diff options
| author | Lukasz Kasprzak <lukasz.kasprzak@pm.me> | 2026-04-14 22:32:43 +0200 |
|---|---|---|
| committer | Lukasz Kasprzak <lukasz.kasprzak@pm.me> | 2026-04-14 22:32:43 +0200 |
| commit | 83f7fe4b8402bab171d110703a1b1115efbc9b28 (patch) | |
| tree | 19110702c7d740f6bd8ee4f5d2ebcb97442be237 /straper/db/public/fail2ban/etc-fail2ban/action.d/nginx-block-map.conf | |
| parent | 51d43498b07dc97d795947964534f0903cd05db5 (diff) | |
| download | bin-83f7fe4b8402bab171d110703a1b1115efbc9b28.tar.gz bin-83f7fe4b8402bab171d110703a1b1115efbc9b28.zip | |
cleaned up many scrits and deleted some that were of no use; renamed a lot
Diffstat (limited to 'straper/db/public/fail2ban/etc-fail2ban/action.d/nginx-block-map.conf')
| -rw-r--r-- | straper/db/public/fail2ban/etc-fail2ban/action.d/nginx-block-map.conf | 117 |
1 files changed, 0 insertions, 117 deletions
diff --git a/straper/db/public/fail2ban/etc-fail2ban/action.d/nginx-block-map.conf b/straper/db/public/fail2ban/etc-fail2ban/action.d/nginx-block-map.conf deleted file mode 100644 index 0de382b..0000000 --- a/straper/db/public/fail2ban/etc-fail2ban/action.d/nginx-block-map.conf +++ /dev/null @@ -1,117 +0,0 @@ -# Fail2Ban configuration file for black-listing via nginx -# -# Author: Serg G. Brester (aka sebres) -# -# To use 'nginx-block-map' action you should define some special blocks in your nginx configuration, -# and use it hereafter in your locations (to notify fail2ban by failure, resp. nginx by ban). -# -# Example (argument "token_id" resp. cookie "session_id" used here as unique identifier for user): -# -# http { -# ... -# # maps to check user is blacklisted (banned in f2b): -# #map $arg_token_id $blck_lst_tok { include blacklisted-tokens.map; } -# map $cookie_session_id $blck_lst_ses { include blacklisted-sessions.map; } -# ... -# # special log-format to notify fail2ban about failures: -# log_format f2b_session_errors '$msec failure "$cookie_session_id" - $remote_addr - $remote_user ' -# ;# '"$request" $status $bytes_sent ' -# # '"$http_referer" "$http_user_agent"'; -# -# # location checking blacklisted values: -# location ... { -# # check banned sessionid: -# if ($blck_lst_ses != "") { -# try_files "" @f2b-banned; -# } -# ... -# # notify fail2ban about a failure inside nginx: -# error_page 401 = @notify-f2b; -# ... -# } -# ... -# # location for return with "403 Forbidden" if banned: -# location @f2b-banned { -# default_type text/html; -# return 403 "<br/><center> -# <b style=\"color:red; font-size:18pt; border:2pt solid black; padding:5pt;\"> -# You are banned!</b></center>"; -# } -# ... -# # location to notify fail2ban about a failure inside nginx: -# location @notify-f2b { -# access_log /var/log/nginx/f2b-auth-errors.log f2b_session_errors; -# } -# } -# ... -# -# Note that quote-character (and possibly other special characters) are not allowed currently as session-id. -# Thus please add any session-id validation rule in your locations (or in the corresponding backend-service), -# like in example below: -# -# location ... { -# if ($cookie_session_id !~ "^[\w\-]+$") { -# return 403 "Wrong session-id" -# } -# ... -# } -# -# The parameters for jail corresponding log-format (f2b_session_errors): -# -# [nginx-blck-lst] -# filter = -# datepattern = ^Epoch -# failregex = ^ failure "<F-ID>[^"]+</F-ID>" - <ADDR> -# usedns = no -# -# The same log-file can be used for IP-related jail (additionally to session-related, to ban very bad IPs): -# -# [nginx-blck-ip] -# maxretry = 100 -# filter = -# datepattern = ^Epoch -# failregex = ^ failure "[^"]+" - <ADDR> -# usedns = no -# - -[Definition] - -# path to configuration of nginx (used to target nginx-instance in multi-instance system, -# and as path for the blacklisted map): -srv_cfg_path = /etc/nginx/ - -# cmd-line arguments to supply to test/reload nginx: -#srv_cmd = nginx -c %(srv_cfg_path)s/nginx.conf -srv_cmd = nginx - -# pid file (used to check nginx is running): -srv_pid = /run/nginx.pid - -# command used to check whether nginx is running and configuration is valid: -srv_is_running = [ -f "%(srv_pid)s" ] -srv_check_cmd = %(srv_is_running)s && %(srv_cmd)s -qt - -# first test nginx is running and configuration is correct, hereafter send reload signal: -blck_lst_reload = %(srv_check_cmd)s; if [ $? -eq 0 ]; then - %(srv_cmd)s -s reload; if [ $? -ne 0 ]; then echo 'reload failed.'; fi; - fi; - -# map-file for nginx, can be redefined using `action = nginx-block-map[blck_lst_file="/path/file.map"]`: -blck_lst_file = %(srv_cfg_path)s/blacklisted-sessions.map - -# Action definition: - -actionstart_on_demand = false -actionstart = touch '%(blck_lst_file)s' - -actionflush = truncate -s 0 '%(blck_lst_file)s'; %(blck_lst_reload)s - -actionstop = %(actionflush)s - -actioncheck = - -_echo_blck_row = printf '\%%s 1;\n' "<fid>" - -actionban = %(_echo_blck_row)s >> '%(blck_lst_file)s'; %(blck_lst_reload)s - -actionunban = id=$(%(_echo_blck_row)s | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/^$id$/d" %(blck_lst_file)s; %(blck_lst_reload)s |
