Comments (12)
As you can see here, you can provide a list of middleware that will be added to the entrypoint itself, thus enabling it by default for services using the entrypoint.
from fail2ban.
Hi @Whisper40,
Thanks
Thanks for your interest in Fail2Ban!
Did you add the middleware to your service ?
- "traefik.http.routers.traefik.middlewares=fail2ban@docker"
from fail2ban.
Hi @tomMoulard
I actually have this on traefik side :
- "traefik.http.routers.traefik.middlewares=traefik-auth"
- "traefik.http.middlewares.traefik-auth.basicauth.users=account:${passwd_account}"
Should it be like this?
- "traefik.http.routers.traefik.middlewares=traefik-auth, fail2ban@docker" # can i put just fail2ban and not with @docker ?
- "traefik.http.middlewares.traefik-auth.basicauth.users=account:${passwd_account}"
thanks !
from fail2ban.
Yeah !
This way you are actually using the middleware on a router.
See the configuration example.
from fail2ban.
OK, so by doing this, only Traefik will be protected by fail2ban.
In my case I serve apps with a different name for the auth each time.
Example :
- "traefik.http.routers.rutorrent_user-router.middlewares=user_app-auth"
another user :
- "traefik.http.routers.rutorrent_user2-router.middlewares=user2_app-auth"
So is there a way to set it as a global middleware? (In order not to repeat the code everywhere?)
from fail2ban.
Hum, when I add ", fail2ban@docker", it just breaks Traefik with a 404 not found on the Traefik admin page.
Traefik version : traefik:v2.4
What i did :
command
- "--experimental.plugins.fail2ban.modulename=github.com/tommoulard/fail2ban"
- "--experimental.plugins.fail2ban.version=v0.6.0"
labels
- "traefik.http.routers.traefik.middlewares=traefik-auth, fail2ban@docker"
- "traefik.http.middlewares.traefik-auth.basicauth.users=account:${passwd_account}"
from fail2ban.
Can you provide a reproducible case? I mean a way to reproduce the issue easily and quickly, without having to configure and build the whole context. For example, it could be a docker compose file with the minimal Traefik configuration (static and dynamic) that reproduces the issue and all the containers needed for the use case. Finally, all commands used to prove the issue.
Thanks
from fail2ban.
This is the docker-compose used with my domain :
You can remove the ssl part and cloudflare
```yaml
version: '3.9'
services:
  ###################################
  # TRAEFIK
  ###################################
  traefik:
    image: traefik:v2.4
    container_name: traefik
    restart: unless-stopped
    command:
      # Globals
      - "--global.checkNewVersion=true"
      - "--global.sendAnonymousUsage=true"
      # Logs
      - "--log=true"
      - "--log.level=${DEBUG_LEVEL}"
      - "--accessLog=true"
      - "--accessLog.filePath=/log/traefik.log"
      - "--accessLog.bufferingSize=100"
      - "--accessLog.filters.statusCodes=400-499"
      - "--accesslog.fields.names.StartUTC=drop"
      # Http & Https
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      # Permits the update by user's services
      - "--api=true"
      # Docker Configuration
      - "--providers.docker=true"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=traefik_proxy"
      - "--providers.docker.swarmMode=false"
      - "--providers.file.directory=/rules"
      - "--providers.file.watch=true"
      # Certificate Resolver
      # - "--certificatesResolvers.mydnschallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.mydnschallenge.acme.email=${CF_API_EMAIL}"
      - "--certificatesresolvers.mydnschallenge.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.mydnschallenge.acme.storage=/etc/traefik/acme.json"
      - "--serverstransport.insecureskipverify=true"
      # Traefik Plugins
      - "--experimental.plugins.fail2ban.modulename=github.com/tommoulard/fail2ban"
      - "--experimental.plugins.fail2ban.version=v0.6.0"
    labels:
      # Api
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_BASE_URL}-${SERVER_BASE_URL}.${DOMAIN_URL}`)"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
      - "traefik.http.services.traefik.loadbalancer.server.scheme=http"
      - "traefik.http.routers.traefik.service=api@internal"
      # Wildcard cert
      - "traefik.http.routers.traefik.tls.domains[0].main=${DOMAIN_URL}"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.${DOMAIN_URL}"
      - "traefik.http.routers.traefik.tls.certresolver=mydnschallenge"
      # Http -> Https
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls=true"
      # Traefik Authentification
      - "traefik.http.routers.traefik.middlewares=traefik-auth, fail2ban@docker"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:${passwd_admin}"
      # Traefik Plugins Configuration
      - "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.enabled=true"
      - "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.maxretry=4"
      - "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.bantime=1h"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /usr/share/zoneinfo:/usr/share/zoneinfo:ro
      - $CONFIG_DIR/traefik:/etc/traefik
      - $CONFIG_DIR/traefik/logs:/log
    ports:
      - "80:80"
      - "443:443"
    environment:
      - CLOUDFLARE_EMAIL=${CF_API_EMAIL}
      - CLOUDFLARE_API_KEY=${CF_API_KEY}
      - TZ=${TZ}
    networks:
      - proxy
##########################################
# Networks
##########################################
networks:
  proxy:
    external:
      name: traefik_proxy
```
from fail2ban.
Do you have the Pilot token in your configuration?
from fail2ban.
Yes, I just deleted it for GitHub (Pilot is working).
from fail2ban.
When using your docker-compose, I can see the error:
traefik_1 | time="2021-04-12T12:31:10Z" level=error msg="Error when Transforming rules: Could not parse Ports, bad format (hint: use something like \"80:443\" to filter all ports from 80 to 443)" routerName=traefik@docker entryPointName=websecure
Thus, you should add this line to your configuration to make the fail2ban plugin work:
- "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.ports=80:443"
You have other errors in your Traefik configuration, but they are not related to the plugin.
from fail2ban.
OK, I think it should be added to the Traefik Pilot documentation :)
Yep, on my side just a little error with rules (wrong directory).
from fail2ban.
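The two answers in this thread combined (middleware attached at the entrypoint, plus the `rules.ports` line that fixed the parse error), as an added example that is not part of the original thread or the plugin's own documentation. The `rutorrent_user` service, its image and the `user.example.org` host are placeholders, and the Pilot token mentioned in the thread is omitted.

```yaml
services:
  traefik:
    image: traefik:v2.4
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      # Plugin declaration, as posted in the thread
      - "--experimental.plugins.fail2ban.modulename=github.com/tommoulard/fail2ban"
      - "--experimental.plugins.fail2ban.version=v0.6.0"
      # Entrypoint-level middleware: every router served through
      # websecure gets fail2ban without listing it per router
      - "--entryPoints.websecure.http.middlewares=fail2ban@docker"
    labels:
      - "traefik.enable=true"
      # Middleware definition; without rules.ports the plugin logged
      # "Could not parse Ports, bad format" and the router was not created
      - "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.enabled=true"
      - "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.maxretry=4"
      - "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.bantime=1h"
      - "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.ports=80:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - "80:80"
      - "443:443"

  # Placeholder application: the router lists only its own auth
  # middleware; fail2ban is inherited from the entrypoint
  rutorrent_user:
    image: example/app:latest  # placeholder image
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.rutorrent_user-router.rule=Host(`user.example.org`)"
      - "traefik.http.routers.rutorrent_user-router.entrypoints=websecure"
      - "traefik.http.routers.rutorrent_user-router.tls=true"
      - "traefik.http.routers.rutorrent_user-router.middlewares=user_app-auth"
      - "traefik.http.middlewares.user_app-auth.basicauth.users=account:${passwd_account}"
```

Entrypoint middlewares run before the router's own middlewares, so a banned client is rejected before basic auth is evaluated. If a router returns 404 after adding the plugin, check the Traefik log for an "Error when Transforming rules" line naming that router.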