Add fail2ban for traefik
Remote action coming soon
This commit is contained in:
Jake Howard
@ -3,3 +3,4 @@ traefik_provider_homeassistant: false
|
||||
traefik_provider_grafana: false
|
||||
|
||||
with_traefik_pages: false
|
||||
with_fail2ban: false
|
||||
|
||||
@ -8,5 +8,6 @@ services:
|
||||
- CF_DNS_API_TOKEN={{ cloudflare_api_token }}
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
- /tmp/traefik-logs:/var/log/traefik
|
||||
- ./traefik:/etc/traefik
|
||||
restart: unless-stopped
|
||||
|
||||
4
ansible/roles/traefik/files/fail2ban/traefik-filter.conf
Normal file
4
ansible/roles/traefik/files/fail2ban/traefik-filter.conf
Normal file
@ -0,0 +1,4 @@
|
||||
[Definition]
|
||||
failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\" .+$
|
||||
ignoreregex =
|
||||
mode = normal
|
||||
9
ansible/roles/traefik/files/fail2ban/traefik-jail.conf
Normal file
9
ansible/roles/traefik/files/fail2ban/traefik-jail.conf
Normal file
@ -0,0 +1,9 @@
|
||||
[traefik]
|
||||
enabled = true
|
||||
bantime = 6000
|
||||
findtime = 600
|
||||
maxretry = 5
|
||||
filter = traefik
|
||||
logpath = /tmp/traefik-logs/access.log
|
||||
port = http,https
|
||||
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }}
|
||||
8
ansible/roles/traefik/files/logrotate.conf
Normal file
8
ansible/roles/traefik/files/logrotate.conf
Normal file
@ -0,0 +1,8 @@
|
||||
/tmp/traefik-logs/access.log {
|
||||
daily
|
||||
rotate 7
|
||||
missingok
|
||||
compress
|
||||
nodateext
|
||||
notifempty
|
||||
}
|
||||
@ -77,3 +77,9 @@ tls:
|
||||
|
||||
pilot:
|
||||
dashboard: false
|
||||
|
||||
accessLog:
|
||||
filePath: "/var/log/traefik/access.log"
|
||||
filters:
|
||||
statusCodes:
|
||||
- "400-600"
|
||||
|
||||
@ -2,3 +2,9 @@
|
||||
shell:
|
||||
chdir: /opt/traefik
|
||||
cmd: "{{ docker_update_command }}"
|
||||
|
||||
- name: restart fail2ban
|
||||
service:
|
||||
name: fail2ban
|
||||
state: restarted
|
||||
become: true
|
||||
|
||||
15
ansible/roles/traefik/tasks/fail2ban.yml
Normal file
15
ansible/roles/traefik/tasks/fail2ban.yml
Normal file
@ -0,0 +1,15 @@
|
||||
- name: Create jail
|
||||
template:
|
||||
src: files/fail2ban/traefik-jail.conf
|
||||
dest: /etc/fail2ban/jail.d/traefik.conf
|
||||
mode: 0644
|
||||
become: true
|
||||
notify: restart fail2ban
|
||||
|
||||
- name: Create filter
|
||||
template:
|
||||
src: files/fail2ban/traefik-filter.conf
|
||||
dest: /etc/fail2ban/filter.d/traefik.conf
|
||||
mode: 0644
|
||||
become: true
|
||||
notify: restart fail2ban
|
||||
@ -77,3 +77,14 @@
|
||||
notify: restart traefik
|
||||
when: traefik_provider_grafana
|
||||
become: true
|
||||
|
||||
- name: logrotate config
|
||||
template:
|
||||
src: files/logrotate.conf
|
||||
dest: /etc/logrotate.d/traefik
|
||||
mode: "0600"
|
||||
become: true
|
||||
|
||||
- name: fail2ban
|
||||
include: fail2ban.yml
|
||||
when: with_fail2ban
|
||||
|
||||
Reference in New Issue
Block a user