eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/fly/fail2ban/action.d/nginx-deny.conf

14 lines
486 B
Text
Raw Normal View History

Add forge.eblu.me to Fly.io proxy with rate limiting and fail2ban nginx configuration: - forge.eblu.me server block with WebSocket support, 512m body limit - Rate limit login/signup/forgot-password at 3r/s per real client IP (keyed on Fly-Client-IP header, not Fly's internal remote_addr) - Static asset caching (7d), no blanket caching for dynamic content - Security headers (HSTS, X-Frame-Options, X-Content-Type-Options) - Block /swagger (API docs only available via tailnet) - X-Real-IP set to real client IP for Forgejo audit logs - geo-based deny list for fail2ban integration fail2ban configuration: - Custom filter matching 401/403 on login paths in nginx JSON log - Ban after 5 failures in 10 minutes, ban duration 1 hour - Custom nginx-deny action: writes IPs to deny file and reloads nginx (iptables won't work in Fly.io — remote_addr is Fly's proxy IP) - Ban lists ephemeral across deploys (nginx rate limiting is persistent) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-03 07:52:58 -08:00
# Custom fail2ban action that bans IPs via an nginx deny list.
# Standard iptables banning won't work in Fly.io because $remote_addr
# is Fly's internal proxy IP. Instead, we write banned IPs to a file
# that nginx checks via a geo directive keyed on $http_fly_client_ip.
[Definition]
actionban = echo "<ip> 1;" >> /etc/nginx/forge-deny.conf && nginx -s reload
actionunban = sed -i '/<ip> 1;/d' /etc/nginx/forge-deny.conf && nginx -s reload
actionstart =
actionstop =
actioncheck =
Reference in a new issue Copy permalink