Add forge.eblu.me to Fly.io proxy with rate limiting and fail2ban

nginx configuration:
- forge.eblu.me server block with WebSocket support, 512m body limit
- Rate limit login/signup/forgot-password at 3r/s per real client IP
  (keyed on Fly-Client-IP header, not Fly's internal remote_addr)
- Static asset caching (7d), no blanket caching for dynamic content
- Security headers (HSTS, X-Frame-Options, X-Content-Type-Options)
- Block /swagger (API docs only available via tailnet)
- X-Real-IP set to real client IP for Forgejo audit logs
- geo-based deny list for fail2ban integration

fail2ban configuration:
- Custom filter matching 401/403 on login paths in nginx JSON log
- Ban after 5 failures in 10 minutes, ban duration 1 hour
- Custom nginx-deny action: writes IPs to deny file and reloads nginx
  (iptables won't work in Fly.io — remote_addr is Fly's proxy IP)
- Ban lists ephemeral across deploys (nginx rate limiting is persistent)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

fly/Dockerfile

@@ -8,7 +8,8 @@ COPY --from=docker.io/tailscale/tailscale:stable \
 
 RUN mkdir -p /var/run/tailscale /var/lib/tailscale \
     && apk add --no-cache iptables ip6tables \
-    && apk add --no-cache libc6-compat
+    && apk add --no-cache libc6-compat \
+    && apk add --no-cache fail2ban
 
 # Copy Alloy binary from official image (Ubuntu-based, needs libc6-compat)
 COPY --from=docker.io/grafana/alloy:v1.13.1 \
@@ -16,6 +17,10 @@ COPY --from=docker.io/grafana/alloy:v1.13.1 \
 
 RUN mkdir -p /var/log/nginx /etc/alloy /tmp/alloy-data
 
+COPY fail2ban/filter.d/forge-login.conf /etc/fail2ban/filter.d/forge-login.conf
+COPY fail2ban/jail.d/forge.conf /etc/fail2ban/jail.d/forge.conf
+COPY fail2ban/action.d/nginx-deny.conf /etc/fail2ban/action.d/nginx-deny.conf
+
 COPY nginx.conf /etc/nginx/nginx.conf
 COPY error.html /usr/share/nginx/html/error.html
 COPY alloy.river /etc/alloy/config.alloy

fly/fail2ban/action.d/nginx-deny.conf

@@ -0,0 +1,14 @@
+# Custom fail2ban action that bans IPs via an nginx deny list.
+# Standard iptables banning won't work in Fly.io because $remote_addr
+# is Fly's internal proxy IP. Instead, we write banned IPs to a file
+# that nginx checks via a geo directive keyed on $http_fly_client_ip.
+
+[Definition]
+
+actionban = echo "<ip> 1;" >> /etc/nginx/forge-deny.conf && nginx -s reload
+
+actionunban = sed -i '/<ip> 1;/d' /etc/nginx/forge-deny.conf && nginx -s reload
+
+actionstart =
+actionstop =
+actioncheck =

fly/fail2ban/filter.d/forge-login.conf

@@ -0,0 +1,10 @@
+# Filter for Forgejo login failures via nginx JSON access log.
+# Matches 401/403 responses to authentication endpoints, keyed on
+# the client_ip field (populated from Fly-Client-IP header).
+
+[Definition]
+
+# Match JSON log lines with 401 or 403 status on login-related paths
+failregex = "client_ip":"<HOST>".*"request_uri":"\/user\/(login|sign_up|forgot_password)[^"]*".*"status":(401|403)
+
+ignoreregex =

fly/fail2ban/jail.d/forge.conf

@@ -0,0 +1,8 @@
+[forge-login]
+enabled  = true
+filter   = forge-login
+logpath  = /var/log/nginx/access.json.log
+maxretry = 5
+findtime = 600
+bantime  = 3600
+banaction = nginx-deny

fly/nginx.conf

@@ -29,6 +29,19 @@ http {
     # Rate limiting zones — define per-service zones as needed
     limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
 
+    # Forge-specific rate limit keyed on real client IP (Fly-Client-IP header).
+    # $binary_remote_addr is Fly's internal proxy IP — all clients share one
+    # bucket. $http_fly_client_ip has the actual client IP.
+    limit_req_zone $http_fly_client_ip zone=forge_auth:10m rate=3r/s;
+
+    # fail2ban deny list — banned IPs are written here by fail2ban and
+    # checked via the $forge_banned variable. The file is touched at
+    # container start to ensure it exists.
+    geo $http_fly_client_ip $forge_banned {
+        default 0;
+        include /etc/nginx/forge-deny.conf;
+    }
+
     # Proxy cache: 200MB, evict after 24h of no access
     proxy_cache_path /tmp/cache levels=1:2 keys_zone=services:10m
                      max_size=200m inactive=24h;
@@ -114,6 +127,97 @@ http {
         }
     }
 
+    # --- forge.eblu.me (dynamic, authenticated) ---
+    server {
+        listen 8080;
+        server_name forge.eblu.me;
+
+        # Block fail2ban-banned IPs
+        if ($forge_banned) {
+            return 403 "Temporarily blocked. Try again later.\n";
+        }
+
+        # General rate limit — higher burst for git operations and CI webhooks
+        limit_req zone=general burst=50 nodelay;
+
+        # Git LFS and repo uploads can be large
+        client_max_body_size 512m;
+
+        # Security headers
+        add_header X-Frame-Options "DENY" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+        error_page 502 503 504 /error.html;
+        location = /error.html {
+            root /usr/share/nginx/html;
+            internal;
+        }
+
+        # Block swagger API docs — use forge.ops.eblu.me from tailnet
+        location /swagger {
+            return 403 "API documentation is only available at forge.ops.eblu.me (tailnet).\n";
+        }
+
+        # Rate-limit authentication endpoints
+        location ~ ^/user/(login|sign_up|forgot_password) {
+            limit_req zone=forge_auth burst=5 nodelay;
+
+            set $upstream_forge https://forge.tail8d86e.ts.net;
+            proxy_pass $upstream_forge$request_uri;
+            proxy_ssl_verify off;
+            proxy_ssl_server_name on;
+            proxy_intercept_errors on;
+
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $http_fly_client_ip;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+        }
+
+        # Selectively cache static assets only
+        location ~* \.(css|js|png|jpg|svg|woff2?)$ {
+            set $upstream_forge_static https://forge.tail8d86e.ts.net;
+            proxy_pass $upstream_forge_static$request_uri;
+            proxy_ssl_verify off;
+            proxy_ssl_server_name on;
+
+            proxy_cache services;
+            proxy_cache_valid 200 7d;
+            proxy_cache_key $host$uri;
+
+            add_header X-Cache-Status $upstream_cache_status;
+            add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
+        }
+
+        location / {
+            set $upstream_forge https://forge.tail8d86e.ts.net;
+            proxy_pass $upstream_forge$request_uri;
+            proxy_ssl_verify off;
+            proxy_ssl_server_name on;
+            proxy_intercept_errors on;
+
+            # NO proxy_cache — dynamic content with sessions
+
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $http_fly_client_ip;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            # WebSocket support (Forgejo uses it for live updates)
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+
+            add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
+        }
+    }
+
     # Catch-all: reject unknown hosts, but serve health check
     server {
         listen 8080 default_server;

fly/start.sh

@@ -12,11 +12,18 @@ tailscale up --authkey="${TS_AUTHKEY}" --hostname=flyio-proxy
 until tailscale status > /dev/null 2>&1; do sleep 1; done
 echo "Tailscale connected"
 
+# Ensure fail2ban deny file exists before nginx starts
+touch /etc/nginx/forge-deny.conf
+
 # Start nginx — MagicDNS is available, health check passes immediately.
 nginx -g "daemon off;" &
 NGINX_PID=$!
 echo "Nginx started"
 
+# Start fail2ban for login brute-force protection
+fail2ban-server -b
+echo "fail2ban started"
+
 # Start Alloy for observability (logs → Loki, metrics → Prometheus)
 alloy run /etc/alloy/config.alloy \
     --server.http.listen-addr=127.0.0.1:12345 \