Erich Blume
80c33ccaf1
nginx configuration: - forge.eblu.me server block with WebSocket support, 512m body limit - Rate limit login/signup/forgot-password at 3r/s per real client IP (keyed on Fly-Client-IP header, not Fly's internal remote_addr) - Static asset caching (7d), no blanket caching for dynamic content - Security headers (HSTS, X-Frame-Options, X-Content-Type-Options) - Block /swagger (API docs only available via tailnet) - X-Real-IP set to real client IP for Forgejo audit logs - geo-based deny list for fail2ban integration fail2ban configuration: - Custom filter matching 401/403 on login paths in nginx JSON log - Ban after 5 failures in 10 minutes, ban duration 1 hour - Custom nginx-deny action: writes IPs to deny file and reloads nginx (iptables won't work in Fly.io — remote_addr is Fly's proxy IP) - Ban lists ephemeral across deploys (nginx rate limiting is persistent) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
14 lines
486 B
Text
14 lines
486 B
Text
# Custom fail2ban action that bans IPs via an nginx deny list.
|
|
# Standard iptables banning won't work in Fly.io because $remote_addr
|
|
# is Fly's internal proxy IP. Instead, we write banned IPs to a file
|
|
# that nginx checks via a geo directive keyed on $http_fly_client_ip.
|
|
|
|
[Definition]
|
|
|
|
actionban = echo "<ip> 1;" >> /etc/nginx/forge-deny.conf && nginx -s reload
|
|
|
|
actionunban = sed -i '/<ip> 1;/d' /etc/nginx/forge-deny.conf && nginx -s reload
|
|
|
|
actionstart =
|
|
actionstop =
|
|
actioncheck =
|