Erich Blume
80c33ccaf1
nginx configuration: - forge.eblu.me server block with WebSocket support, 512m body limit - Rate limit login/signup/forgot-password at 3r/s per real client IP (keyed on Fly-Client-IP header, not Fly's internal remote_addr) - Static asset caching (7d), no blanket caching for dynamic content - Security headers (HSTS, X-Frame-Options, X-Content-Type-Options) - Block /swagger (API docs only available via tailnet) - X-Real-IP set to real client IP for Forgejo audit logs - geo-based deny list for fail2ban integration fail2ban configuration: - Custom filter matching 401/403 on login paths in nginx JSON log - Ban after 5 failures in 10 minutes, ban duration 1 hour - Custom nginx-deny action: writes IPs to deny file and reloads nginx (iptables won't work in Fly.io — remote_addr is Fly's proxy IP) - Ban lists ephemeral across deploys (nginx rate limiting is persistent) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
8 lines
162 B
Text
8 lines
162 B
Text
[forge-login]
|
|
enabled = true
|
|
filter = forge-login
|
|
logpath = /var/log/nginx/access.json.log
|
|
maxretry = 5
|
|
findtime = 600
|
|
bantime = 3600
|
|
banaction = nginx-deny
|