Last active
November 9, 2023 09:43
-
-
Save nginx-gists/2863c4820287e16d51fab2b70ea3847d to your computer and use it in GitHub Desktop.
Dynamic IP Denylisting with NGINX Plus and fail2ban
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html> | |
| <head> | |
| <title>Banned</title> | |
| <style> | |
| body { | |
| width: 35em; | |
| margin: 0 auto; | |
| font-family: Tahoma, Verdana, Arial, sans-serif; | |
| } | |
| </style> | |
| </head> | |
| <body> | |
| <h1>You have been banned.</h1> | |
| <p>Sorry, there have been too many login failures from this IP address.<br/> | |
| Please try again later.</p> | |
| </body> | |
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| server { | |
| listen 1111; | |
| allow 127.0.0.1; # Only allow access from localhost, | |
| deny all; # and prevent remote access. | |
| location /api { | |
| api write=on; # The NGINX Plus API endpoint in read/write mode | |
| } | |
| } | |
| keyval_zone zone=denylist:1M; | |
| keyval $remote_addr $num_failures zone=denylist; | |
| server { | |
| listen 80; | |
| location / { | |
| root /usr/share/nginx/html; | |
| if ($num_failures) { | |
| return 403; | |
| } | |
| } | |
| } | |
| vim: syntax=nginx |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [DEFAULT] | |
| bantime = 120 | |
| banaction = nginx-plus-denylist | |
| [nginx-http-auth] | |
| enabled = true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Definition] | |
| actionban = curl -s -o /dev/null -d '{"<ip>":"<failures>"}' http://localhost:1111/api/6/http/keyvals/denylist | |
| actionunban = curl -s -o /dev/null -X PATCH -d '{"<ip>":null}' http://localhost:1111/api/6/http/keyvals/denylist |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| server { | |
| listen 1111; | |
| allow 127.0.0.1; # Only allow access from localhost, | |
| deny all; # and prevent remote access. | |
| location /api { | |
| api write=on; # The NGINX Plus API endpoint in read/write mode | |
| } | |
| } | |
| keyval_zone zone=denylist:1M state=denylist.json; | |
| keyval $remote_addr $num_failures zone=denylist; | |
| limit_req_zone $binary_remote_addr zone=20permin:10M rate=20r/m; | |
| server { | |
| listen 80; | |
| root /usr/share/nginx/html; | |
| location / { | |
| auth_basic "closed site"; | |
| auth_basic_user_file users.htpasswd; | |
| if ($num_failures) { | |
| rewrite ^.* /banned.html; | |
| } | |
| } | |
| location = /banned.html { | |
| limit_req zone=20permin burst=100; | |
| } | |
| } | |
| vim: syntax=nginx |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
For a discussion of these files, see Dynamic IP Denylisting with NGINX Plus and fail2ban