Last active November 9, 2023 09:43
Dynamic IP Denylisting with NGINX Plus and fail2ban
```html
<!DOCTYPE html>
<html>
<head>
<title>Banned</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>You have been banned.</h1>
<p>Sorry, there have been too many login failures from this IP address.<br/>
Please try again later.</p>
</body>
</html>
```

```nginx
server {
    listen 1111;
    allow 127.0.0.1; # Only allow access from localhost,
    deny all;        # and prevent remote access.

    location /api {
        api write=on; # The NGINX Plus API endpoint in read/write mode
    }
}

keyval_zone zone=denylist:1M;
keyval $remote_addr $num_failures zone=denylist;

server {
    listen 80;

    location / {
        root /usr/share/nginx/html;
        if ($num_failures) {
            return 403;
        }
    }
}

# vim: syntax=nginx
```

```ini
[DEFAULT]
bantime = 120
banaction = nginx-plus-denylist

[nginx-http-auth]
enabled = true
```

```ini
[Definition]
actionban = curl -s -o /dev/null -d '{"<ip>":"<failures>"}' http://localhost:1111/api/6/http/keyvals/denylist
actionunban = curl -s -o /dev/null -X PATCH -d '{"<ip>":null}' http://localhost:1111/api/6/http/keyvals/denylist
```

```nginx
server {
    listen 1111;
    allow 127.0.0.1; # Only allow access from localhost,
    deny all;        # and prevent remote access.

    location /api {
        api write=on; # The NGINX Plus API endpoint in read/write mode
    }
}

keyval_zone zone=denylist:1M state=denylist.json;
keyval $remote_addr $num_failures zone=denylist;

limit_req_zone $binary_remote_addr zone=20permin:10M rate=20r/m;

server {
    listen 80;
    root /usr/share/nginx/html;

    location / {
        auth_basic "closed site";
        auth_basic_user_file users.htpasswd;

        if ($num_failures) {
            rewrite ^.* /banned.html;
        }
    }

    location = /banned.html {
        limit_req zone=20permin burst=100;
    }
}

# vim: syntax=nginx
```