Alexander Alexandrov, 2017-10-14 02:09:59

How to set up fail2ban on a server behind haproxy?

Good day to all!
There is a redmine server located on the local network; it is exposed to the Internet through a haproxy server, which I have configured as a reverse proxy. I decided to configure fail2ban on the redmine server. I set it up as expected and decided to test it in practice, but I ran into the following: the fail2ban logs show that when the conditions I set are triggered, the IP address is banned after several unsuccessful login attempts, but access to the resource is not actually blocked. Hence a reasonable question arose: how do you configure the behavior of fail2ban on a server behind a proxy server?
It turns out that the setup works like this:

WAN<---EXT-IP--->HAPROXY<---LOCAL-IP--->REDMINE_SERVER

The haproxy settings look something like this:

frontend http_frontend
        bind *:80
        mode http
        redirect scheme https if !{ ssl_fc }

frontend https_frontend_ssl_terminate
        mode http
        bind *:443 ssl crt <path_to_cert>/sert.pem
        option  forwardfor header X-Real-IP
        option  http-keep-alive
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl
        acl is_redmine hdr(host) -i redmine.server.ru
        use_backend redmine if is_redmine

backend redmine
        mode http
        cookie SERVERID insert indirect nocache
        http-request set-header X-Client-IP %[src]
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        server redmine.server.ru 192.168.1.1:80 check cookie redmine.server.ru

jail.local settings:

[redmine]
enabled = true
filter = redmine
port = http,https
logpath = /<path_to_redmine>/log/production.log
maxretry = 5
findtime = 600
bantime = 600

does it even make sense to configure fail2ban with this configuration?

Ivan V, 2019-07-11
@verkhoturov

This is called a "numbered list". Made in pure HTML.
htmlbook.ru/samhtml/spiski/numerovannyy-spisok

Dmitry, 2019-07-11
@MaKvc

ACE, CodeMirror, or implement it on tabs (for example, take Bootstrap or UI-Kit) and call the line numbering function on the tab open or tab closed event. You can use the details tag.
What prevents you from taking ACE? Everything is already implemented there: highlighting, numbering, the ability to collapse a block.
Try: https://ace.c9.io/build/kitchen-sink.html

ksnk, 2019-07-11
@ksnk

It's better to copy the markup of the source text with line numbering from GitHub. It's just that everything there is done with tables :)
Well, or like this:
https://jsfiddle.net/1ype9u3L/

Dmitry, 2017-10-19
@mrResident

As far as I understand your configuration, there is little point in running F2B on the BE.
The BackEnd (REDMINE_SERVER) receives HTTP requests whose source IP address is always LOCAL-IP (the real address is passed in an HTTP header, which fail2ban sees in the logs and bans, but the packets themselves will still arrive from the LOCAL-IP address).
And you need to ban external addresses on the EXT-IP interface, which is on the FE (HAPROXY).
I.e., in such a scheme the following implementation suggests itself: run F2B on the FE, analyze the redmine logs from the BE (mount the folder via nfs/sshfs, for example, keeping an eye on the load) and ban the external addresses on the FE.
If my memory does not fail me, at some point it was promised, I don't remember by whom, to add Redis support to F2B in some distant future as a store of banned addresses. Then it would be simpler: the F2B on the BE analyzes the logs and writes the villains' addresses into Redis, and the F2B running on the front works with the same store and bans the villains. Better check with the F2B community about the reality and prospects of these changes; not my claim, just a retelling of rumors :)

Redaicd, 2017-11-22
@Redaicd

The thing is that Apache knows nothing about external addresses, but it can be taught.
Configure the remoteip module in Apache; the module config is approximately the following:

RemoteIPHeader X-Real-IP
RemoteIPInternalProxy 127.0.0.1 10.10.10.10

etc.
In the Apache log format for redmine change %h to %a so that fail2ban picks up the correct external addresses to block.
If it doesn't work with the X-Real-IP header, try changing it to X-Forwarded-For in Apache and changing option forwardfor header X-Real-IP to option forwardfor on the haproxy frontend.
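The two answers above make one point between them: with %h every failed login on the backend is logged against the proxy's LOCAL-IP, so fail2ban either bans nothing useful or bans the proxy itself, while %a plus RemoteIP (honouring the header only from trusted proxies) yields the real client address. The following script is an added illustration, not code from the thread: it models that behaviour over constructed log lines, assuming 192.168.1.254 as the haproxy LOCAL-IP and a simplified version of mod_remoteip that reads the first address in the header.

```python
import ipaddress
import re

# Constructed trusted-proxy list, playing the role of RemoteIPInternalProxy.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.0/24"),
                   ipaddress.ip_network("127.0.0.1/32")]

def effective_client_ip(peer_ip, x_real_ip, trusted=TRUSTED_PROXIES):
    """Simplified mod_remoteip: honour the header only when the TCP peer is a
    trusted proxy; otherwise keep the peer so a direct client cannot spoof it."""
    peer = ipaddress.ip_address(peer_ip)
    if x_real_ip and any(peer in net for net in trusted):
        try:
            return str(ipaddress.ip_address(x_real_ip.split(",")[0].strip()))
        except ValueError:          # malformed header: fall back to the peer
            return peer_ip
    return peer_ip

# Constructed requests as the backend sees them: (TCP peer, X-Real-IP, request).
# 192.168.1.254 stands in for the haproxy LOCAL-IP; 10.0.0.5 is an untrusted host.
REQUESTS = [
    ("192.168.1.254", "203.0.113.10", "POST /login"),
    ("192.168.1.254", "203.0.113.10", "POST /login"),
    ("192.168.1.254", "198.51.100.7", "POST /login"),
    ("10.0.0.5", "203.0.113.10", "POST /login"),   # header must be ignored
]

LOG_RE = re.compile(r'^(?P<ip>\S+) - - \[[^\]]+\] "(?P<req>[^"]+)"')

def render_log(fmt):
    """Render constructed Apache access-log lines with %h or %a semantics."""
    lines = []
    for peer, xri, req in REQUESTS:
        ip = peer if fmt == "%h" else effective_client_ip(peer, xri)
        lines.append(f'{ip} - - [14/Oct/2017:02:09:59 +0300] "{req} HTTP/1.1" 401 0')
    return lines

def failed_login_counts(lines):
    """Tally failed logins per address the way a fail2ban failregex would."""
    counts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m and "/login" in m.group("req") and " 401 " in line:
            counts[m.group("ip")] = counts.get(m.group("ip"), 0) + 1
    return counts

if __name__ == "__main__":
    print("%h:", failed_login_counts(render_log("%h")))   # everything lands on the proxy
    print("%a:", failed_login_counts(render_log("%a")))   # real clients, spoof ignored
```

With %h the three proxied attempts all count against 192.168.1.254, which is exactly the address fail2ban would then (uselessly or harmfully) ban.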
