This plugin is a small but growing implementation of a fail2ban-style middleware plugin for traefik. It is inspired by other implementations with a similar goal but is tailored to our needs.
Inspirations taken from:
Installation instructions are provided via the traefik Plugin Catalog.
- traefik v2.10+ is required: the plugin now carries a vendored dependency that causes goroutine panics on earlier traefik versions.
All configuration options may be specified either in config files or as CLI parameters.
Certain IP addresses or ranges can be configured to be either always allowed or always denied access. Denying always takes precedence over allowing, and allowing takes precedence over executing the other fail2ban rules.
```yaml
testData:
  alwaysAllowed:
    ip: "::1,127.0.0.1"
  alwaysDenied:
    ip: "192.168.0.0/24"
```
To help with operating this plugin, the level of logged messages can be adjusted.
```yaml
testData:
  logLevel: "INFO"
```
The ultimate goal is to support every rule matcher that fail2ban itself supports, but implementation follows the direct needs of our projects.
The currently implemented settings are:
```yaml
testData:
  rules:
    banTime: "3h"
    findTime: "10m"
    maxRetries: 4
    response:
      statusCodes: "400,401,403-499"
```
Before the defined rules are executed, a request whose remote IP is in the alwaysDenied list is immediately denied; likewise, a request whose remote IP is in the alwaysAllowed list is immediately allowed.
On the first request from an unknown IP address, that address is added to the pool and its findTime timer starts:
On every subsequent request (while findTime has not been exceeded) the IP address's counter in the pool is incremented and the rules are checked.
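The decision order described above (alwaysDenied, then alwaysAllowed, then the findTime/maxRetries/banTime pool), as an added Go example that is not the plugin's own code: all type and function names are this example's own, the allow/deny lists are taken as parsed `netip.Prefix` values (single hosts as /32 or /128), and the request that pushes the counter beyond maxRetries is assumed to be the first one denied.

```go
package main // added example for the README above; all type and function names are this example's own

import (
	"net/netip"
	"time"
)

// Rules mirrors the README's rules block (banTime, findTime, maxRetries).
type Rules struct {
	FindTime, BanTime time.Duration
	MaxRetries        int
}
type Entry struct{ count int; windowStart, bannedUntil time.Time }
type Fail2Ban struct {
	Rules       Rules
	Allow, Deny []netip.Prefix // alwaysAllowed.ip / alwaysDenied.ip, single hosts as /32 or /128
	Pool        map[netip.Addr]*Entry
}
func in(l []netip.Prefix, a netip.Addr) bool {
	for _, p := range l {
		if p.Contains(a) {
			return true
		}
	}
	return false
}
// Check applies the README's order: alwaysDenied, then alwaysAllowed, then the pool; true means the request may pass.
func (f *Fail2Ban) Check(ip string, now time.Time) bool {
	addr, err := netip.ParseAddr(ip)
	if err != nil || in(f.Deny, addr) {
		return false // unparseable or alwaysDenied: denied before any rule runs
	}
	if in(f.Allow, addr) {
		return true // alwaysAllowed: the rules are skipped
	}
	e := f.Pool[addr]
	if e != nil && now.Before(e.bannedUntil) {
		return false // still inside banTime
	}
	if e == nil || !e.bannedUntil.IsZero() || now.Sub(e.windowStart) > f.Rules.FindTime {
		e = &Entry{windowStart: now} // first request, expired ban, or findTime elapsed: new window
		f.Pool[addr] = e
	}
	e.count++
	if e.count > f.Rules.MaxRetries { // assumption: the request beyond maxRetries is the one denied
		e.bannedUntil = now.Add(f.Rules.BanTime)
		return false
	}
	return true
}
```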
- First, clean and install vendor dependencies:

  ```shell
  make clean vendor
  ```