Open PS1TD opened 3 months ago
I had the same problem :(
I think I'm seeing the same things myself. Is this plugin working? 🤔
Hello all,
Thanks for your interest in this Traefik plugin!
I've released https://github.com/tomMoulard/fail2ban/releases/tag/v0.8.2 with an intensive logging approach. Can you try again your issue with the latest version and tell me if it's still relevant?
Thanks!
I'm immediately hit with an error when trying to load the latest version into Traefik:
2024-09-06T20:15:38Z INF Loading plugins... plugins=["GeoBlock","fail2ban"]
2024-09-06T20:15:39Z ERR plugins-storage/sources/gop-281385154/src/github.com/tomMoulard/fail2ban/pkg/data/data.go:14:9: panic: github.com/tomMoulard/fail2ban/pkg/data(...) module=github.com/tomMoulard/fail2ban plugin=plugin-fail2ban runtime=
panic: reflect.Set: value of type string is not assignable to type struct { Logger *stdlib.logLogger } [recovered]
panic: reflect.Set: value of type string is not assignable to type struct { Logger *stdlib.logLogger }
goroutine 1 [running]:
github.com/traefik/yaegi/interp.runCfg.func1()
github.com/traefik/yaegi@v0.16.1/interp/run.go:226 +0x1ae
panic({0x4976d20?, 0xc0022411f0?})
runtime/panic.go:770 +0x132
reflect.Value.assignTo({0x4976d20?, 0xc002240c10?, 0xc002240c10?}, {0x5a6e45b, 0xb}, 0xc0020b58c0, 0x0)
reflect/value.go:3356 +0x299
reflect.Value.Set({0xc0020b58c0?, 0xc002272040?, 0xc002272030?}, {0x4976d20?, 0xc002240c10?, 0xc001e0a2f0?})
reflect/value.go:2325 +0xe6
github.com/traefik/yaegi/interp.call.func9(0xc001dc9600)
github.com/traefik/yaegi@v0.16.1/interp/run.go:1391 +0xbc5
github.com/traefik/yaegi/interp.runCfg(0xc002220f00, 0xc001dc9600, 0x1?, 0x1?)
github.com/traefik/yaegi@v0.16.1/interp/run.go:234 +0x285
github.com/traefik/yaegi/interp.(*Interpreter).run(0xc001cd7d48, 0xc002261400, 0xc00231bb01?)
github.com/traefik/yaegi@v0.16.1/interp/run.go:119 +0x395
github.com/traefik/yaegi/interp.(*Interpreter).importSrc(0xc001cd7d48, {0xc00231bb90, 0x28}, {0xc00231bb01, 0x27}, 0x1)
github.com/traefik/yaegi@v0.16.1/interp/src.go:162 +0xf3b
github.com/traefik/yaegi/interp.(*Interpreter).gta.func1(0xc0021f5b80)
github.com/traefik/yaegi@v0.16.1/interp/gta.go:273 +0xcdb
github.com/traefik/yaegi/interp.(*node).Walk(0xc0021f5b80, 0xc00269c710, 0x0)
github.com/traefik/yaegi@v0.16.1/interp/interp.go:282 +0x2e
github.com/traefik/yaegi/interp.(*node).Walk(0xc0021f5540, 0xc00269c710, 0x0)
github.com/traefik/yaegi@v0.16.1/interp/interp.go:286 +0x6b
github.com/traefik/yaegi/interp.(*node).Walk(0xc0021f52c0, 0xc00269c710, 0x0)
github.com/traefik/yaegi@v0.16.1/interp/interp.go:286 +0x6b
github.com/traefik/yaegi/interp.(*Interpreter).gta(0xc001cd7d48, 0xc0021f52c0, {0xc00231bb90, 0x28}, {0xc00231b741, 0x28}, {0xc001ca50e7, 0x5})
github.com/traefik/yaegi@v0.16.1/interp/gta.go:20 +0x22b
github.com/traefik/yaegi/interp.(*Interpreter).importSrc(0xc001cd7d48, {0xc001da78e0, 0x1e}, {0xc00231b741, 0x28}, 0x1)
github.com/traefik/yaegi@v0.16.1/interp/src.go:109 +0x925
github.com/traefik/yaegi/interp.(*Interpreter).gta.func1(0xc0021c1180)
github.com/traefik/yaegi@v0.16.1/interp/gta.go:273 +0xcdb
github.com/traefik/yaegi/interp.(*node).Walk(0xc0021c1180, 0xc00269d458, 0x0)
github.com/traefik/yaegi@v0.16.1/interp/interp.go:282 +0x2e
github.com/traefik/yaegi/interp.(*node).Walk(0xc0021c0140, 0xc00269d458, 0x0)
github.com/traefik/yaegi@v0.16.1/interp/interp.go:286 +0x6b
github.com/traefik/yaegi/interp.(*node).Walk(0xc0021b1e00, 0xc00269d458, 0x0)
github.com/traefik/yaegi@v0.16.1/interp/interp.go:286 +0x6b
github.com/traefik/yaegi/interp.(*Interpreter).gta(0xc001cd7d48, 0xc0021b1e00, {0xc001da78e0, 0x1e}, {0xc001da7821, 0x1e}, {0xc001c912e8, 0x8})
github.com/traefik/yaegi@v0.16.1/interp/gta.go:20 +0x22b
github.com/traefik/yaegi/interp.(*Interpreter).importSrc(0xc001cd7d48, {0xc001c90e88, 0x4}, {0xc001da7821, 0x1e}, 0x1)
github.com/traefik/yaegi@v0.16.1/interp/src.go:109 +0x925
github.com/traefik/yaegi/interp.(*Interpreter).gta.func1(0xc0021b1b80)
github.com/traefik/yaegi@v0.16.1/interp/gta.go:273 +0xcdb
github.com/traefik/yaegi/interp.(*node).Walk(0xc0021b1b80, 0xc00269e1a0, 0x0)
github.com/traefik/yaegi@v0.16.1/interp/interp.go:282 +0x2e
github.com/traefik/yaegi/interp.(*node).Walk(0xc0021b1a40, 0xc00269e1a0, 0x0)
github.com/traefik/yaegi@v0.16.1/interp/interp.go:286 +0x6b
github.com/traefik/yaegi/interp.(*node).Walk(0xc0021b17c0, 0xc00269e1a0, 0x0)
github.com/traefik/yaegi@v0.16.1/interp/interp.go:286 +0x6b
github.com/traefik/yaegi/interp.(*Interpreter).gta(0xc001cd7d48, 0xc0021b17c0, {0xc001c90e88, 0x4}, {0xc001c90e88, 0x4}, {0xc001c90e88, 0x4})
github.com/traefik/yaegi@v0.16.1/interp/gta.go:20 +0x22b
github.com/traefik/yaegi/interp.(*Interpreter).gtaRetry(0xc001cd7d48, {0xc00269e388?, 0xc0016854a0?, 0xc00269e2c8?}, {0xc001c90e88, 0x4}, {0xc001c90e88, 0x4})
github.com/traefik/yaegi@v0.16.1/interp/gta.go:395 +0x158
github.com/traefik/yaegi/interp.(*Interpreter).CompileAST(0xc001cd7d48, {0x698b9a0?, 0xc0016854a0?})
github.com/traefik/yaegi@v0.16.1/interp/program.go:92 +0x11f
github.com/traefik/yaegi/interp.(*Interpreter).compileSrc(0xc001cd7d48, {0xc00231b680?, 0x1?}, {0x0?, 0xc00231b680?}, 0xa0?)
github.com/traefik/yaegi@v0.16.1/interp/program.go:64 +0xaa
github.com/traefik/yaegi/interp.(*Interpreter).eval(0xc001cd7d48, {0xc00231b680?, 0xc00269e8c8?}, {0x0?, 0x1?}, 0x0?)
github.com/traefik/yaegi@v0.16.1/interp/interp.go:554 +0x25
github.com/traefik/yaegi/interp.(*Interpreter).Eval(...)
github.com/traefik/yaegi@v0.16.1/interp/interp.go:496
github.com/traefik/traefik/v3/pkg/plugins.newInterpreter({0x69bd0c0, 0xc001f5f8c0}, {0xc001c753e0, 0x25}, {0xc001da6a00, 0x1e})
github.com/traefik/traefik/v3/pkg/plugins/middlewareyaegi.go:140 +0x589
github.com/traefik/traefik/v3/pkg/plugins.newMiddlewareBuilder({0x69bd0c0?, 0xc001f5f8c0?}, {0xc001c753e0?, 0x1?}, 0xc001b0f9e0, {0xc001c806e0?, 0x69bcfe0?}, {{0x0, 0x0, 0x0}, ...})
github.com/traefik/traefik/v3/pkg/plugins/builder.go:142 +0x16f
github.com/traefik/traefik/v3/pkg/plugins.NewBuilder(0xc001c47310, 0xc001c77710, 0xc002590270)
github.com/traefik/traefik/v3/pkg/plugins/builder.go:55 +0x6d5
main.createPluginBuilder(0xc001a434a0?)
github.com/traefik/traefik/v3/cmd/traefik/plugins.go:18 +0x2b
main.setupServer(0xc001b0e120)
github.com/traefik/traefik/v3/cmd/traefik/traefik.go:238 +0xa86
main.runCmd(0xc001b0e120)
github.com/traefik/traefik/v3/cmd/traefik/traefik.go:117 +0x2b4
main.main.func1({0xc001957bc0?, 0xc0001d2080?, 0x10?})
github.com/traefik/traefik/v3/cmd/traefik/traefik.go:65 +0x19
github.com/traefik/paerser/cli.run(0xc0018f3200, {0xc0001d2080, 0x0?, 0x0})
github.com/traefik/paerser@v0.2.0/cli/commands.go:133 +0x243
github.com/traefik/paerser/cli.execute(0xc0018f3200, {0xc0001d2080, 0x2, 0x2}, 0x28?)
github.com/traefik/paerser@v0.2.0/cli/commands.go:76 +0x6cf
github.com/traefik/paerser/cli.Execute(...)
github.com/traefik/paerser@v0.2.0/cli/commands.go:51
main.main()
github.com/traefik/traefik/v3/cmd/traefik/traefik.go:81 +0x554
`traefik.yml` has just this for the plugin loading:
```yaml
experimental:
  plugins:
    GeoBlock:
      moduleName: "github.com/PascalMinder/geoblock"
      version: "v0.2.8"
    fail2ban:
      moduleName: "github.com/tomMoulard/fail2ban"
      version: "v0.8.2"
```
indeed, my bad, I've released https://github.com/tomMoulard/fail2ban/tree/v0.8.3 that should fix this particular panic issue.
This new version loads fine, but doesn't log anything beyond the initial first message.
2024/09/07 10:02:33 Plugin: FailToBan is up and running
The middleware configuration I've got is:
```yaml
http:
  middlewares:
    fail2ban:
      plugin:
        fail2ban:
          logLevel: DEBUG
          # allowlist:
          #   ip: 10.150.0.0/16
          # denylist:
          #   ip: 192.168.0.0/24
          rules:
            bantime: 5m
            enabled: true
            findtime: 30s
            maxretry: 5
            statuscode: "400,401,403-499"
```
And much like with the initial case described by @PS1TD, this version blocks connectivity after just opening a loading screen, as if 200s were 400s...
Did you enable traefik DEBUG log level? If so, have you the following log?
DBG github.com/traefik/traefik/v3/pkg/plugins/plugins.go:30 > Loading of plugin: fail2ban: github.com/tomMoulard/fail2ban@v0.8.3
Good point. I failed to notice this bit from the documentation:
Please note that Fail2ban logs will only be visible when Traefik's log level is set to DEBUG
After setting this I'm... well, I'm getting a bit overly swarmed with logs now.
But I think I've managed to isolate a fragment of `fail2ban`, from startup to this middleware blocking me from accessing a login page (i.e. I've not yet provided any credentials, valid or invalid). While this should not matter, I'm attempting to access "Home Assistant", to which I've got the credentials cached (i.e. there should be no 400s at all).
Note: I've removed all routing information from the logs as other services are being frequently accessed and add a lot of noise, and I've stripped a `module=github.com/tomMoulard/fail2ban plugin=plugin-fail2ban runtime=` suffix from `fail2ban` logs. Finally I've had to remove `fail2ban` "Write: buf:" rows, as they are VERY long and break the limits of posting on GitHub. If those are required I'll find some other ways to share them.
2024-09-07T15:59:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=websecure middlewareName=fail2ban@file routerName=haos@file
2024-09-07T15:59:54Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"fail2ban":{"plugin":{"fail2ban":{"logLevel":"DEBUG","rules":{"bantime":"5m","enabled":"true","findtime":"30s","maxretry":"5","statuscode":"400,401,403-499"}}}}..."
2024/09/07 16:00:12 Plugin: FailToBan is up and running
2024/09/07 16:00:14 Plugin: FailToBan is up and running
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is denied
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is allowed
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > url / not is allowed
2024-09-07T16:00:22Z DBG fmt/print.go:225 > welcome "10.152.4.15"
2024-09-07T16:00:22Z DBG fmt/print.go:225 > status handler
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > Write header: code: 200
2024-09-07T16:00:22Z DBG fmt/print.go:225 > catcher: {XheaderMap:map[Content-Encoding:[deflate] Content-Length:[2297] Content-Type:[text/html; charset=utf-8] Date:[Sat, 07 Sep 2024 16:00:29 GMT] Referrer-Policy:[no-referrer] Server:[] X-Content-Type-Options:[nosniff] X-Frame-Options:[SAMEORIGIN]] Xcode:200 XhttpCodeRanges:[[400 400] [401 401] [403 499]] XcaughtFilteredCode:false XresponseWriter:0xc00220eae0 XheadersSent:true Xbytes:[] XallowedRequest:false}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is denied
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is allowed
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > url /frontend_latest/core.ydYtuXnHVAs.js not is allowed
2024-09-07T16:00:22Z DBG fmt/print.go:225 > welcome back "10.152.4.15" for the 2 time
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > status handler
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is denied
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is allowed
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > url /frontend_latest/app.okM55PX7yEE.js not is allowed
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > welcome back "10.152.4.15" for the 3 time
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is denied
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is allowed
2024-09-07T16:00:22Z DBG fmt/print.go:225 > status handler
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > url /static/images/ohf-badge.svg not is allowed
2024-09-07T16:00:22Z DBG fmt/print.go:225 > welcome back "10.152.4.15" for the 4 time
2024-09-07T16:00:22Z DBG fmt/print.go:225 > status handler
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > Write header: code: 200
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is denied
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is denied
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is allowed
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is denied
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > url /static/fonts/roboto/Roboto-Regular.woff2 not is allowed
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is allowed
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is allowed
2024-09-07T16:00:22Z DBG fmt/print.go:225 > "10.152.4.15" is banned for 5>=5 request
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > url /static/fonts/roboto/Roboto-Medium.woff2 not is allowed
2024-09-07T16:00:22Z DBG fmt/print.go:225 > url /hacsfiles/iconset.js not is allowed
2024-09-07T16:00:22Z DBG fmt/print.go:225 > "10.152.4.15" is still banned since "2024-09-07T16:00:22Z", 6 request
2024-09-07T16:00:22Z DBG fmt/print.go:225 > "10.152.4.15" is still banned since "2024-09-07T16:00:22Z", 7 request
2024-09-07T16:00:22Z DBG fmt/print.go:225 > catcher: {XheaderMap:map[Accept-Ranges:[bytes] Cache-Control:[public, max-age=2678400] Content-Encoding:[br] Content-Length:[15482] Content-Type:[text/javascript] Date:[Sat, 07 Sep 2024 16:00:29 GMT] Etag:["17eefe1f5dc34c00-3c7a"] Last-Modified:[Sun, 25 Aug 2024 14:11:58 GMT] Referrer-Policy:[no-referrer] Server:[] Vary:[Accept-Encoding] X-Content-Type-Options:[nosniff] X-Frame-Options:[SAMEORIGIN]] Xcode:200 XhttpCodeRanges:[[400 400] [401 401] [403 499]] XcaughtFilteredCode:false XresponseWriter:0xc001d61900 XheadersSent:true Xbytes:[] XallowedRequest:false}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > Write header: code: 200
2024-09-07T16:00:22Z DBG fmt/print.go:225 > Write header: code: 200
2024-09-07T16:00:22Z DBG fmt/print.go:225 > catcher: {XheaderMap:map[Accept-Ranges:[bytes] Cache-Control:[public, max-age=2678400] Content-Encoding:[gzip] Content-Length:[3522] Content-Type:[image/svg+xml] Date:[Sat, 07 Sep 2024 16:00:29 GMT] Etag:["17eefe1f5dc34c00-dc2"] Last-Modified:[Sun, 25 Aug 2024 14:11:58 GMT] Referrer-Policy:[no-referrer] Server:[] Vary:[Accept-Encoding] X-Content-Type-Options:[nosniff] X-Frame-Options:[SAMEORIGIN]] Xcode:200 XhttpCodeRanges:[[400 400] [401 401] [403 499]] XcaughtFilteredCode:false XresponseWriter:0xc00220f4a0 XheadersSent:true Xbytes:[] XallowedRequest:false}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > catcher: {XheaderMap:map[Accept-Ranges:[bytes] Cache-Control:[public, max-age=2678400] Content-Encoding:[br] Content-Length:[74998] Content-Type:[text/javascript] Date:[Sat, 07 Sep 2024 16:00:29 GMT] Etag:["17eefe1f5dc34c00-124f6"] Last-Modified:[Sun, 25 Aug 2024 14:11:58 GMT] Referrer-Policy:[no-referrer] Server:[] Vary:[Accept-Encoding] X-Content-Type-Options:[nosniff] X-Frame-Options:[SAMEORIGIN]] Xcode:200 XhttpCodeRanges:[[400 400] [401 401] [403 499]] XcaughtFilteredCode:false XresponseWriter:0xc002130c40 XheadersSent:true Xbytes:[] XallowedRequest:false}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is denied
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is allowed
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15}
2024-09-07T16:00:22Z DBG fmt/print.go:225 > url /auth/token not is allowed
2024-09-07T16:00:22Z DBG fmt/print.go:225 > "10.152.4.15" is still banned since "2024-09-07T16:00:22Z", 8 request
Like @PS1TD I'm not using any `urlregexps` in the configuration, nor any `denylist` nor `allowlist`. I.e. I'm just interested in filtering based on status codes.
Hi, I just stumbled upon the same problem and think that the issue is here: https://github.com/tomMoulard/fail2ban/blob/6b3824f01a31135e9f1e9fd1cdb56a4b62eb4c86/fail2ban.go#L143
The f2b-handler is called in the chain before the status-code-handler and thus fail2bans EVERY request (see also here: https://github.com/tomMoulard/fail2ban/blob/6b3824f01a31135e9f1e9fd1cdb56a4b62eb4c86/pkg/chain/chain.go#L84 )
I think that `f2bHandler.New(f2b),` should not be in the handler-chain at all for this to work...
Indeed I could try reversing the order in the chain but I doubt it will work as you intend.
For your last part, removing the handler will remove its ability to catch status codes. But indeed, it will count twice the request in the handler.
The status-code handler internally calls the f2b if a proper status-code is detected. Why call the f2b-handler "naked" (without any preconditions) in the chain at all? It then counts every request against the "maxRetry", even "legal" ones with a 200 response-code.
I'd think that inside the chain one would need a handler that continues blocking, if an IP is already on the ban-list, but that does not blindly increase ip.count towards maxRetries. Increasing the counter for an IP may only happen if a precondition for a "failed"-request is met (like inside the URLRegexBan or the http-status-handler).
(I'm not able to write Go-code myself, otherwise I'd create a merge-request)
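The counting rule proposed in the comment above (keep blocking an IP that is already banned, but count toward `maxretry` only when the response status matches a configured range), as an added Go example. It is not code from the fail2ban plugin: `tracker`, `Blocked`, `Record`, `served` and `countAll` are hypothetical names, the configuration values are the ones posted in this thread, and the response sequence is constructed.

```go
package main

import (
	"fmt"
	"time"
)

type tracker struct { // hypothetical stand-in for the plugin's per-IP state
	maxRetry          int
	findTime, banTime time.Duration
	ranges            [][2]int // inclusive status ranges, as in XhttpCodeRanges
	countAll          bool     // true models the reported bug: every request counts
	count             map[string]int
	first, bannedAt   map[string]time.Time
}

func newTracker(countAll bool) *tracker { // values from the thread's configuration
	return &tracker{maxRetry: 5, findTime: 30 * time.Second, banTime: 5 * time.Minute,
		ranges: [][2]int{{400, 400}, {401, 401}, {403, 499}}, countAll: countAll,
		count: map[string]int{}, first: map[string]time.Time{}, bannedAt: map[string]time.Time{}}
}

// Blocked runs on every request: it enforces an existing ban but never counts.
func (t *tracker) Blocked(ip string, now time.Time) bool {
	at, banned := t.bannedAt[ip]
	return banned && now.Sub(at) < t.banTime
}

// Record runs once the status is known; only a configured status counts.
func (t *tracker) Record(ip string, status int, now time.Time) {
	failed := t.countAll
	for _, r := range t.ranges {
		failed = failed || (status >= r[0] && status <= r[1])
	}
	if !failed {
		return
	}
	if now.Sub(t.first[ip]) > t.findTime { // first failure, or findtime window over
		t.first[ip], t.count[ip] = now, 0
	}
	if t.count[ip]++; t.count[ip] >= t.maxRetry {
		t.bannedAt[ip] = now
	}
}

func served(t *tracker, statuses []int) (n int) { // replays constructed responses from one client
	now := time.Date(2024, 9, 7, 16, 0, 22, 0, time.UTC)
	for _, s := range statuses {
		if !t.Blocked("10.152.4.15", now) {
			n++
			t.Record("10.152.4.15", s, now)
		}
	}
	return n
}

func main() {
	ok := []int{200, 200, 200, 200, 200, 200, 200, 200} // constructed page load
	fmt.Println(served(newTracker(true), ok), served(newTracker(false), ok))
}
```

With `countAll` set, the eight 200 responses of a page load are cut off once five have been counted; with the status precondition in place all eight are served, and a ban still triggers after five matching responses.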
Experiencing the same problem requests get banned after `maxretry` attempts regardless of the status code (#153
Have the same issue here with Fail2Ban `v0.8.3` and Traefik `v3.1.6`
For some reason my setup does not recognize successful status codes and bans on the 11th request. I also don't see anything in the logs even though I have enabled DEBUG logging. Setup: