tomMoulard / fail2ban

Traefik plugin on fail2ban middleware
MIT License
191 stars 10 forks

Configure the plugin for all my services #36

Closed Whisper40 closed 3 years ago

Whisper40 commented 3 years ago

Hello, I discovered your plugin today! This is how I have configured it:

command:
      - "--experimental.plugins.fail2ban.modulename=github.com/tommoulard/fail2ban"
      - "--experimental.plugins.fail2ban.version=v0.6.0"
labels:
      - "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.enabled=true"
      - "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.maxretry=4"
      - "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.bantime=1h"

My goal is to block access to a service if there are, for example, 4 login failures. Actually it does not work; I can repeat many login errors without problem. (I restarted, for sure.)

I think that there is something that I haven't understood. I didn't make any changes on my service (application) side. Should I do something?

I can see my middleware in traefik -> fail2ban@docker

Thanks for the help :)

tomMoulard commented 3 years ago

Hi @Whisper40,

Thanks for your interest in Fail2Ban!

Did you add the middleware to your service?

      - "traefik.http.routers.traefik.middlewares=fail2ban@docker"

Whisper40 commented 3 years ago

Hi @tomMoulard

I actually have this on the traefik side:

- "traefik.http.routers.traefik.middlewares=traefik-auth"
- "traefik.http.middlewares.traefik-auth.basicauth.users=account:${passwd_account}"

Should it be like this?

- "traefik.http.routers.traefik.middlewares=traefik-auth, fail2ban@docker"   # can I put just fail2ban and not with @docker?
- "traefik.http.middlewares.traefik-auth.basicauth.users=account:${passwd_account}"

Thanks!

tomMoulard commented 3 years ago

Yeah! This way you are actually using the middleware on a router. See the configuration example.

Whisper40 commented 3 years ago

OK, so by doing this, only traefik will be protected by fail2ban. In my case I serve apps, each time with a different name for the auth. Example:

- "traefik.http.routers.rutorrent_user-router.middlewares=user_app-auth"
another user:
- "traefik.http.routers.rutorrent_user2-router.middlewares=user2_app-auth"

So is there a way to set it as a global middleware? (In order not to repeat the code everywhere?)

tomMoulard commented 3 years ago

As you can see here, you can provide a list of middleware that will be added to the entrypoint itself, thus enabling it by default for services using the entrypoint.

Whisper40 commented 3 years ago

Hum, when I add ", fail2ban@docker", it just breaks traefik with a 404 not found on the traefik admin page. Traefik version: traefik:v2.4. What I did:

command:
  - "--experimental.plugins.fail2ban.modulename=github.com/tommoulard/fail2ban"
  - "--experimental.plugins.fail2ban.version=v0.6.0"
labels:
  - "traefik.http.routers.traefik.middlewares=traefik-auth, fail2ban@docker"
  - "traefik.http.middlewares.traefik-auth.basicauth.users=account:${passwd_account}"

tomMoulard commented 3 years ago

Can you provide a reproducible case? I mean a way to reproduce the issue easily and quickly without having to configure and build the whole context. For example, it could be a docker compose file with the minimal Traefik configuration (static and dynamic) that reproduces the issue, plus all the containers needed for the use case. Finally, all commands used to prove the issue.

Thanks

Whisper40 commented 3 years ago

This is the docker-compose used with my domain:

You can remove the SSL part and Cloudflare.

version: '3.9'
services:
###################################
#  TRAEFIK
###################################
  traefik:
    image: traefik:v2.4
    container_name: traefik
    restart: unless-stopped
    command:
      # Globals
      - "--global.checkNewVersion=true"
      - "--global.sendAnonymousUsage=true"
      # Logs
      - "--log=true"
      - "--log.level=${DEBUG_LEVEL}"
      - "--accessLog=true"
      - "--accessLog.filePath=/log/traefik.log"
      - "--accessLog.bufferingSize=100"
      - "--accessLog.filters.statusCodes=400-499"
      - "--accesslog.fields.names.StartUTC=drop"
      # Http & Https      
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      # Permits the update by user's services
      - "--api=true"
      # Docker Configuration      
      - "--providers.docker=true"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=traefik_proxy"
      - "--providers.docker.swarmMode=false"
      - "--providers.file.directory=/rules"
      - "--providers.file.watch=true"
      # Certificate Resolver
#       - "--certificatesResolvers.mydnschallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.mydnschallenge.acme.email=${CF_API_EMAIL}"
      - "--certificatesresolvers.mydnschallenge.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.mydnschallenge.acme.storage=/etc/traefik/acme.json"
      - "--serverstransport.insecureskipverify=true"

      # Traefik Plugins
      - "--experimental.plugins.fail2ban.modulename=github.com/tommoulard/fail2ban"
      - "--experimental.plugins.fail2ban.version=v0.6.0"
    labels:
      # Api
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_BASE_URL}-${SERVER_BASE_URL}.${DOMAIN_URL}`)"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
      - "traefik.http.services.traefik.loadbalancer.server.scheme=http"
      - "traefik.http.routers.traefik.service=api@internal"
      # Wildcard cert
      - "traefik.http.routers.traefik.tls.domains[0].main=${DOMAIN_URL}"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.${DOMAIN_URL}"
      - "traefik.http.routers.traefik.tls.certresolver=mydnschallenge"
      # Http -> Https
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls=true"
      # Traefik Authentification
      - "traefik.http.routers.traefik.middlewares=traefik-auth, fail2ban@docker"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:${passwd_admin}"
      # Traefik Plugins Configuration
      - "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.enabled=true"
      - "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.maxretry=4"
      - "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.bantime=1h"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /usr/share/zoneinfo:/usr/share/zoneinfo:ro
      - $CONFIG_DIR/traefik:/etc/traefik
      - $CONFIG_DIR/traefik/logs:/log
    ports:
      - "80:80"
      - "443:443"
    environment:
      - CLOUDFLARE_EMAIL=${CF_API_EMAIL}
      - CLOUDFLARE_API_KEY=${CF_API_KEY}
      - TZ=${TZ}
    networks:
      - proxy
##########################################
# Networks
##########################################
networks:
  proxy:
    external:
      name: traefik_proxy

tomMoulard commented 3 years ago

Do you have the pilot token in your configuration?

Whisper40 commented 3 years ago

Yes, I just deleted it for GitHub (pilot working).

tomMoulard commented 3 years ago

When using your docker-compose, I can see the error:

traefik_1  | time="2021-04-12T12:31:10Z" level=error msg="Error when Transforming rules: Could not parse Ports, bad format (hint: use something like \"80:443\" to filter all ports from 80 to 443)" routerName=traefik@docker entryPointName=websecure

Thus, you should add this line to your configuration to make the fail2ban plugin work:

      - "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.ports=80:443"

You have other errors on your traefik configuration, but they are not related to the plugin.
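The two points raised in this thread (attaching the middleware once at the entrypoint instead of on every router, and the mandatory `rules.ports` key) combined into one minimal docker-compose file. This is an added example, not the plugin's own or the reporter's file; the service name `app`, the `example.test` host names, the `nginx:alpine` placeholder workload and the `${passwd_*}` variables are assumptions. The entrypoint option `--entryPoints.<name>.http.middlewares` is a standard Traefik v2.3+ setting.

```yaml
# Added example: fail2ban@docker is attached to the websecure entrypoint once,
# so every router on that entrypoint is covered without repeating the label.
version: '3.9'
services:
  traefik:
    image: traefik:v2.4
    command:
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      # Entrypoint-level middleware list: applied to all routers on websecure,
      # and evaluated before each router's own middlewares.
      - "--entryPoints.websecure.http.middlewares=fail2ban@docker"
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
      - "--experimental.plugins.fail2ban.modulename=github.com/tommoulard/fail2ban"
      - "--experimental.plugins.fail2ban.version=v0.6.0"
    labels:
      - "traefik.enable=true"
      # The plugin middleware is declared once here; the docker provider
      # publishes it under the name fail2ban@docker.
      - "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.enabled=true"
      - "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.maxretry=4"
      - "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.bantime=1h"
      # Required with v0.6.0: without a ports rule Traefik logs
      # "Could not parse Ports" and the router using the middleware is dropped.
      - "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.ports=80:443"
      # Dashboard router keeps only its own basic auth; fail2ban is inherited.
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.test`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:${passwd_admin}"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - "80:80"
      - "443:443"

  # A per-user app (placeholder image): it lists only its own auth middleware,
  # exactly as the reporter wanted; fail2ban comes from the entrypoint.
  app:
    image: nginx:alpine
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app-user.rule=Host(`app.example.test`)"
      - "traefik.http.routers.app-user.entrypoints=websecure"
      - "traefik.http.routers.app-user.middlewares=user_app-auth"
      - "traefik.http.middlewares.user_app-auth.basicauth.users=user:${passwd_user}"
```

Two things to check after deploying this: the Traefik log should no longer contain the "Could not parse Ports" error quoted above, and the dashboard should list fail2ban@docker under the websecure entrypoint rather than under individual routers. If traffic reaches Traefik through Cloudflare or another proxy, as in the reporter's setup, confirm which source address the plugin keys its counters on; a ban keyed on the proxy's address would lock out every client behind it.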

Whisper40 commented 3 years ago

OK, I think it should be added to the Traefik Pilot documentation :) Yep, on my side just a little error with rules (wrong directory).