tomMoulard / fail2ban

Traefik plugin on fail2ban middleware
MIT License

Config from Labels is not extracted #86

Closed la7eralus closed 8 months ago

la7eralus commented 8 months ago

Hello, I manage the f2b config via docker labels:

Initialisation (command):
- --experimental.plugins.traefik-fail2ban-plugin.modulename=github.com/tomMoulard/fail2ban
- --experimental.plugins.traefik-fail2ban-plugin.version=v0.7.1

Label:
- "traefik.http.middlewares.fail2ban-plugin.plugin.traefik-fail2ban-plugin.enabled=true"
- "traefik.http.middlewares.fail2ban-plugin.plugin.traefik-fail2ban-plugin.bantime=3h"
- "traefik.http.middlewares.fail2ban-plugin.plugin.traefik-fail2ban-plugin.findtime=2m"
- "traefik.http.middlewares.fail2ban-plugin.plugin.traefik-fail2ban-plugin.maxretry=2"
- "traefik.http.routers.catch-all.middlewares=catch-all-ratelimit,catch-all-redirect,fail2ban-plugin,modsec-plugin"

But it looks like my settings are ignored, since the log is showing this:

10/23/2023 6:48:11 PM 2023/10/23 18:48:11 Bantime: 5m0s
10/23/2023 6:48:11 PM 2023/10/23 18:48:11 Findtime: 2m0s
10/23/2023 6:48:11 PM 2023/10/23 18:48:11 FailToBan Rules : '{Bantime:5m0s Findtime:2m0s URLRegexpAllow:[] URLRegexpBan:[] MaxRetry:0 Enabled:true}'
10/23/2023 6:48:11 PM 2023/10/23 18:48:11 Plugin: FailToBan is up and running

I double checked the example: https://github.com/tomMoulard/fail2ban/blob/main/docker-compose.yml and the code, but couldn't find an issue with my config: https://github.com/tomMoulard/fail2ban/blob/2790061e862b27fb62a992822cd6d9bd2beed887/fail2ban.go#L43

I think it's interesting that it somehow managed to interpret the enabled flag, but not the other parameters. The case should be correct, as seen in the example and the sources.

tomMoulard commented 8 months ago

Hello @5olu7ion,

Thanks for your interest in this Traefik Plugin!

Indeed, the default plugin configuration enables the Plugin by default.

As for your issue, I need to reproduce your issue to confirm the bug. So I will class this issue as bug/possible until there is someone that can reproduce this issue. Can you give your traefik configuration as well?

la7eralus commented 8 months ago

Thanks for your quick reply :-) I tailored a little example:

version: '3.6'
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    environment:
      - TZ=Europe/Berlin
    ports:
      - 80:80
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    command:
      - --global.sendanonymoususage=false
      - --api.dashboard=false
      - --api.insecure=false
      - --log.level=INFO
      - --accesslog=true
      - --accesslog.fields.names.StartUTC=drop
      - --providers.docker.watch=true
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=services
      - --entrypoints.web.address=:80
      - --experimental.plugins.traefik-fail2ban-plugin.modulename=github.com/tomMoulard/fail2ban
      - --experimental.plugins.traefik-fail2ban-plugin.version=v0.7.1
    networks:
      - services
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.catch-all.rule=Host(`localhost`)"
      - "traefik.http.middlewares.fail2ban-plugin.plugin.traefik-fail2ban-plugin.enabled=true"
      - "traefik.http.middlewares.fail2ban-plugin.plugin.traefik-fail2ban-plugin.bantime=3h"
      - "traefik.http.middlewares.fail2ban-plugin.plugin.traefik-fail2ban-plugin.findtime=2m"
      - "traefik.http.middlewares.fail2ban-plugin.plugin.traefik-fail2ban-plugin.maxretry=2"
      - "traefik.http.routers.catch-all.middlewares=fail2ban-plugin"

networks:
  services:
    name: services

It shows the same output as on my Server:

[user:~/Desktop] 7s $ docker compose up
[+] Running 5/5
 ✔ traefik 4 layers [⣿⣿⣿⣿] 0B/0B Pulled 19.5s
   ✔ 96526aa774ef Pull complete 3.2s
   ✔ eeed05813ad6 Pull complete 1.3s
   ✔ 86ea8083d7bc Pull complete 15.5s
   ✔ cea349f5f8a7 Pull complete 1.9s
[+] Running 2/0
 ✔ Network services Created 0.0s
 ✔ Container traefik Created 0.0s
Attaching to traefik
traefik  | time="2023-10-23T19:21:07+02:00" level=info msg="Configuration loaded from flags."
traefik  | time="2023-10-23T19:21:07+02:00" level=info msg="Traefik version 2.10.5 built on 2023-10-11T13:54:02Z"
traefik  | time="2023-10-23T19:21:07+02:00" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
traefik  | time="2023-10-23T19:21:07+02:00" level=info msg="Starting provider aggregator aggregator.ProviderAggregator"
traefik  | time="2023-10-23T19:21:07+02:00" level=info msg="Starting provider *docker.Provider"
traefik  | time="2023-10-23T19:21:08+02:00" level=info msg="Starting provider *traefik.Provider"
traefik  | time="2023-10-23T19:21:08+02:00" level=info msg="Starting provider *acme.ChallengeTLSALPN"
traefik  | 2023/10/23 19:21:08 Bantime: 5m0s
traefik  | 2023/10/23 19:21:08 Findtime: 2m0s
traefik  | 2023/10/23 19:21:08 FailToBan Rules : '{Bantime:5m0s Findtime:2m0s URLRegexpAllow:[] URLRegexpBan:[] MaxRetry:0 Enabled:true}'
traefik  | 2023/10/23 19:21:08 Plugin: FailToBan is up and running

tomMoulard commented 8 months ago

Perfect, thanks, I will look into it.

tomMoulard commented 8 months ago

Hello @5olu7ion,

To solve your issue, the plugin configuration is:

traefik-fail2ban-plugin:
  rules: # <-- this is missing
    bantime: "3h"
    findtime: "2m"
    maxretry: 2
    enabled: true

la7eralus commented 8 months ago

Seems like I should have triple checked the example ;-) Thank you very much and sorry for this trivial question, your suggestion worked perfectly.

10/24/2023 8:24:55 PM 2023/10/24 20:24:55 Bantime: 3h0m0s
10/24/2023 8:24:55 PM 2023/10/24 20:24:55 Findtime: 2m0s
10/24/2023 8:24:55 PM 2023/10/24 20:24:55 FailToBan Rules : '{Bantime:3h0m0s Findtime:2m0s URLRegexpAllow:[] URLRegexpBan:[] MaxRetry:2 Enabled:true}'
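
The thread shows a ban policy silently falling back to defaults (`Bantime:5m0s`, `MaxRetry:0`) with nothing in the log flagging the ignored labels. The following added example, which is not part of the thread or the plugin's code, parses the plugin's `FailToBan Rules` startup line and reports every setting that differs from the intended one. The names `Rules`, `ParseRules` and `Drift` are hypothetical, and the log format is assumed to match the lines quoted above.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"time"
)

// Rules mirrors the fields the plugin prints in its "FailToBan Rules" startup line.
type Rules struct {
	Bantime, Findtime time.Duration
	MaxRetry          int
}
var rulesRe = regexp.MustCompile(`FailToBan Rules : '\{Bantime:(\S+) Findtime:(\S+) .*MaxRetry:(\d+)`)
// ParseRules extracts the effective settings from one startup log line.
func ParseRules(line string) (Rules, error) {
	m := rulesRe.FindStringSubmatch(line)
	if m == nil {
		return Rules{}, fmt.Errorf("no FailToBan Rules entry in line")
	}
	ban, e1 := time.ParseDuration(m[1]) // Go duration syntax: "3h" equals "3h0m0s"
	find, e2 := time.ParseDuration(m[2])
	retry, e3 := strconv.Atoi(m[3])
	if e1 != nil || e2 != nil || e3 != nil {
		return Rules{}, fmt.Errorf("unparseable value in %q", m[0])
	}
	return Rules{ban, find, retry}, nil
}

// Drift reports every setting whose effective value differs from the intended one.
func Drift(want, got Rules) []string {
	var out []string
	check := func(name string, w, g any) {
		if w != g {
			out = append(out, fmt.Sprintf("%s: want %v, got %v", name, w, g))
		}
	}
	check("bantime", want.Bantime, got.Bantime)
	check("findtime", want.Findtime, got.Findtime)
	check("maxretry", want.MaxRetry, got.MaxRetry)
	return out
}

func main() {
	want := Rules{3 * time.Hour, 2 * time.Minute, 2} // intended: bantime=3h findtime=2m maxretry=2
	// Startup line from the thread, logged while the labels lacked the "rules" level.
	got, err := ParseRules(`2023/10/23 19:21:08 FailToBan Rules : '{Bantime:5m0s Findtime:2m0s URLRegexpAllow:[] URLRegexpBan:[] MaxRetry:0 Enabled:true}'`)
	fmt.Println(Drift(want, got), err)
}
```

With the labels written with the `rules` level from the maintainer's answer, for example `traefik.http.middlewares.fail2ban-plugin.plugin.traefik-fail2ban-plugin.rules.bantime=3h`, the startup line matches the intended values and `Drift` returns nothing.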