feat: plug-and-play refactor — docker-npm action, CF support, whitelist live-update
- Replace iptables-allports with docker-npm action (DOCKER-USER + xt_string X-Forwarded-For matching + INPUT chain) matching user's working setup - Add telegram_notif.sh (deployed to /data/action.d/ at first run, user-editable) - Add cloudflare.conf action; jail.cloudflare.local enabled via CF compose file - Two compose files: docker-compose.yml (standard) and docker-compose.cloudflare.yml - entrypoint: modprobe xt_string, DOCKER-USER chain check, CF jail auto-selection, telegram_notif.sh deployment to persistent volume on first run - Fix whitelist live-update: addignoreip/delignoreip called alongside jail.local write - Hardcode AUTOBAN_THR=75 and DEFAULT_DAYS=3 (remove env vars) - Include Nginx Proxy Manager in both compose files with shared log bind mount - Rewrite filters for actual NPM log format ([Client <HOST>] real IP extraction) - Add DATA_DIR, Telegram, CF API key fields to .env.example Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
67
.env.example
67
.env.example
@@ -1,47 +1,46 @@
|
||||
# ── F2B Control Center — environment configuration ───────────────────────────
|
||||
# Copy this file to .env and fill in your values.
|
||||
# Only NPM_LOG_DIR is strictly required to get started.
|
||||
# cp .env.example .env then fill in your values.
|
||||
# ─────────────────────────────────────────────────────────────────────────────
|
||||
|
||||
# ── Required ──────────────────────────────────────────────────────────────────
|
||||
|
||||
# Path to your Nginx Proxy Manager log directory on the host.
|
||||
# This directory will be mounted read-only inside the container.
|
||||
# Common paths:
|
||||
# /opt/npm/data/logs
|
||||
# /home/docker/NGINX/data/logs
|
||||
# /docker/nginx-proxy-manager/data/logs
|
||||
NPM_LOG_DIR=/opt/npm/data/logs
|
||||
# ── Data directory ────────────────────────────────────────────────────────────
|
||||
# Host path where NPM data, logs, and certs are stored.
|
||||
# NPM logs will be at: ${DATA_DIR}/npm/logs/proxy-host-*_access.log
|
||||
DATA_DIR=./data
|
||||
|
||||
# ── Dashboard ─────────────────────────────────────────────────────────────────
|
||||
|
||||
# Port the dashboard listens on (host port when using network_mode: host)
|
||||
# Port the dashboard listens on (direct host port — network_mode: host)
|
||||
DASHBOARD_PORT=4000
|
||||
|
||||
# ── AbuseIPDB integration (optional but recommended) ─────────────────────────
|
||||
# Enables IP reputation lookups and auto-ban by abuse score.
|
||||
# Free API keys available at https://www.abuseipdb.com/
|
||||
ABUSEIPDB_API_KEY=
|
||||
|
||||
# Minimum AbuseIPDB confidence score (0–100) to trigger auto-ban
|
||||
AUTOBAN_THRESHOLD=75
|
||||
|
||||
# ── Log scanning ──────────────────────────────────────────────────────────────
|
||||
|
||||
# Default lookback window when scanning nginx logs (days)
|
||||
DEFAULT_LOOKBACK_DAYS=3
|
||||
|
||||
# Comma-separated CIDR subnets to skip during log scanning and banning.
|
||||
# Include your LAN, Docker bridge, and any trusted networks.
|
||||
# ── Network ───────────────────────────────────────────────────────────────────
|
||||
# Comma-separated CIDRs to skip during log scanning and banning.
|
||||
# Include your LAN, Docker bridge, and any other trusted networks.
|
||||
SUBNETS_TO_IGNORE=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
|
||||
|
||||
# ── Optional integrations ─────────────────────────────────────────────────────
|
||||
# ── AbuseIPDB (optional but recommended) ─────────────────────────────────────
|
||||
# Enables IP reputation lookups and the AUTO-BAN feature.
|
||||
# Free API keys: https://www.abuseipdb.com/
|
||||
ABUSEIPDB_API_KEY=
|
||||
|
||||
# Webhook URL: receives a POST request on every manual ban action.
|
||||
# Payload: { "action": "ban", "ip": "1.2.3.4", "jail": "manual-bans", "ts": "..." }
|
||||
# Examples: Discord webhook, n8n, Slack, custom endpoint
|
||||
# ── Telegram notifications (optional) ────────────────────────────────────────
|
||||
# Sends a message on ban/unban/start/stop events.
|
||||
# 1. Create a bot via @BotFather → copy the token
|
||||
# 2. Get your chat ID (send a message to the bot, then:
|
||||
# curl https://api.telegram.org/bot<TOKEN>/getUpdates)
|
||||
TELEGRAM_BOT_TOKEN=
|
||||
TELEGRAM_CHAT_ID=
|
||||
|
||||
# ── Cloudflare (docker-compose.cloudflare.yml only) ───────────────────────────
|
||||
# Required when using docker-compose.cloudflare.yml.
|
||||
# Global API Key from: https://dash.cloudflare.com/profile/api-tokens
|
||||
CF_EMAIL=
|
||||
CF_APIKEY=
|
||||
|
||||
# ── Webhook (optional) ────────────────────────────────────────────────────────
|
||||
# POST to this URL on every manual ban from the dashboard.
|
||||
# Payload: { "action": "ban", "ip": "...", "jail": "manual-bans", "ts": "..." }
|
||||
WEBHOOK_URL=
|
||||
|
||||
# Path to a custom script to run after whitelist changes (e.g. Cloudflare sync).
|
||||
# The script is executed as a background fire-and-forget process.
|
||||
# ── Cloudflare whitelist sync (optional) ──────────────────────────────────────
|
||||
# Path (inside the container) to a script run after any whitelist change.
|
||||
# Mount your script into the container and set this path.
|
||||
# CF_SYNC=/usr/local/bin/cloudflare-whitelist-sync.sh
|
||||
|
||||
Reference in New Issue
Block a user