feat: plug-and-play refactor — docker-npm action, CF support, whitelist live-update

- Replace iptables-allports with docker-npm action (DOCKER-USER + xt_string X-Forwarded-For matching + INPUT chain) matching user's working setup - Add telegram_notif.sh (deployed to /data/action.d/ at first run, user-editable) - Add cloudflare.conf action; jail.cloudflare.local enabled via CF compose file - Two compose files: docker-compose.yml (standard) and docker-compose.cloudflare.yml - entrypoint: modprobe xt_string, DOCKER-USER chain check, CF jail auto-selection, telegram_notif.sh deployment to persistent volume on first run - Fix whitelist live-update: addignoreip/delignoreip called alongside jail.local write - Hardcode AUTOBAN_THR=75 and DEFAULT_DAYS=3 (remove env vars) - Include Nginx Proxy Manager in both compose files with shared log bind mount - Rewrite filters for actual NPM log format ([Client <HOST>] real IP extraction) - Add DATA_DIR, Telegram, CF API key fields to .env.example Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-20 15:08:06 +00:00
parent dd7f8dd1a2
commit 920b69cfca
14 changed files with 446 additions and 224 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,92 +1,69 @@
-# ── F2B Control Center — docker-compose ──────────────────────────────────────
+# ── F2B Control Center — standard stack ──────────────────────────────────────
+#
+# Includes: Nginx Proxy Manager + Fail2Ban + dashboard
 #
 # QUICK START:
-#   1. cp .env.example .env
-#   2. Set NPM_LOG_DIR to your Nginx Proxy Manager log path
-#   3. docker-compose up -d
+#   cp .env.example .env
+#   # edit .env — at minimum review DATA_DIR and SUBNETS_TO_IGNORE
+#   docker-compose up -d
 #
-# NETWORK MODE:
-#   network_mode: host is the recommended default.
-#   This allows fail2ban's iptables rules to block traffic at the host level,
-#   which is required when Nginx Proxy Manager receives traffic from the host
-#   network stack (the typical Docker-based NPM setup).
-#
-#   If you only want the dashboard (no active iptables blocking), you can
-#   switch to bridge networking by commenting out network_mode and
-#   uncommenting the ports section instead.
+# CLOUDFLARE:
+#   To also ban at the CF WAF level, use docker-compose.cloudflare.yml instead.
 # ─────────────────────────────────────────────────────────────────────────────

 version: "3.9"

 services:
+
+  # ── Nginx Proxy Manager ─────────────────────────────────────────────────────
+  npm:
+    image: jc21/nginx-proxy-manager:latest
+    container_name: nginx-proxy-manager
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+      - "81:81"          # NPM admin UI (change or restrict in production)
+    volumes:
+      - ${DATA_DIR:-./data}/npm:/data
+      - ${DATA_DIR:-./data}/npm/logs:/data/logs   # shared with f2b (see below)
+      - ${DATA_DIR:-./data}/letsencrypt:/etc/letsencrypt
+
+  # ── F2B Control Center ──────────────────────────────────────────────────────
  f2b-control-center:
    build: .
    image: f2b-control-center:latest
    container_name: f2b-control-center
    restart: unless-stopped
+    depends_on:
+      - npm

-    # Required for iptables rules to manipulate the host network stack.
-    # network_mode: host makes the container share the host's network namespace,
-    # so fail2ban bans affect traffic arriving at the host.
+    # Host network mode is required so fail2ban's iptables rules affect the
+    # host network stack — blocking traffic before it reaches NPM containers.
    network_mode: host

-    # Alternative (bridge mode — dashboard only, no host-level blocking):
-    # Comment out network_mode above and uncomment these:
-    # ports:
-    #   - "${DASHBOARD_PORT:-4000}:4000"
-    # cap_add:
-    #   - NET_ADMIN
-    #   - NET_RAW
-
    environment:
-      # ── Dashboard ────────────────────────────────────────────────────────
-      PORT: "${DASHBOARD_PORT:-4000}"
-
-      # AbuseIPDB integration (optional but recommended)
-      # Get a free API key at https://www.abuseipdb.com/
-      ABUSEIPDB_API_KEY: "${ABUSEIPDB_API_KEY:-}"
-
-      # Auto-ban: AbuseIPDB confidence score threshold (0-100)
-      AUTOBAN_THRESHOLD: "${AUTOBAN_THRESHOLD:-75}"
-
-      # Default lookback window for nginx log scanning (days)
-      DEFAULT_LOOKBACK_DAYS: "${DEFAULT_LOOKBACK_DAYS:-3}"
-
-      # Comma-separated CIDR subnets to ignore in scans and bans
-      SUBNETS_TO_IGNORE: "${SUBNETS_TO_IGNORE:-10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}"
-
-      # Optional: POST ban events to this URL (e.g. Discord webhook, n8n, etc.)
-      WEBHOOK_URL: "${WEBHOOK_URL:-}"
-
-      # ── Internal paths — change only if you remap volumes ────────────────
-      LOG_DIR:        "/nginx-logs"
-      FAIL2BAN_LOG:   "/var/log/fail2ban.log"
-      JAIL_LOCAL:     "/etc/fail2ban/jail.local"
-      MANUAL_JAIL:    "manual-bans"
-      BAN_HIST_FILE:  "/data/ban-history.json"
+      PORT:               "${DASHBOARD_PORT:-4000}"
+      ABUSEIPDB_API_KEY:  "${ABUSEIPDB_API_KEY:-}"
+      SUBNETS_TO_IGNORE:  "${SUBNETS_TO_IGNORE:-10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}"
+      WEBHOOK_URL:        "${WEBHOOK_URL:-}"
+      TELEGRAM_BOT_TOKEN: "${TELEGRAM_BOT_TOKEN:-}"
+      TELEGRAM_CHAT_ID:   "${TELEGRAM_CHAT_ID:-}"
+      # Internal paths — only change if you remap volumes
+      LOG_DIR:       "/nginx-logs"
+      FAIL2BAN_LOG:  "/var/log/fail2ban.log"
+      JAIL_LOCAL:    "/etc/fail2ban/jail.local"
+      MANUAL_JAIL:   "manual-bans"
+      BAN_HIST_FILE: "/data/ban-history.json"

    volumes:
-      # ── REQUIRED: your Nginx Proxy Manager access log directory ──────────
-      # Change NPM_LOG_DIR in .env to match your setup.
-      # Default paths for common NPM Docker setups:
-      #   /opt/npm/data/logs        (appdata-style)
-      #   /home/docker/NGINX/data/logs
-      #   /docker/nginx-proxy-manager/data/logs
-      - "${NPM_LOG_DIR:-/opt/npm/data/logs}:/nginx-logs:ro"
-
-      # ── Persistent application data (ban history) ─────────────────────
+      # NPM logs — read-only. Shared with NPM via bind mount above.
+      - ${DATA_DIR:-./data}/npm/logs:/nginx-logs:ro
+      # Persistent app state (ban history)
      - f2b-data:/data
-
-      # ── Fail2ban configuration (survives container updates) ───────────
-      # Edit /etc/fail2ban/jail.local inside the container or mount a local
-      # directory here to manage config files outside the container.
+      # Fail2ban config — persists across image updates
      - f2b-config:/etc/fail2ban

-    labels:
-      com.f2b-control-center.description: "Fail2Ban Control Center for Nginx Proxy Manager"
-
 volumes:
  f2b-data:
-    driver: local
  f2b-config:
-    driver: local