fix: full audit pass — placeholder logs, jq, allowipv6, stale refs

- entrypoint: create proxy-host-placeholder_access.log if no NPM logs exist so fail2ban can start before any proxy hosts are configured - docker-compose: remove :ro from nginx-logs mount (needed for placeholder) - Dockerfile: add jq (required by cloudflare.conf actionunban) - cloudflare.conf: replace python3 JSON parsing with jq; clean stale comments - jail.local + jail.cloudflare.local: add allowipv6 = auto to suppress warning - jail.cloudflare.local: remove stale .env and docker-compose.cloudflare.yml refs Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-20 16:07:56 +00:00
parent add01db5f6
commit ec97c06d07
6 changed files with 27 additions and 39 deletions
--- a/fail2ban/action.d/cloudflare.conf
+++ b/fail2ban/action.d/cloudflare.conf
@@ -1,22 +1,12 @@
 [Definition]

-# ── Cloudflare IP Access Rules action ────────────────────────────────────────
-#
 # Blocks/unblocks IPs at the Cloudflare account level via the Access Rules API.
-# When enabled, a ban will be enforced by Cloudflare before traffic even
-# reaches your server — the most effective layer for high-volume attackers.
+# Bans are enforced by Cloudflare before traffic reaches your server.
+# Enable by setting CF_EMAIL + CF_APIKEY in docker-compose.yml.
 #
-# SETUP:
-#   1. Get your Global API Key from:
-#      https://dash.cloudflare.com/profile/api-tokens
-#   2. Set CF_EMAIL and CF_APIKEY in your .env file
-#   3. Use docker-compose.cloudflare.yml instead of docker-compose.yml
-#
-# NOTE: This uses the user-level Access Rules API, which applies the block
-#       across all zones on your Cloudflare account. For zone-scoped rules,
-#       replace the URL with:
-#       https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/firewall/access_rules/rules
-# ─────────────────────────────────────────────────────────────────────────────
+# NOTE: Uses the user-level API — applies across all zones on your account.
+# For zone-scoped rules replace the URL with:
+#   https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/firewall/access_rules/rules

 actionban = curl -s -X POST \
              -H "X-Auth-Email: %(cf_email)s" \
@@ -30,7 +20,7 @@ actionunban = RULE_ID=$(curl -s \
                -H "X-Auth-Email: %(cf_email)s" \
                -H "X-Auth-Key: %(cf_apikey)s" \
                "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules?configuration_target=ip&configuration_value=<ip>&mode=block&page=1&per_page=1" | \
-                python3 -c "import sys,json; r=json.load(sys.stdin).get('result',[]); print(r[0]['id'] if r else '')" 2>/dev/null) ; \
+                jq -r '.result[0].id // empty' 2>/dev/null) ; \
              [ -n "$RULE_ID" ] && \
              curl -s -X DELETE \
                -H "X-Auth-Email: %(cf_email)s" \
@@ -39,6 +29,5 @@ actionunban = RULE_ID=$(curl -s \
                > /dev/null 2>&1 || true

 [Init]
-# Populated from environment via jail.local — do not set here
 cf_email  =
 cf_apikey =