feat: auto-reload fail2ban when new NPM proxy-host logs appear
fail2ban only expands glob logpath at startup, so proxy-host-2_access.log and later files are never monitored until a manual reload. Adds logwatch.sh (supervisord-managed) that polls /nginx-logs every 30s and runs fail2ban-client reload whenever a new proxy-host-*_access.log is detected. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -46,7 +46,8 @@ COPY supervisor.conf /etc/supervisor/conf.d/f2b-control-center.conf
|
|||||||
# ── Startup and health ────────────────────────────────────────────────────────
|
# ── Startup and health ────────────────────────────────────────────────────────
|
||||||
COPY entrypoint.sh /entrypoint.sh
|
COPY entrypoint.sh /entrypoint.sh
|
||||||
COPY healthcheck.sh /healthcheck.sh
|
COPY healthcheck.sh /healthcheck.sh
|
||||||
RUN chmod +x /entrypoint.sh /healthcheck.sh
|
COPY logwatch.sh /logwatch.sh
|
||||||
|
RUN chmod +x /entrypoint.sh /healthcheck.sh /logwatch.sh
|
||||||
|
|
||||||
# ── Runtime directories ───────────────────────────────────────────────────────
|
# ── Runtime directories ───────────────────────────────────────────────────────
|
||||||
RUN mkdir -p /data /nginx-logs /var/log /var/run/fail2ban
|
RUN mkdir -p /data /nginx-logs /var/log /var/run/fail2ban
|
||||||
|
|||||||
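--- a/logwatch.sh
+++ b/logwatch.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+# ── Log file watcher ──────────────────────────────────────────────────────────
+# Polls /nginx-logs every 30s. If a new proxy-host-*_access.log appears,
+# reloads fail2ban so it picks up the new file immediately.
+# ─────────────────────────────────────────────────────────────────────────────
+
+LOG_DIR="${LOG_DIR:-/nginx-logs}"
+INTERVAL=30
+
+known=$(ls "$LOG_DIR"/proxy-host-*_access.log 2>/dev/null | sort | tr '\n' ':')
+
+echo "[logwatch] Watching $LOG_DIR for new proxy-host log files..."
+
+while true; do
+sleep "$INTERVAL"
+current=$(ls "$LOG_DIR"/proxy-host-*_access.log 2>/dev/null | sort | tr '\n' ':')
+if [ "$current" != "$known" ]; then
+echo "[logwatch] New log file(s) detected — reloading fail2ban"
+fail2ban-client reload 2>&1 | sed 's/^/[logwatch] /'
+known="$current"
+fi
+done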
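Review bot: A failed reload is never retried, because `known="$current"` runs unconditionally after `fail2ban-client reload 2>&1 | sed …`, and that pipeline's exit status is sed's rather than the client's. If the client cannot reach the server at that moment, the new proxy-host log stays unmonitored with no further attempt, which is a silent gap in ban coverage for that host. The baseline should advance only when the reload succeeds, with the failure logged so the next poll tries again. The snapshot taken before the loop has a related gap: a file created after fail2ban expanded its glob but before this script started, or was restarted by supervisord, is already in `known` and never triggers a reload. The comparison also fires when a file disappears, so the "New log file(s)" message can be misleading.

```shell
# … unchanged: sleep, snapshot into current, comparison with known …
echo "[logwatch] New log file(s) detected — reloading fail2ban"
if out=$(fail2ban-client reload 2>&1); then
  known="$current"  # advance the baseline only once the reload has succeeded
else
  echo "[logwatch] reload failed, retrying on next poll" >&2
fi
printf '%s\n' "$out" | sed 's/^/[logwatch] /'
# … unchanged: fi / done …
```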
@@ -37,6 +37,19 @@ stderr_logfile=/dev/stderr
|
|||||||
stderr_logfile_maxbytes=0
|
stderr_logfile_maxbytes=0
|
||||||
priority=10
|
priority=10
|
||||||
|
|
||||||
|
# ── log watcher ───────────────────────────────────────────────────────────────
|
||||||
|
[program:logwatch]
|
||||||
|
command=/logwatch.sh
|
||||||
|
autostart=true
|
||||||
|
autorestart=true
|
||||||
|
startretries=3
|
||||||
|
startsecs=5
|
||||||
|
stdout_logfile=/dev/stdout
|
||||||
|
stdout_logfile_maxbytes=0
|
||||||
|
stderr_logfile=/dev/stderr
|
||||||
|
stderr_logfile_maxbytes=0
|
||||||
|
priority=15
|
||||||
|
|
||||||
# ── dashboard ─────────────────────────────────────────────────────────────────
|
# ── dashboard ─────────────────────────────────────────────────────────────────
|
||||||
[program:dashboard]
|
[program:dashboard]
|
||||||
command=/usr/local/bin/node /app/server.js
|
command=/usr/local/bin/node /app/server.js
|
||||||
|
|||||||