gitea
dd7f8dd1a2
Dockerized Fail2Ban + dashboard for Nginx Proxy Manager. - Single-container image (fail2ban + Node.js + supervisord) - Pre-built NPM filters: badbot, http-errors, npm-probe, manual-bans - Web dashboard with live ban feed, log scanner, AbuseIPDB integration - Configurable via environment variables and .env file - Persistent volumes for config and ban history - Webhook support for ban event notifications - README, .gitignore, MIT license Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
93 lines
3.8 KiB
YAML
93 lines
3.8 KiB
YAML
# ── F2B Control Center — docker-compose ──────────────────────────────────────
|
|
#
|
|
# QUICK START:
|
|
# 1. cp .env.example .env
|
|
# 2. Set NPM_LOG_DIR to your Nginx Proxy Manager log path
|
|
# 3. docker-compose up -d
|
|
#
|
|
# NETWORK MODE:
|
|
# network_mode: host is the recommended default.
|
|
# This allows fail2ban's iptables rules to block traffic at the host level,
|
|
# which is required when Nginx Proxy Manager receives traffic from the host
|
|
# network stack (the typical Docker-based NPM setup).
|
|
#
|
|
# If you only want the dashboard (no active iptables blocking), you can
|
|
# switch to bridge networking by commenting out network_mode and
|
|
# uncommenting the ports section instead.
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
version: "3.9"
|
|
|
|
services:
|
|
f2b-control-center:
|
|
build: .
|
|
image: f2b-control-center:latest
|
|
container_name: f2b-control-center
|
|
restart: unless-stopped
|
|
|
|
# Required for iptables rules to manipulate the host network stack.
|
|
# network_mode: host makes the container share the host's network namespace,
|
|
# so fail2ban bans affect traffic arriving at the host.
|
|
network_mode: host
|
|
|
|
# Alternative (bridge mode — dashboard only, no host-level blocking):
|
|
# Comment out network_mode above and uncomment these:
|
|
# ports:
|
|
# - "${DASHBOARD_PORT:-4000}:4000"
|
|
# cap_add:
|
|
# - NET_ADMIN
|
|
# - NET_RAW
|
|
|
|
environment:
|
|
# ── Dashboard ────────────────────────────────────────────────────────
|
|
PORT: "${DASHBOARD_PORT:-4000}"
|
|
|
|
# AbuseIPDB integration (optional but recommended)
|
|
# Get a free API key at https://www.abuseipdb.com/
|
|
ABUSEIPDB_API_KEY: "${ABUSEIPDB_API_KEY:-}"
|
|
|
|
# Auto-ban: AbuseIPDB confidence score threshold (0-100)
|
|
AUTOBAN_THRESHOLD: "${AUTOBAN_THRESHOLD:-75}"
|
|
|
|
# Default lookback window for nginx log scanning (days)
|
|
DEFAULT_LOOKBACK_DAYS: "${DEFAULT_LOOKBACK_DAYS:-3}"
|
|
|
|
# Comma-separated CIDR subnets to ignore in scans and bans
|
|
SUBNETS_TO_IGNORE: "${SUBNETS_TO_IGNORE:-10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}"
|
|
|
|
# Optional: POST ban events to this URL (e.g. Discord webhook, n8n, etc.)
|
|
WEBHOOK_URL: "${WEBHOOK_URL:-}"
|
|
|
|
# ── Internal paths — change only if you remap volumes ────────────────
|
|
LOG_DIR: "/nginx-logs"
|
|
FAIL2BAN_LOG: "/var/log/fail2ban.log"
|
|
JAIL_LOCAL: "/etc/fail2ban/jail.local"
|
|
MANUAL_JAIL: "manual-bans"
|
|
BAN_HIST_FILE: "/data/ban-history.json"
|
|
|
|
volumes:
|
|
# ── REQUIRED: your Nginx Proxy Manager access log directory ──────────
|
|
# Change NPM_LOG_DIR in .env to match your setup.
|
|
# Default paths for common NPM Docker setups:
|
|
# /opt/npm/data/logs (appdata-style)
|
|
# /home/docker/NGINX/data/logs
|
|
# /docker/nginx-proxy-manager/data/logs
|
|
- "${NPM_LOG_DIR:-/opt/npm/data/logs}:/nginx-logs:ro"
|
|
|
|
# ── Persistent application data (ban history) ─────────────────────
|
|
- f2b-data:/data
|
|
|
|
# ── Fail2ban configuration (survives container updates) ───────────
|
|
# Edit /etc/fail2ban/jail.local inside the container or mount a local
|
|
# directory here to manage config files outside the container.
|
|
- f2b-config:/etc/fail2ban
|
|
|
|
labels:
|
|
com.f2b-control-center.description: "Fail2Ban Control Center for Nginx Proxy Manager"
|
|
|
|
volumes:
|
|
f2b-data:
|
|
driver: local
|
|
f2b-config:
|
|
driver: local
|