How to implement fail2ban with Traefik
I was able to accomplish this starting with the gist you posted. This is under the assumption that you have Traefik already working, want to block IPs that have HTTP Basic Auth failures, and ban them with iptables. There are a couple of pieces, so let me start with the container configurations:
Traefik docker-compose.yaml
```yaml
version: '2'
services:
  traefik:
    image: traefik:alpine
    volumes:
      - /apps/docker/traefik/traefik.toml:/traefik.toml:ro
      - /apps/docker/traefik/acme:/etc/traefik/acme
      - /var/log/traefik:/var/log
    ports:
      - 8080:8080/tcp
      - 80:80/tcp
      - 443:443/tcp
    command:
      - --web
      - --accessLog.filePath=/var/log/access.log
      - --accessLog.filters.statusCodes=400-499
```
You can see here I am writing the log file to `/var/log/access.log` and only getting access codes 400-499. I am then mounting that file to my host: `/var/log/traefik:/var/log`.
Now for the fail2ban part, I am using a fail2ban docker container rather than installing on my host, but you could technically do it there too.
Fail2ban docker-compose.yaml
```yaml
version: '2'
services:
  fail2ban:
    image: crazymax/fail2ban:latest
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - /var/log:/var/log:ro
      - /apps/docker/fail2ban/data:/data
```
You can see I mount the `/var/log` directory into the fail2ban container as read only.
Fail2ban configuration
The `/apps/docker/fail2ban/data/jail.d/traefik.conf` file contains:

```ini
[traefik-auth]
enabled = true
logpath = /var/log/traefik/access.log
port = http,https
```
The `/apps/docker/fail2ban/data/filter.d/traefik-auth.conf` file contains:

```ini
[Definition]
failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\" 401 .+$
ignoreregex =
```
Extra
The default ban action is to ban via iptables. If you want to change that, you can change the default `banaction` in the `traefik.conf`, for example:

```ini
[DEFAULT]
banaction = cloudflare

[traefik-auth]
enabled = true
logpath = /var/log/traefik/access.log
port = http,https
```
Actions are here: https://github.com/fail2ban/fail2ban/tree/0.11/config/action.d
If you need to modify one, copy the file to the `/apps/docker/fail2ban/data/action.d` directory and restart the container.
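To check that the `traefik-auth` filter matches what you expect before pointing fail2ban at a live log, here is an added Python example (not from the original answer) that applies the same failregex to constructed Traefik access-log lines, emulating fail2ban's removal of the timestamp; the `<HOST>` expansion (IPv4 only) and the default `maxretry` of 5 are assumptions, and `findtime` is not modelled.

```python
import re
from collections import Counter

# failregex exactly as in filter.d/traefik-auth.conf above. fail2ban expands
# <HOST> to an address-matching group internally; this assumed expansion covers IPv4.
FAILREGEX = r'^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\" 401 .+$'
HOST_GROUP = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', HOST_GROUP))

# fail2ban cuts the detected timestamp out of the line before testing failregex,
# which is why the filter matches an empty "[]". Emulated here for CLF-style dates.
DATE_RE = re.compile(r'\[[^\]]*\]')

# Constructed sample lines in Traefik's Common Log Format (not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 401 17 "-" "curl/7.88" 1 "auth@docker" "http://10.0.0.5:80" 2ms
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 401 17 "-" "curl/7.88" 2 "auth@docker" "http://10.0.0.5:80" 1ms
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "POST /admin HTTP/1.1" 401 17 "-" "curl/7.88" 3 "auth@docker" "http://10.0.0.5:80" 1ms
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /admin HTTP/1.1" 401 17 "-" "curl/7.88" 4 "auth@docker" "http://10.0.0.5:80" 1ms
203.0.113.7 - alice [01/Jan/2024:10:00:05 +0000] "GET /admin HTTP/1.1" 200 512 "-" "curl/7.88" 5 "auth@docker" "http://10.0.0.5:80" 3ms
203.0.113.7 - - [01/Jan/2024:10:00:06 +0000] "HEAD /admin HTTP/1.1" 401 17 "-" "curl/7.88" 6 "auth@docker" "http://10.0.0.5:80" 1ms
198.51.100.9 - - [01/Jan/2024:10:00:07 +0000] "GET /admin HTTP/1.1" 401 17 "-" "Mozilla/5.0" 7 "auth@docker" "http://10.0.0.5:80" 2ms
198.51.100.9 - - [01/Jan/2024:10:00:08 +0000] "GET /missing HTTP/1.1" 404 19 "-" "Mozilla/5.0" 8 "web@docker" "http://10.0.0.6:80" 2ms
"""

def strip_date(line: str) -> str:
    """Remove the bracketed timestamp the way fail2ban does before matching."""
    return DATE_RE.sub('[]', line, count=1)

def failing_host(line: str):
    """Return the client IP if the line is a failed Basic Auth attempt, else None."""
    m = PATTERN.match(strip_date(line.rstrip('\n')))
    return m.group('host') if m else None

def count_failures(log_text: str) -> Counter:
    """Failed-auth count per client IP across the whole log."""
    return Counter(h for h in map(failing_host, log_text.splitlines()) if h)

def hosts_to_ban(log_text: str, maxretry: int = 5) -> set:
    """IPs that reached fail2ban's default maxretry (5) and would be banned."""
    return {h for h, n in count_failures(log_text).items() if n >= maxretry}

if __name__ == '__main__':
    print(count_failures(SAMPLE_LOG))   # Counter({'203.0.113.7': 5, '198.51.100.9': 1})
    print(hosts_to_ban(SAMPLE_LOG))     # {'203.0.113.7'}
```

The 200 response from the same IP and the 404 from the second IP are correctly ignored, so only the five 401s from 203.0.113.7 reach the ban threshold; fail2ban's own `fail2ban-regex` tool performs the same check against the real filter file and log.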