Menu
I'm interested in setting up fail2ban with my Traefik deployment. I found a gist that has some snippets in it, but I'm not clear on how to use them. Can anyone fill in the blanks please? Or, is there a better way to implement fail2ban style security with Traefik?
292
This container is designed to allow fail2ban to function at the host level, as well as at the docker container level. If you are running applications on the host, you will need to set the chain to INPUT in the jail for that application.
We're publishing the default HTTP ports 80 and 443 on the host, and making sure the container is placed within the web network we've created earlier on. Finally, we're giving this container a static name called traefik .
Go back to your browser ( http://localhost:8080/api/rawdata ) and see that Traefik has automatically detected the new instance of the container. The output will show alternatively one of the followings: Hostname: a656c8ddca6c IP: 172.27.
Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. Traefik integrates with your existing infrastructure components (Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS, ...) and configures itself automatically and dynamically.
I was able to accomplish this starting with the gist you posted. This is under the assumptions you have Traefik already working, want to block IPs that have HTTP Basic Auth failures, and ban them with iptables. There's a couple of pieces so let me start with the container configurations:
version: '2'
services:
traefik:
image: traefik:alpine
volumes:
- /apps/docker/traefik/traefik.toml:/traefik.toml:ro
- /apps/docker/traefik/acme:/etc/traefik/acme
- /var/log/traefik:/var/log
ports:
- 8080:8080/tcp
- 80:80/tcp
- 443:443/tcp
command:
- --web
- --accessLog.filePath=/var/log/access.log
- --accessLog.filters.statusCodes=400-499
You can see here I am writing the log file to /var/log/access.log and only getting access codes to 400-499. I am then mounting that file to my host /var/log/traefik:/var/log
Now for the fail2ban part, I am using a fail2ban docker container rather than installing on my host, but you could technically do it there too.
version: '2'
services:
fail2ban:
image: crazymax/fail2ban:latest
network_mode: "host"
cap_add:
- NET_ADMIN
- NET_RAW
volumes:
- /var/log:/var/log:ro
- /apps/docker/fail2ban/data:/data
You can see I mount the /var/log directory into the fail2ban container as read only.
The /apps/docker/fail2ban/data/jail.d/traefik.conf file contains:
[traefik-auth]
enabled = true
logpath = /var/log/traefik/access.log
port = http,https
The /apps/docker/fail2ban/data/filter.d/traefik-auth.conf file contains:
[Definition]
failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\" 401 .+$
ignoreregex =
The default ban action is to ban via iptables. If you want to change that you can change the default banaction in the traefik.conf, for example:
[DEFAULT]
banaction = cloudflare
[traefik-auth]
enabled = true
logpath = /var/log/traefik/access.log
port = http,https
Actions are here: https://github.com/fail2ban/fail2ban/tree/0.11/config/action.d
If you need to modify one, copy the file to the /apps/docker/fail2ban/data/action.d directory and restart the container.
63
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
