joao.goncalves
/
NgixProxy_Pathfinder
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: isolate dynamic config (blacklist) to separate volume and bake static configs to prevent mount errors

This commit is contained in:
João Pedro Toledo Goncalves 2026-02-06 14:45:03 -03:00
parent 21a9c393c5
commit 56a9c5e91a
5 changed files with 14 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
docker-compose.yml
View File

@ -10,26 +10,24 @@ services:
# - "122:122/tcp" # SSH # - "122:122/tcp" # SSH
volumes: volumes:
# Volumes para Configurações (Persistência Interna) # Volumes para Configurações (Persistência Interna)
# nginx.conf é copiado no Build para evitar erro de mount "not a directory" # nginx.conf e snippets estáticos são "assados" na imagem (Dockerfile)
# - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
# Diretórios são montados para permitir hot-reload e Fail2Ban # Volume Compartilhado e Persistente (Blacklist Dinâmica)
- ./nginx/conf.d:/etc/nginx/conf.d - dynamic_conf:/etc/nginx/dynamic
- ./nginx/snippets:/etc/nginx/snippets
- ./nginx/modsec:/etc/nginx/modsec
# Persistência de Dados e Certificados # Persistência de Dados e Certificados
- ./ssl:/etc/nginx/ssl - ./ssl:/etc/nginx/ssl
- ./certbot:/etc/letsencrypt - ./certbot:/etc/letsencrypt
- ./logs:/var/log/nginx - ./logs:/var/log/nginx:rw
# Customização do Shell # Customização do Shell
- ./.bashrc:/root/.bashrc:ro - ./.bashrc:/root/.bashrc:ro
environment: environment:
- TZ=America/Sao_Paulo - TZ=America/Sao_Paulo
# Sidecar Fail2Ban - Proteção
fail2ban: fail2ban:
image: linuxserver/fail2ban:latest image: lscr.io/linuxserver/fail2ban:latest
container_name: fail2ban-sidecar container_name: fail2ban-sidecar
network_mode: host network_mode: host
cap_add: cap_add:
@ -39,19 +37,13 @@ services:
volumes: volumes:
- ./logs:/var/log/nginx:ro # Monitora os logs do Nginx - ./logs:/var/log/nginx:ro # Monitora os logs do Nginx
- ./fail2ban/data:/config # Configurações do F2B - ./fail2ban/data:/config # Configurações do F2B
# A blacklist precisa ser persistente e compartilhada, então mantemos o mount apenas dela ou do snippets se precisarmos escrever - dynamic_conf:/etc/nginx/dynamic # Escreve na Blacklist Dinâmica do Nginx
- ./nginx/snippets:/etc/nginx/snippets # Fail2Ban escreve aqui (blacklist.conf)
- /var/run/docker.sock:/var/run/docker.sock # Para reload do Nginx - /var/run/docker.sock:/var/run/docker.sock # Para reload do Nginx
user: root # Necessário para interagir com o socket user: root # Necessário para interagir com o socket
environment: environment:
- TZ=America/Sao_Paulo
- PUID=1000 - PUID=1000
- PGID=1000 - PGID=1000
- FAIL2BAN_LOGLEVEL=INFO
test-backend: volumes:
image: traefik/whoami dynamic_conf:
container_name: test-backend
restart: always
# Na network host, ele vai ouvir em uma porta alta para não conflitar
command: --port 8080
network_mode: host

4
fail2ban/data/action.d/nginx-blacklist.conf
View File

@ -2,5 +2,5 @@
actionstart = touch /etc/nginx/snippets/blacklist.conf actionstart = touch /etc/nginx/snippets/blacklist.conf
actionstop = actionstop =
actioncheck = actioncheck =
actionban = echo "deny <ip>;" >> /etc/nginx/snippets/blacklist.conf && docker exec nginx-proxy nginx -s reload actionban = echo "deny <ip>;" >> /etc/nginx/dynamic/blacklist.conf && docker exec nginx-proxy nginx -s reload
actionunban = sed -i "/deny <ip>;/d" /etc/nginx/snippets/blacklist.conf && docker exec nginx-proxy nginx -s reload actionunban = sed -i "/deny <ip>;/d" /etc/nginx/dynamic/blacklist.conf && docker exec nginx-proxy nginx -s reload

29
nginx/conf.d/test.local.conf
View File

@ -1,29 +0,0 @@
upstream test_backend {
server 127.0.0.1:8080;
keepalive 32;
}
server {
listen 80;
server_name test.local;
access_log /var/log/nginx/test.local.access.log detailed_proxy;
error_log /var/log/nginx/test.local.error.log warn;
include snippets/well_known.conf;
include snippets/security_actions.conf;
location / {
proxy_pass http://test_backend;
include snippets/proxy_params.conf;
limit_req zone=global_limit burst=20 nodelay;
limit_req zone=punishment_limit burst=5 nodelay;
}
location ~* \.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg|mjs|js|ts|wasm|json|woff2?|ttf|otf|eot|css|less|scss)$ {
include snippets/cache_optimizer.conf;
add_header Cache-Control $cache_control_header;
proxy_cache_valid 200 1d;
proxy_pass http://test_backend;
}
}

1
nginx/dynamic/blacklist.conf Normal file
View File

@ -0,0 +1 @@
# Blacklist dinâmica - Gerada pelo Fail2Ban

2
nginx/nginx.conf
View File

@ -58,7 +58,7 @@ http {
include /etc/nginx/snippets/rate_limit.conf; include /etc/nginx/snippets/rate_limit.conf;
# Ativação Global da Blacklist # Ativação Global da Blacklist
include /etc/nginx/snippets/blacklist.conf; include /etc/nginx/dynamic/blacklist.conf;
# Site Configurations # Site Configurations
include /etc/nginx/conf.d/*.conf; include /etc/nginx/conf.d/*.conf;