fix: isolate dynamic config (blacklist) to separate volume and bake static configs to prevent mount errors

This commit is contained in:
João Pedro Toledo Goncalves 2026-02-06 14:45:03 -03:00
parent 21a9c393c5
commit 56a9c5e91a
5 changed files with 14 additions and 50 deletions


@ -10,26 +10,24 @@ services:
# - "122:122/tcp" # SSH
volumes:
# Volumes para Configurações (Persistência Interna)
# nginx.conf é copiado no Build para evitar erro de mount "not a directory"
# - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
# nginx.conf e snippets estáticos são "assados" na imagem (Dockerfile)
# Diretórios são montados para permitir hot-reload e Fail2Ban
- ./nginx/conf.d:/etc/nginx/conf.d
- ./nginx/snippets:/etc/nginx/snippets
- ./nginx/modsec:/etc/nginx/modsec
# Volume Compartilhado e Persistente (Blacklist Dinâmica)
- dynamic_conf:/etc/nginx/dynamic
# Persistência de Dados e Certificados
- ./ssl:/etc/nginx/ssl
- ./certbot:/etc/letsencrypt
- ./logs:/var/log/nginx
- ./logs:/var/log/nginx:rw
# Customização do Shell
- ./.bashrc:/root/.bashrc:ro
environment:
- TZ=America/Sao_Paulo
# Sidecar Fail2Ban - Proteção
fail2ban:
image: linuxserver/fail2ban:latest
image: lscr.io/linuxserver/fail2ban:latest
container_name: fail2ban-sidecar
network_mode: host
cap_add:
@ -39,19 +37,13 @@ services:
volumes:
- ./logs:/var/log/nginx:ro # Monitora os logs do Nginx
- ./fail2ban/data:/config # Configurações do F2B
# A blacklist precisa ser persistente e compartilhada, então mantemos o mount apenas dela ou do snippets se precisarmos escrever
- ./nginx/snippets:/etc/nginx/snippets # Fail2Ban escreve aqui (blacklist.conf)
- dynamic_conf:/etc/nginx/dynamic # Escreve na Blacklist Dinâmica do Nginx
- /var/run/docker.sock:/var/run/docker.sock # Para reload do Nginx
user: root # Necessário para interagir com o socket
environment:
- TZ=America/Sao_Paulo
- PUID=1000
- PGID=1000
- FAIL2BAN_LOGLEVEL=INFO
test-backend:
image: traefik/whoami
container_name: test-backend
restart: always
# Na network host, ele vai ouvir em uma porta alta para não conflitar
command: --port 8080
network_mode: host
volumes:
dynamic_conf:
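Review bot: The new `dynamic_conf` mount on nginx-proxy (`- dynamic_conf:/etc/nginx/dynamic`) is read-write, but nginx only reads the blacklist; the only writer is the fail2ban sidecar, so the proxy side can be `- dynamic_conf:/etc/nginx/dynamic:ro` to keep the write path confined to the sidecar that already runs as root with the Docker socket. If first start relies on nginx-proxy seeding the empty named volume from its image, confirm that still happens with a read-only mount before changing it. Separately, the sidecar now pulls `lscr.io/linuxserver/fail2ban:latest`; pinning a release tag or digest would make the image of this root-level container reproducible. The nginx-proxy service header and the sidecar's `cap_add` list sit outside the shown hunks.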


@ -2,5 +2,5 @@
actionstart = touch /etc/nginx/snippets/blacklist.conf
actionstop =
actioncheck =
actionban = echo "deny <ip>;" >> /etc/nginx/snippets/blacklist.conf && docker exec nginx-proxy nginx -s reload
actionunban = sed -i "/deny <ip>;/d" /etc/nginx/snippets/blacklist.conf && docker exec nginx-proxy nginx -s reload
actionban = echo "deny <ip>;" >> /etc/nginx/dynamic/blacklist.conf && docker exec nginx-proxy nginx -s reload
actionunban = sed -i "/deny <ip>;/d" /etc/nginx/dynamic/blacklist.conf && docker exec nginx-proxy nginx -s reload
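Review bot: `actionstart` still touches `/etc/nginx/snippets/blacklist.conf` while `actionban`/`actionunban` now write `/etc/nginx/dynamic/blacklist.conf`, and the sidecar no longer mounts the snippets directory, so the touch creates an orphan file inside the fail2ban container and no longer guarantees the file nginx includes. Change it to `actionstart = touch /etc/nginx/dynamic/blacklist.conf`. This matters because nginx.conf now carries a literal `include /etc/nginx/dynamic/blacklist.conf;` (last section of this commit), which fails config load when the file is absent, e.g. on a fresh, unpopulated `dynamic_conf` volume; the one-line blacklist.conf added here presumably seeds it through the image, but the action should not depend on that. The path of this action file is not shown on the page.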


@ -1,29 +0,0 @@
upstream test_backend {
server 127.0.0.1:8080;
keepalive 32;
}
server {
listen 80;
server_name test.local;
access_log /var/log/nginx/test.local.access.log detailed_proxy;
error_log /var/log/nginx/test.local.error.log warn;
include snippets/well_known.conf;
include snippets/security_actions.conf;
location / {
proxy_pass http://test_backend;
include snippets/proxy_params.conf;
limit_req zone=global_limit burst=20 nodelay;
limit_req zone=punishment_limit burst=5 nodelay;
}
location ~* \.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg|mjs|js|ts|wasm|json|woff2?|ttf|otf|eot|css|less|scss)$ {
include snippets/cache_optimizer.conf;
add_header Cache-Control $cache_control_header;
proxy_cache_valid 200 1d;
proxy_pass http://test_backend;
}
}


@ -0,0 +1 @@
# Blacklist dinâmica - Gerada pelo Fail2Ban


@ -58,7 +58,7 @@ http {
include /etc/nginx/snippets/rate_limit.conf;
# Ativação Global da Blacklist
include /etc/nginx/snippets/blacklist.conf;
include /etc/nginx/dynamic/blacklist.conf;
# Site Configurations
include /etc/nginx/conf.d/*.conf;