joao.goncalves
/
NgixProxy_Pathfinder
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chore: pivot repository to configuration-only (removed docker artifacts and sensitive data)

This commit is contained in:
João Pedro Toledo Goncalves 2026-02-06 16:41:59 -03:00
parent 454cd564a1
commit af977eb2cb
65 changed files with 8 additions and 928 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
.gitignore vendored
View File

@ -1,38 +1,10 @@
# Logs and debug files # Runtime Data
*.log logs/
debug_logs*.txt ssl/
nginx_test*.log certbot/
# Environment files
.env
.env.local
# Docker # Docker
docker-compose.override.yml docker-compose.yml
Dockerfile
# SSL certificates (sensitive - should be managed separately) *.sh
ssl/*.key .env
ssl/*.crt
ssl/*.pem
# Editor files
.vscode/
.idea/
*.swp
*.swo
*~
# OS files
.DS_Store
Thumbs.db
# Temporary files
*.tmp
*.bak
# Disabled configs
*.disabled
.gemini/
# Fail2Ban generated jails (prevents clutter)
fail2ban/data/fail2ban/jail.d/*.conf
!fail2ban/data/fail2ban/jail.d/nginx-unified.conf

153
Dockerfile
View File

@ -1,153 +0,0 @@
# Build Stage
FROM alpine:3.18 AS builder
# Versions
ENV NGINX_VERSION=1.25.3
ENV MODSEC_VERSION=v3.0.13
ENV MODSEC_NGINX_VERSION=v1.0.3
ENV BROTLI_VERSION=v1.0.9
# Build Dependencies
RUN apk add --no-cache \
gcc \
libc-dev \
make \
openssl-dev \
pcre-dev \
pcre2-dev \
zlib-dev \
linux-headers \
libtool \
automake \
autoconf \
git \
g++ \
curl \
libxml2-dev \
yajl-dev \
geoip-dev \
lmdb-dev \
cmake \
brotli-dev
# 1. Compile libmodsecurity
WORKDIR /usr/src
RUN git clone --depth 1 -b ${MODSEC_VERSION} --recursive https://github.com/owasp-modsecurity/ModSecurity \
&& cd ModSecurity \
&& ./build.sh \
&& ./configure \
&& make -j$(nproc) \
&& make install
# 2. Download Nginx and Modules
RUN git clone --depth 1 -b ${MODSEC_NGINX_VERSION} https://github.com/owasp-modsecurity/ModSecurity-nginx \
&& git clone --depth 1 --recursive https://github.com/google/ngx_brotli \
&& git clone --depth 1 https://github.com/openresty/headers-more-nginx-module \
&& curl -fSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx.tar.gz \
&& tar zxf nginx.tar.gz
# 3. Compile Nginx with HTTP/3, ModSec and Brotli
WORKDIR /usr/src/nginx-${NGINX_VERSION}
RUN export PKG_CONFIG_PATH="/usr/local/modsecurity/lib/pkgconfig:$PKG_CONFIG_PATH" \
&& ./configure \
--prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--modules-path=/usr/lib/nginx/modules \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--user=nginx \
--group=nginx \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_v3_module \
--with-http_realip_module \
--with-http_auth_request_module \
--with-http_sub_module \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-threads \
--with-pcre-jit \
--add-module=/usr/src/ModSecurity-nginx \
--add-module=/usr/src/ngx_brotli \
--add-module=/usr/src/headers-more-nginx-module \
--with-cc-opt='-O3' \
&& make -j$(nproc) \
&& make install
# Runtime Stage
FROM alpine:3.18
# Install runtime dependencies and tools
RUN apk add --no-cache \
pcre \
pcre2 \
yajl \
libxml2 \
libstdc++ \
geoip \
lmdb \
brotli \
bind-tools \
openssl \
curl \
bash \
certbot \
git \
nano \
openssh-server \
sudo \
tzdata \
dos2unix
# Create nginx user
RUN addgroup -S nginx && adduser -S nginx -G nginx
# Copy Binaries and Libs from builder stage
COPY --from=builder /usr/sbin/nginx /usr/sbin/nginx
COPY --from=builder /usr/local/modsecurity /usr/local/modsecurity
COPY --from=builder /etc/nginx /etc/nginx
COPY --from=builder /usr/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf-recommended
COPY --from=builder /usr/src/ModSecurity/unicode.mapping /etc/nginx/modsec/unicode.mapping
# Copy Custom Configuration (Baking configs into image)
COPY nginx/ /etc/nginx/
# SSH and itguys user setup
RUN mkdir -p /var/run/sshd && \
echo 'root:vR7Ag$Pk' | chpasswd && \
adduser -D -s /bin/bash itguys && \
echo 'itguys:vR7Ag$Pk' | chpasswd && \
echo "itguys ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \
sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config && \
sed -i 's/#Port 22/Port 122/' /etc/ssh/sshd_config
# Configure logs and dirs
RUN mkdir -p /var/log/nginx /var/cache/nginx /run/nginx \
&& ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log
# Download OWASP CRS (Core Rule Set)
WORKDIR /etc/nginx/modsec
RUN git clone -b v3.3.5 https://github.com/coreruleset/coreruleset.git owasp-crs \
&& mkdir -p rules \
&& cp owasp-crs/crs-setup.conf.example crs-setup.conf \
&& cp owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf \
&& cp owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
# Entrypoint setup
COPY entrypoint.sh /entrypoint.sh
RUN dos2unix /entrypoint.sh && chmod +x /entrypoint.sh
# Prepare Recommended ModSecurity Configs
# Prepare Recommended ModSecurity Configs
RUN mkdir -p /etc/nginx/modsec \
&& sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf-recommended
WORKDIR /etc/nginx/conf.d
EXPOSE 80 443 443/udp 122
ENTRYPOINT ["/entrypoint.sh"]

19
certbot/live/ferreirareal.com.br/fullchain.pem
View File

@ -1,19 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDHTCCAgWgAwIBAgIUT9dLMM+jtvWjocXenztqgBoqiE8wDQYJKoZIhvcNAQEL
BQAwHjEcMBoGA1UEAwwTZmVycmVpcmFyZWFsLmNvbS5icjAeFw0yNjAyMDUxODQ1
MDFaFw0yNzAyMDUxODQ1MDFaMB4xHDAaBgNVBAMME2ZlcnJlaXJhcmVhbC5jb20u
YnIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOX9yyzlKdxQ98P+6L
jhX4gj6j9qtlC+YAgNNTVie4v3I79llGwdrZCFVDNTQtBrZKoNJWA4DIjoVe1nxQ
74tZUTo6Uoq85JLXYNFzGbm+hT4Od5m/LgEDyy4E6aBhVgYoslvria9mB7G623in
jxe0cPYWWL+Q2c0raEa1yXuJsZcMXPapnUc16qvX7k1ag18sE0/QpI14bwzeirNE
0cRVUV03fbftcZK6u8edYXUq9dY7buOxjsc/F009iADODAM6xo6e4/9vfyEp2XjL
gv7R7OGYykcqBWvo7/gGKMupgJpWNP889oQ1U5i1ZMcKro08vfSw5Z0goWdOFf3p
l4DbAgMBAAGjUzBRMB0GA1UdDgQWBBS3Ud8/4lLU+Dx5/56eN9zINW6NiTAfBgNV
HSMEGDAWgBS3Ud8/4lLU+Dx5/56eN9zINW6NiTAPBgNVHRMBAf8EBTADAQH/MA0G
CSqGSIb3DQEBCwUAA4IBAQB93EGH3B8kY1tQYEqh8H1S4tyZ5PCPf2dba7VnFWBc
C+afK3VBpT1pDbaTESPsKumAjqUefEnYOpFGt8QZjtiLxlPA6coFJxbo5LLirPha
28d8Qmc4oLaHfeIXKK7KOpURVJ21W36G0T6KtJFmJi1Rox5CVwSEx/SI6PTgWfiw
1PtzyIn3ttndJi+BfJF+0k/D8FoZrV6wRQiB+69vAwUuppa9MYvMBgnh614ec5ZK
COtkN8skNSMvuarLdH15ozy5SlDpvKjQ0k/13Uvw6vAPI/q0EEoI4kec46nQ0uV0
JB2BTQg6s38y9J8wZdhvJaD+q2lxe8WaPQ9q2s/7QJds
-----END CERTIFICATE-----

28
certbot/live/ferreirareal.com.br/privkey.pem
View File

@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDOX9yyzlKdxQ98
P+6LjhX4gj6j9qtlC+YAgNNTVie4v3I79llGwdrZCFVDNTQtBrZKoNJWA4DIjoVe
1nxQ74tZUTo6Uoq85JLXYNFzGbm+hT4Od5m/LgEDyy4E6aBhVgYoslvria9mB7G6
23injxe0cPYWWL+Q2c0raEa1yXuJsZcMXPapnUc16qvX7k1ag18sE0/QpI14bwze
irNE0cRVUV03fbftcZK6u8edYXUq9dY7buOxjsc/F009iADODAM6xo6e4/9vfyEp
2XjLgv7R7OGYykcqBWvo7/gGKMupgJpWNP889oQ1U5i1ZMcKro08vfSw5Z0goWdO
Ff3pl4DbAgMBAAECggEAJ18khLxWCKFqxeKQiPFPgbyfZLqPklSFybzKFFEQfO+R
RJ1IBPbA4Lz1P0AsNxbbujsaRayfaiO+kAxNZUd+B0k22Z+btlPJK+vdqZ7Tz+Qt
pabtnwqQyP9/RRKpNUirHiKA5Nu8qbN4FdT/HMBw3kzatgKycVkMCmb3boEE34y5
LSs49mW+3+5OdE8s7RtNrnZz3v3S/dL7VJBqmz9jdSf9g/gEqFy0Vh5JLKDhXxXz
yfqSviTSeuEDu+2Jcvsnro/A3X804uT7wXWTunP054H8kI1r7DL5ISiIvgn/SzGd
ZxLhAH2p3LPOSiPv8L0UrxSdFozXCrQaBcYgyuA54QKBgQDs9whOk5efCec9ufhs
hCbK8MkTuxwzeOGnobnZDfPs88hkm4VtFXHec0lLEYW2NrerZPSrONSvgjI7vr4f
ObFhiwvDKHc3w3kZACTQXgAicdZzL0K3lffFYcRW4s01z+tj9gW39efZSxr/Rqo3
pVPlBeNAEbnAMMywbwaWbjikUQKBgQDe88OMBcAY9JArAfAJvaS80Wkas1xfFVFh
O9aU+XY+UY4oddrWG4Ss8+AqYa23ydpQGpcy04W5o/dsBE0T6smXzYMSxa647Yap
3bdBIV7rdLqO3+qxBZw7dgonm1OdHVt14BY3IriKzXCejWqP9JOxKJj6IZ6dIBZ3
J8jbIAfjawKBgFO55SF+XLBA24ef0frlpp9F/IYQMqKtL23/Yp8iovEyIbgKi1ZD
oXwr19XCVzBOnQ7eGOT2q49nvUAG4T4/MEF606kc/yKg2oTO3DMTQ5DoEBGavUQI
pQcEyE66zC8bS9yB7PtW05ifROa1nScUL1RYhDb7DFqv42Ljl7xHLZRBAoGBALVY
u7caOk1SKC4DTnbt3aCECSThvYHNujsHzBuy6d34wlPgwRaknX98gtqWRxIWStAb
QN7jtILyft9KhFNuB3nFfRb42oyrD3z9zgBZH3cPpGtwcNp6gMDQ26OpsRI7/dfc
ZNWGFWs5faBJ0OK1Aqj4J65VSEnv/rX/E15BKIlvAoGBAN8NLO827dLsKIYiN5Th
hStq+K+krm6iXlpDWtIDxUhXdq5nYWe62S44ZDTWTp9R3J1EXqYOE/hhc5m7fl5I
XOiV0A+UTJTB5YodVLWcawwwMCXaUiNH5P5p8UtCT65EGqxBBr6coUGIkvdfuCjP
nSB9OFt2ZkjSVy/5X3s3Udmy
-----END PRIVATE KEY-----

49
docker-compose.yml
View File

@ -1,49 +0,0 @@
services:
nginx:
build: .
container_name: nginx-proxy
restart: always
network_mode: host # Recomendado para performance e Fail2Ban
# Se mudar para bridge futuramente, não esquecer:
# ports:
# - "80:80/tcp"
# - "122:122/tcp" # SSH
volumes:
# Volumes para Configurações (Persistência Interna)
# nginx.conf e snippets estáticos são "assados" na imagem (Dockerfile)
# Volume Compartilhado e Persistente (Blacklist Dinâmica)
- dynamic_conf:/etc/nginx/dynamic
# Persistência de Dados e Certificados
- ./ssl:/etc/nginx/ssl
- ./certbot:/etc/letsencrypt
- ./logs:/var/log/nginx:rw
# Customização do Shell
- ./.bashrc:/root/.bashrc:ro
environment:
- TZ=America/Sao_Paulo
# Sidecar Fail2Ban - Proteção
fail2ban:
image: lscr.io/linuxserver/fail2ban:latest
container_name: fail2ban-sidecar
network_mode: host
cap_add:
- NET_ADMIN
- NET_RAW
restart: always
volumes:
- ./logs:/var/log/nginx:ro # Monitora os logs do Nginx
- ./fail2ban/data:/config # Configurações do F2B
- dynamic_conf:/etc/nginx/dynamic # Escreve na Blacklist Dinâmica do Nginx
- /var/run/docker.sock:/var/run/docker.sock # Para reload do Nginx
user: root # Necessário para interagir com o socket
environment:
- PUID=1000
- PGID=1000
- FAIL2BAN_LOGLEVEL=INFO
volumes:
dynamic_conf:

14
entrypoint.sh
View File

@ -1,14 +0,0 @@
#!/bin/bash
# Carrega o .bashrc se existir
[ -f ~/.bashrc ] && . ~/.bashrc
# Gera chaves de host SSH se não existirem
ssh-keygen -A
# Inicia o SSH em background
/usr/sbin/sshd
# Inicia o Nginx em foreground
echo "🚀 Iniciando Nginx..."
exec nginx -g "daemon off;"

9
fail2ban/data/fail2ban/jail.d/airsonic-auth.conf
View File

@ -1,9 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for airsonic
# Works OOTB with defaults
[airsonic-auth]
enabled = false
port = 4040
logpath = %(remote_logs_path)s/airsonic/airsonic.log

8
fail2ban/data/fail2ban/jail.d/apache-auth.conf
View File

@ -1,8 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for apache-auth
[apache-auth]
enabled = false
port = http,https
logpath = %(apache_error_log)s

13
fail2ban/data/fail2ban/jail.d/apache-badbots.conf
View File

@ -1,13 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for apache-badbots
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
[apache-badbots]
enabled = false
port = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1

9
fail2ban/data/fail2ban/jail.d/apache-botsearch.conf
View File

@ -1,9 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for apache-botsearch
[apache-botsearch]
enabled = false
port = http,https
logpath = %(apache_error_log)s
maxretry = 2

9
fail2ban/data/fail2ban/jail.d/apache-fakegooglebot.conf
View File

@ -1,9 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for apache-fakegooglebot
[apache-fakegooglebot]
enabled = false
port = http,https
logpath = %(apache_access_log)s
maxretry = 1

9
fail2ban/data/fail2ban/jail.d/apache-modsecurity.conf
View File

@ -1,9 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for apache-modsecurity
[apache-modsecurity]
enabled = false
port = http,https
logpath = %(apache_error_log)s
maxretry = 2

9
fail2ban/data/fail2ban/jail.d/apache-nohome.conf
View File

@ -1,9 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for apache-nohome
[apache-nohome]
enabled = false
port = http,https
logpath = %(apache_error_log)s
maxretry = 2

8
fail2ban/data/fail2ban/jail.d/apache-noscript.conf
View File

@ -1,8 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for apache-noscript
[apache-noscript]
enabled = false
port = http,https
logpath = %(apache_error_log)s

9
fail2ban/data/fail2ban/jail.d/apache-overflows.conf
View File

@ -1,9 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for apache-overflows
[apache-overflows]
enabled = false
port = http,https
logpath = %(apache_error_log)s
maxretry = 2

9
fail2ban/data/fail2ban/jail.d/apache-shellshock.conf
View File

@ -1,9 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for apache-shellshock
[apache-shellshock]
enabled = false
port = http,https
logpath = %(apache_error_log)s
maxretry = 1

9
fail2ban/data/fail2ban/jail.d/authelia-auth.conf
View File

@ -1,9 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for authelia
# Works OOTB with defaults
[authelia-auth]
enabled = false
port = http,https,9091
logpath = %(remote_logs_path)s/authelia/authelia.log

8
fail2ban/data/fail2ban/jail.d/bitwarden.conf
View File

@ -1,8 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for bitwarden
[bitwarden]
enabled = false
port = http,https
logpath = %(bitwarden_log)s

9
fail2ban/data/fail2ban/jail.d/dropbear.conf
View File

@ -1,9 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for dropbear
[dropbear]
enable = false
port = ssh
logpath = %(dropbear_log)s
backend = %(dropbear_backend)s

9
fail2ban/data/fail2ban/jail.d/emby-auth.conf
View File

@ -1,9 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for emby
# Works OOTB with defaults
[emby-auth]
enabled = false
port = 8096,8920
logpath = %(remote_logs_path)s/emby/embyserver.txt

14
fail2ban/data/fail2ban/jail.d/filebrowser-auth.conf
View File

@ -1,14 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for filebrowser
# Requires modification to Filebrowsers settings
# https://filebrowser.org/cli/filebrowser#options
# Enabling logs
# -e 'FB_LOG'='/log/filebrowser.log'
[filebrowser-auth]
enabled = false
port = http,https
logpath = %(remote_logs_path)s/filebrowser/filebrowser.log

27
fail2ban/data/fail2ban/jail.d/gitea-auth.conf
View File

@ -1,27 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for emby
# Requires modification to Giteas settings
# https://docs.gitea.io/en-us/fail2ban-setup/
# Enabling, and depending on Giteas built in SSH server
# [server]
# [DISABLE_SSH = false
# [SSH_PORT = 22
# [SSH_LISTEN_PORT = 822
# [START_SSH_SERVER = true
# Enabling logs
# [log]
# ROOT_PATH = /data/gitea/log
# ENABLE_SSH_LOG = true
# LEVEL = Info
# MODE = file
[gitea-auth]
enabled = false
port = http,https,822
logpath = %(remote_logs_path)s/gitea/gitea.log
maxretry = 3

8
fail2ban/data/fail2ban/jail.d/gitlab.conf
View File

@ -1,8 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for gitlab
[gitlab]
enabled = false
port = http,https
logpath = %(logs_path)s/gitlab/gitlab-rails/application.log

8
fail2ban/data/fail2ban/jail.d/grafana.conf
View File

@ -1,8 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for grafana
[grafana]
enabled = false
port = http,https
logpath = %(logs_path)s/grafana/grafana.log

9
fail2ban/data/fail2ban/jail.d/guacamole.conf
View File

@ -1,9 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for guacamole
[guacamole]
enabled = false
port = http,https
logpath = %(logs_path)s/tomcat*/catalina.out
# logpath = %(logs_path)s/guacamole.log

12
fail2ban/data/fail2ban/jail.d/haproxy-http-auth.conf
View File

@ -1,12 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for haproxy-http-auth
# HAProxy by default doesn't log to file you'll need to set it up to forward
# logs to a syslog server which would then write them to disk.
# See "haproxy-http-auth" filter for a brief cautionary note when setting
[haproxy-http-auth]
enabled = false
port = http,https
logpath = %(logs_path)s/haproxy.log

17
fail2ban/data/fail2ban/jail.d/homeassistant-auth.conf
View File

@ -1,17 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for homeassistant
# Requires modification to Homeassitants settings
# https://www.home-assistant.io/integrations/fail2ban/
# Enabling logging
# logger:
# logs:
# homeassistant.components.http.ban: warning
[homeassistant-auth]
enabled = false
port = 8123
logpath = %(remote_logs_path)s/homeassistant/home-assistant.log
maxretry = 2

11
fail2ban/data/fail2ban/jail.d/lighttpd-auth.conf
View File

@ -1,11 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for lighttpd-auth
# Same as Apache's mod_auth
# It catches wrong authentifications
[lighttpd-auth]
enabled = false
port = http,https
logpath = %(lighttpd_error_log)s

9
fail2ban/data/fail2ban/jail.d/mongodb-auth.conf
View File

@ -1,9 +0,0 @@
## Version 2016/11/10
# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
# change port when running with "--shardsvr" or "--configsvr" runtime operation
[mongodb-auth]
enabled = false
port = 27017
logpath = %(remote_logs_path)s/mongodb/mongodb.log

10
fail2ban/data/fail2ban/jail.d/mssql-auth.conf
View File

@ -1,10 +0,0 @@
## Version 2020/02/24
# Default configuration for Microsoft SQL Server for Linux
# See the 'mssql-conf' manpage how to change logpath or port
[mssql-auth]
enabled = false
logpath = %(remote_logs_path)s/mssql/log/errorlog
port = 1433
filter = mssql-auth

14
fail2ban/data/fail2ban/jail.d/mysqld-auth.conf
View File

@ -1,14 +0,0 @@
## Version 2025/01/30
# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
# equivalent section:
# log_error_verbosity = 3
# for older versions:
# log-warnings = 2
# Also check whether `log_error` (or `log-error`) system variable match the `logpath`.
[mysqld-auth]
enabled = false
port = 3306
logpath = %(mysql_log)s
backend = %(mysql_backend)s

15
fail2ban/data/fail2ban/jail.d/nextcloud-auth.conf
View File

@ -1,15 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for nextcloud
# Recommended modification to Nextcloud settings
# https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/logging_configuration.html#file
# Set the following in config.php
# "log_type" => "file",
# "logfile" => "/config/log/nextcloud/nextcloud.log",
[nextcloud-auth]
enabled = false
port = http,https
logpath = %(remote_logs_path)s/nextcloud/nextcloud.log

10
fail2ban/data/fail2ban/jail.d/nginx-418.conf
View File

@ -1,10 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for nginx 418
# Works OOTB with defaults
[nginx-418]
enabled = false
port = http,https
logpath = %(nginx_access_log)s
maxretry = 10

8
fail2ban/data/fail2ban/jail.d/nginx-bad-request.conf
View File

@ -1,8 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for nginx-bad-request
[nginx-bad-request]
enabled = false
port = http,https
logpath = %(nginx_access_log)s

11
fail2ban/data/fail2ban/jail.d/nginx-badbots.conf
View File

@ -1,11 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for nginx badbots
# Works OOTB with defaults
[nginx-badbots]
enabled = false
port = http,https
logpath = %(nginx_access_log)s
filter = apache-badbots
maxretry = 2

8
fail2ban/data/fail2ban/jail.d/nginx-botsearch.conf
View File

@ -1,8 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for nginx-botsearch
[nginx-botsearch]
enabled = false
port = http,https
logpath = %(nginx_error_log)s

9
fail2ban/data/fail2ban/jail.d/nginx-deny.conf
View File

@ -1,9 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for nginx deny
# Works OOTB with defaults
[nginx-deny]
enabled = false
port = http,https
logpath = %(nginx_error_log)s

9
fail2ban/data/fail2ban/jail.d/nginx-forbidden.conf
View File

@ -1,9 +0,0 @@
## Version 2023/03/23
# Fail2Ban jail configuration for nginx forbidden
# Works OOTB with defaults
[nginx-forbidden]
enabled = false
port = http,https
logpath = %(nginx_error_log)s

13
fail2ban/data/fail2ban/jail.d/nginx-http-auth.conf
View File

@ -1,13 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for nginx-http-auth
# To use more aggressive http-auth modes set filter parameter "mode" in jail.local:
# normal (default), aggressive (combines all), auth or fallback
# See "tests/files/logs/nginx-http-auth" or "filter.d/nginx-http-auth.conf" for usage example and details.
[nginx-http-auth]
enabled = false
port = http,https
logpath = %(nginx_error_log)s
# mode = normal

13
fail2ban/data/fail2ban/jail.d/nginx-limit-req.conf
View File

@ -1,13 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for nginx-limit-req
# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
# and define `limit_req` and `limit_req_zone` as described in nginx documentation
# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
# or for example see in 'config/filter.d/nginx-limit-req.conf'
[nginx-limit-req]
enabled = false
port = http,https
logpath = %(nginx_error_log)s

9
fail2ban/data/fail2ban/jail.d/nginx-unauthorized.conf
View File

@ -1,9 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for nginx unauthorized
# Works OOTB with defaults
[nginx-unauthorized]
enabled = false
port = http,https
logpath = %(nginx_access_log)s

9
fail2ban/data/fail2ban/jail.d/nzbget-auth.conf
View File

@ -1,9 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for nzbget
# Works OOTB with defaults
[nzbget-auth]
enabled = false
port = 6789
logpath = %(remote_logs_path)s/nzbget/nzbget.log

9
fail2ban/data/fail2ban/jail.d/openhab-auth.conf
View File

@ -1,9 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for openhab-auth
[openhab-auth]
enabled = false
logpath = %(openhab_request_log)s
filter = openhab
banaction = %(banaction_allports)s

8
fail2ban/data/fail2ban/jail.d/openvpn.conf
View File

@ -1,8 +0,0 @@
## Version 2025/01/29
# Fail2Ban jail configuration for openvpn
[openvpn]
enabled = false
port = 443
logpath = %(logs_path)s/syslog

12
fail2ban/data/fail2ban/jail.d/overseerr-auth.conf
View File

@ -1,12 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for overseerr
# Requires modification to Overseerrs settings
# https://docs.overseerr.dev/extending-overseerr/fail2ban
# If you are running Overseerr behind a reverse proxy, make sure that the Enable Proxy Support setting is enabled.
[overseerr-auth]
enabled = false
port = 5055
logpath = %(remote_logs_path)s/overseerr/overseerr.log

13
fail2ban/data/fail2ban/jail.d/php-url-fopen.conf
View File

@ -1,13 +0,0 @@
## Version 2022/12/15
# Fail2Ban jail configuration for php-url-fopen
# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]
enabled = false
port = http,https
logpath = %(nginx_access_log)s
%(apache_access_log)s

9
fail2ban/data/fail2ban/jail.d/phpmyadmin-syslog.conf
View File

@ -1,9 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for phpmyadmin-syslog
[phpmyadmin-syslog]
enabled = false
port = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s

10
fail2ban/data/fail2ban/jail.d/prowlarr-auth.conf
View File

@ -1,10 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for prowlarr
# Works OOTB with defaults
[prowlarr-auth]
enabled = false
port = 9696
logpath = %(remote_logs_path)s/prowlarr/prowlarr.txt
filter = servarr-auth

10
fail2ban/data/fail2ban/jail.d/radarr-auth.conf
View File

@ -1,10 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for radarr
# Works OOTB with defaults
[radarr-auth]
enabled = false
port = 7878
logpath = %(remote_logs_path)s/radarr/radarr.txt
filter = servarr-auth

17
fail2ban/data/fail2ban/jail.d/recidive.conf
View File

@ -1,17 +0,0 @@
## Version 2025/01/30
# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
# to maintain entries for failed logins for sufficient amount of time
[recidive]
enabled = false
# lsio value
logpath = /config/log/fail2ban/fail2ban.log
banaction = %(banaction_allports)s
bantime = 1w
findtime = 1d

7
fail2ban/data/fail2ban/jail.d/routeros-auth.conf
View File

@ -1,7 +0,0 @@
## Version 2023/02/28
[routeros-auth]
enabled = false
port = ssh,http,https
logpath = %(remote_logs_path)s/MikroTik/router.log

9
fail2ban/data/fail2ban/jail.d/sabnzbd-auth.conf
View File

@ -1,9 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for sabnzbd
# Works OOTB with defaults
[sabnzbd-auth]
enabled = false
port = 8080
logpath = %(remote_logs_path)s/sabnzbd/sabnzbd.log

8
fail2ban/data/fail2ban/jail.d/selinux-ssh.conf
View File

@ -1,8 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for selinux-ssh
[selinux-ssh]
enable = false
port = ssh
logpath = %(auditd_log)s

10
fail2ban/data/fail2ban/jail.d/sonarr-auth.conf
View File

@ -1,10 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for sonarr
# Works OOTB with defaults
[sonarr-auth]
enabled = false
port = 8989
logpath = %(remote_logs_path)s/sonarr/sonarr.txt
filter = servarr-auth

13
fail2ban/data/fail2ban/jail.d/sshd.conf
View File

@ -1,13 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for sshd
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
enabled = false
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

8
fail2ban/data/fail2ban/jail.d/suhosin.conf
View File

@ -1,8 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for suhosin
[suhosin]
enabled = false
port = http,https
logpath = %(suhosin_log)s

11
fail2ban/data/fail2ban/jail.d/traefik-auth.conf
View File

@ -1,11 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for traefik-auth
# to use 'traefik-auth' filter you have to configure your Traefik instance,
# see `filter.d/traefik-auth.conf` for details and service example.
[traefik-auth]
enabled = false
port = http,https
logpath = %(logs_path)s/traefik/access.log

9
fail2ban/data/fail2ban/jail.d/unifi-controller-auth.conf
View File

@ -1,9 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for unifi controller
# Works OOTB with defaults
[unifi-controller-auth]
enabled = false
port = 8080,8443
logpath = %(remote_logs_path)s/unificontroller/server.log

12
fail2ban/data/fail2ban/jail.d/unraid-sshd.conf
View File

@ -1,12 +0,0 @@
## Version 2022/08/07
# Fail2Ban jail configuration for unRAID sshd
# Works OOTB with defaults
# chain set to INPUT to apply bans at the host level
[unraid-sshd]
enabled = false
port = ssh
logpath = %(var_log_path)s/syslog
filter = sshd[mode=aggressive]

11
fail2ban/data/fail2ban/jail.d/unraid-webgui.conf
View File

@ -1,11 +0,0 @@
## Version 2022/08/07
# Fail2Ban jail configuration for unRAID web GUI
# Works OOTB with defaults
# chain set to INPUT to apply bans at the host level
[unraid-webgui]
enabled = false
port = http,https
logpath = %(var_log_path)s/syslog

14
fail2ban/data/fail2ban/jail.d/vaultwarden-auth.conf
View File

@ -1,14 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for vaultwarden
# Requires modification to Vaultwardens settings
# https://github.com/dani-garcia/vaultwarden/wiki/Logging#logging-to-a-file
# Specify the path to the log file with the LOG_FILE environment variable
# -e LOG_FILE=/data/vaultwarden.log
[vaultwarden-auth]
enabled = false
port = http,https
logpath = %(remote_logs_path)s/vaultwarden/vaultwarden.log

7
fail2ban/data/fail2ban/jail.d/vaultwarden.conf
View File

@ -1,7 +0,0 @@
## Version 2025/04/01
[vaultwarden]
enabled = false
port = http,https
logpath = %(remote_logs_path)s/vaultwarden.log

10
fail2ban/data/fail2ban/jail.d/znc-adminlog.conf
View File

@ -1,10 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for
# enable adminlog; it will log to a file inside znc's directory by default.
[znc-adminlog]
enabled = false
port = 6667
logpath = %(znc_log)s

11
fail2ban/data/fail2ban/jail.d/zoneminder.conf
View File

@ -1,11 +0,0 @@
## Version 2022/08/06
# Fail2Ban jail configuration for zoneminder
# Zoneminder HTTP/HTTPS web interface auth
# Logs auth failures to apache2 error log
[zoneminder]
enabled = false
port = http,https
logpath = %(apache_error_log)s

21
safe-deploy.sh
View File

@ -1,21 +0,0 @@
#!/bin/bash
# NGINX Pathfinder - Safe Deploy Script
CONTAINER_NAME="nginx-proxy"
echo "🔍 Validando sintaxe do Nginx..."
OUTPUT=$(docker exec $CONTAINER_NAME nginx -t 2>&1)
EXIT_CODE=$?
if [ $EXIT_CODE -eq 0 ]; then
echo "✅ Sintaxe OK. Aplicando alterações..."
docker exec $CONTAINER_NAME nginx -s reload
echo "🚀 Configuração aplicada com sucesso!"
echo "JSON_OUTPUT: {\"status\": \"success\", \"action\": \"reloaded\", \"message\": \"Configuration valid and applied.\"}"
exit 0
else
echo "❌ Erro na sintaxe. Abortando deploy."
CLEAN_ERROR=$(echo "$OUTPUT" | grep "emerg" | head -n 1)
echo "JSON_OUTPUT: {\"status\": \"error\", \"action\": \"aborted\", \"details\": \"$CLEAN_ERROR\"}"
exit 1
fi