How to implement Fail2Ban inside a Docker container running Nginx
I am trying to implement fail2ban in a docker environment using my Nginx logs. <-- In future I may just target the traefik logs as a whole.
version: '3'
services:
  fail2ban:
    image: 'crazymax/fail2ban:latest'
    restart: 'always'
    network_mode: 'host'
    cap_add:
      - 'NET_ADMIN'
      - 'NET_RAW'
    volumes:
      - 'nginx-log:/var/log:ro'
      - 'fail2ban-data:/data'
    env_file:
      - './fail2ban.env'
  laravel-mysql:
    [SNIP]
  laravel-php:
    [SNIP]
  laravel-nginx:
    image: 'nginx:alpine'
    restart: 'always'
    depends_on:
      - 'laravel-php'
    expose:
      - '80'
    volumes:
      - 'laravel-src:/var/www/html'
      - './nginx.conf:/etc/nginx/conf.d/default.conf'
      - 'nginx-log:/var/log/nginx'
    networks:
      - 'traefik'
      - 'laravel'
    labels:
      - 'traefik.enable=true'
      - 'traefik.docker.network=traefik'
      - 'traefik.http.routers.nginx.entrypoints=http'
      - 'traefik.http.routers.nginx.rule=Host(`${DOMAIN}`) || Host(`www.${DOMAIN}`)'
      - 'traefik.http.routers.nginx.middlewares=redirect@file'
      - 'traefik.http.routers.nginx-https.rule=Host(`${DOMAIN}`) || Host(`www.${DOMAIN}`)'
      - 'traefik.http.routers.nginx-https.tls=true'
      - 'traefik.http.routers.nginx-https.tls.certresolver=${DNS_PROVIDER}'
      - 'traefik.http.routers.nginx-https.tls.domains[0].main=${DOMAIN}'
      - 'traefik.http.routers.nginx-https.tls.domains[1].main=www.${DOMAIN}'
      - 'traefik.http.routers.nginx.service=nginx'
      - 'traefik.http.services.nginx.loadbalancer.server.port=80'
      - 'traefik.http.services.nginx.loadBalancer.passHostHeader=true'
      - 'traefik.http.middlewares.https_redirect.redirectscheme.scheme=https'
      - 'traefik.http.middlewares.https-redirect.redirectscheme.scheme=https'
      - 'traefik.http.middlewares.https-redirect.headers.customrequestheaders.X-Forwarded-Proto=https'
      - 'traefik.http.routers.nginx.middlewares=https-redirect'
      - 'traefik.http.middlewares.https_redirect.redirectscheme.permanent=true'
      - 'traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)'
      - 'traefik.http.routers.http_catchall.entrypoints=http'
      - 'traefik.http.routers.http_catchall.middlewares=https_redirect'
networks:
  laravel:
    driver: 'bridge'
  traefik:
    name: '${TRAEFIK_NETWORK}'
    external: 'true'
volumes:
  laravel-database:
    driver: 'local'
  laravel-src:
    driver: 'local'
  nginx-log:
    driver: 'local'
  fail2ban-data:
    driver: 'local'
After docker-compose up -d, running docker logs laravel_fail2ban_1 --tail 100 shows me:
Setting timezone to Europe/London...
Setting SSMTP configuration...
WARNING: SSMTP_HOST must be defined if you want fail2ban to send emails
Initializing files and folders...
Setting Fail2ban configuration...
Checking for custom actions in /data/action.d...
Checking for custom filters in /data/filter.d...
2021-08-01 11:40:13,199 fail2ban.configreader [1]: INFO Loading configs for fail2ban under /etc/fail2ban
2021-08-01 11:40:13,202 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
2021-08-01 11:40:13,203 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
2021-08-01 11:40:13,204 fail2ban [1]: INFO Using socket file /var/run/fail2ban/fail2ban.sock
2021-08-01 11:40:13,204 fail2ban [1]: INFO Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to STDOUT
2021-08-01 11:40:13,218 fail2ban.configreader [1]: INFO Loading configs for jail under /etc/fail2ban
2021-08-01 11:40:13,219 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/jail.conf']
2021-08-01 11:40:13,255 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/paths-debian.conf']
2021-08-01 11:40:13,257 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/paths-common.conf']
2021-08-01 11:40:13,260 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/paths-overrides.local']
2021-08-01 11:40:13,263 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-debian.conf', '/etc/fail2ban/jail.conf']
2021-08-01 11:40:13,369 fail2ban.server [1]: INFO --------------------------------------------------
2021-08-01 11:40:13,372 fail2ban.server [1]: INFO Starting Fail2ban v0.11.2
2021-08-01 11:40:13,373 fail2ban.observer [1]: INFO Observer start...
2021-08-01 11:40:13,382 fail2ban.database [1]: INFO Connected to fail2ban persistent database '/data/db/fail2ban.sqlite3'
2021-08-01 11:40:13,385 fail2ban.database [1]: WARNING New database created. Version '4'
Server ready
If I now try to put my application under load, no logs are populated in fail2ban, but if I --follow my nginx container logs I can see the requests being triggered.
If I run docker exec -it -u root laravel_fail2ban_1 /bin/bash -c 'ls -la /var/log' I can see my logs in the correct place:
total 8
drwxr-xr-x 2 root root 4096 Aug 1 11:35 .
drwxr-xr-x 1 root root 4096 Dec 16 2020 ..
lrwxrwxrwx 1 root root 11 Jul 6 20:40 access.log -> /dev/stdout
lrwxrwxrwx 1 root root 11 Jul 6 20:40 error.log -> /dev/stderr
I found that the problem may be with what happens when I try to cat /var/log/access.log. It is symlinked to /dev/stdout, which means the terminal tries to attach to it. I am unable to unlink it when running:
docker exec -it -u root laravel_fail2ban_1 /bin/bash -c 'unlink /var/log/access.log'
unlink: can't remove file '/var/log/access.log': Read-only file system
Any help getting this working is appreciated. I need to keep the symlink on the volume so that I can use docker logs on my nginx container.
If /var/log/access.log is a symlink to stdout, it won't be usable from other containers: /dev/stdout points at the stdout of the current process, so when fail2ban tries to read it, it gets its own stdout, not the nginx process's.
If you want fail2ban to be able to read the logs from nginx, you need to write them to an actual file. If you also want them to show up on the container's stdout, you can run something like tail -f in the background in the nginx container.
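The following setup script is an added example, not code from the question or the answer above. It applies the answer's advice (a real access.log on the shared volume, a background tail in the nginx container so docker logs keeps working) and adds two things a practitioner behind Traefik needs: nginx must log the real client address rather than Traefik's container IP (otherwise the first ban knocks Traefik offline), and the ban must land in the DOCKER-USER chain, because traffic to published container ports is forwarded by the kernel and never traverses INPUT. The unlink in the question failed because the fail2ban service mounts the volume :ro; the nginx service mounts it read-write, so that is where the symlink is replaced. Everything below is assumed rather than taken from the page: the Traefik network CIDR 172.18.0.0/16, a bind-mounted ./fail2ban-data directory for custom jails and filters, the jail name nginx-4xx, and the ban policy (20 responses of 401/403/404/429 within 60 seconds). The sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not the original poster's or the answer's code). Assumptions:
# Traefik network is 172.18.0.0/16; ./fail2ban-data is bind-mounted into the
# fail2ban container's /data/jail.d and /data/filter.d.
set -eu

write_compose_override() {  # $1 = directory that holds docker-compose.yml
  cat > "$1/docker-compose.override.yml" <<'EOF'
version: '3'
services:
  laravel-nginx:
    volumes:
      - './nginx-logging.conf:/etc/nginx/conf.d/00-logging.conf:ro'
    # Replace the image's access.log -> /dev/stdout symlink with a real file
    # (this mount is writable, unlike the :ro mount in fail2ban), then mirror
    # both files to the container's stdout/stderr before starting nginx.
    command: >
      sh -c "cd /var/log/nginx;
             [ -L access.log ] && rm access.log; [ -L error.log ] && rm error.log;
             touch access.log error.log;
             tail -n 0 -F access.log & tail -n 0 -F error.log >&2 &
             exec nginx -g 'daemon off;'"
  fail2ban:
    volumes:
      - './fail2ban-data/jail.d:/data/jail.d:ro'
      - './fail2ban-data/filter.d:/data/filter.d:ro'
EOF
}

write_nginx_conf() {  # $1 = directory that holds docker-compose.yml
  cat > "$1/nginx-logging.conf" <<'EOF'
# Loaded from conf.d (http context). Only the Traefik network (assumed CIDR)
# may supply X-Forwarded-For; with real_ip_recursive nginx takes the last
# address outside that range, so $remote_addr in the default "main" log
# format becomes the client, not Traefik, and fail2ban bans the right host.
set_real_ip_from  172.18.0.0/16;
real_ip_header    X-Forwarded-For;
real_ip_recursive on;
EOF
}

write_fail2ban_conf() {  # $1 = directory bind-mounted under /data
  mkdir -p "$1/jail.d" "$1/filter.d"
  cat > "$1/filter.d/nginx-4xx.conf" <<'EOF'
[Definition]
# fail2ban strips the [date] before matching, hence the empty \[\].
failregex = ^<HOST> - \S+ \[\] "(GET|POST|HEAD|PUT|PATCH|DELETE|OPTIONS) [^"]*" (401|403|404|429) \d+ 
ignoreregex =
EOF
  cat > "$1/jail.d/nginx-4xx.local" <<'EOF'
[nginx-4xx]
enabled  = true
filter   = nginx-4xx
# Path inside the fail2ban container: the nginx-log volume is mounted at /var/log.
logpath  = /var/log/access.log
maxretry = 20
findtime = 60
bantime  = 1h
# Published container ports are forwarded (FORWARD chain), never delivered to
# INPUT; DOCKER-USER is the FORWARD sub-chain Docker consults before its own rules.
action   = iptables-allports[name=nginx-4xx, chain=DOCKER-USER]
EOF
}

# Offline stand-in for fail2ban-regex: counts lines the filter would match,
# keyed by the first field ($remote_addr), and prints hosts at/over maxretry.
ban_candidates() {  # $1 = access log file, $2 = maxretry
  awk -v max="$2" '
    /^[0-9.]+ - [^ ]+ \[[^]]+] "(GET|POST|HEAD|PUT|PATCH|DELETE|OPTIONS) [^"]*" (401|403|404|429) [0-9]+ / { n[$1]++ }
    END { for (ip in n) if (n[ip] >= max) print ip }
  ' "$1" | sort
}

# Constructed sample in the image's default "main" format, as written after the
# realip change (first field is the client; the last one is X-Forwarded-For).
write_sample_log() {  # $1 = output file
  cat > "$1" <<'EOF'
203.0.113.9 - - [01/Aug/2021:11:45:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/7.77.0" "203.0.113.9"
203.0.113.9 - - [01/Aug/2021:11:45:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/7.77.0" "203.0.113.9"
203.0.113.9 - - [01/Aug/2021:11:45:03 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "curl/7.77.0" "203.0.113.9"
198.51.100.7 - - [01/Aug/2021:11:45:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "198.51.100.7"
198.51.100.7 - - [01/Aug/2021:11:45:05 +0000] "GET /missing.png HTTP/1.1" 404 153 "-" "Mozilla/5.0" "198.51.100.7"
EOF
}

# Usage: sh setup-fail2ban.sh apply   (run in the docker-compose.yml directory),
# then: docker-compose up -d && docker exec laravel_fail2ban_1 fail2ban-client status nginx-4xx
if [ "${1:-}" = "apply" ]; then
  write_compose_override . && write_nginx_conf . && write_fail2ban_conf ./fail2ban-data
fi
```

The background tail uses -F rather than -f so it survives a logrotate rename, and -n 0 so a restart does not replay the whole file into docker logs. The realip directives are what make the standard fail2ban nginx filters usable at all behind a reverse proxy: without them every line starts with Traefik's 172.18.x.x address and the first ban would cut off all traffic. fail2ban's own status view of the jail (fail2ban-client status nginx-4xx) is the check that the log is actually being read; if "Currently failed" stays at 0 under load, the logpath or the real file replacement is wrong.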