How to get ip_ban_enabled to work using Nginx

If enabled, configure Nginx with a list of IP addresses directly from Cloudflare that will be used for set_real_ip_from directive Nginx config. This is so the ip_ban_enabled feature can be used and work correctly in /config/customize.yaml.

is stated in the Nginx proxy documentation. Really sorry to say, but I don't understand this, other than that any traffic reaching HA will now pass Nginx per definition, so the default ip_bans isn't effective any longer?

How to configure that now? I would not know where to start selecting Cloudflare IPs, or even understand why this needs Cloudflare settings in the first place…

This is my current http config:

http:
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  #  base_url: !secret base_url
  #  ssl_certificate: /ssl/fullchain.pem
  #  ssl_key: /ssl/privkey.pem
  ip_ban_enabled: true
  login_attempts_threshold: 5
  #  cors_allowed_origins:
  #    -
  #    -
  use_x_forwarded_for: true

Please have a look? Thanks.
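An added example, not part of the original post and not the add-on's own code: a small Python script that builds the set_real_ip_from block the quoted add-on text talks about from Cloudflare's published prefix list, and models which address ends up as the client IP that ip_ban_enabled acts on. The three prefixes embedded are a constructed sample of the list format served at https://www.cloudflare.com/ips-v4 and /ips-v6; the function and variable names are this example's own.

```python
import ipaddress

# Constructed sample in the one-prefix-per-line format that Cloudflare serves at
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
# Fetch the live lists for real use; these entries only let the example run offline.
CLOUDFLARE_IPS_SAMPLE = """\
173.245.48.0/20
103.21.244.0/22
2400:cb00::/32
"""


def parse_prefixes(text):
    """Turn the downloaded list into validated networks. A malformed line raises
    ValueError here instead of producing a set_real_ip_from that nginx rejects at start-up."""
    prefixes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefixes.append(ipaddress.ip_network(line, strict=True))
    return prefixes


def render_real_ip_conf(prefixes, header="CF-Connecting-IP"):
    """nginx realip-module snippet: only for connections coming from these prefixes is
    $remote_addr replaced by the value of `header` (Cloudflare sets CF-Connecting-IP)."""
    lines = [f"set_real_ip_from {net};" for net in prefixes]
    lines.append(f"real_ip_header {header};")
    return "\n".join(lines) + "\n"


def client_ip_seen_by_ha(remote_addr, cf_connecting_ip, trusted_prefixes):
    """Model of what the realip module does with one request: the header is honoured
    only when the TCP peer is a trusted edge, so a direct connection that forges
    CF-Connecting-IP cannot choose which address gets banned (or dodge a ban)."""
    peer = ipaddress.ip_address(remote_addr)
    if cf_connecting_ip and any(peer in net for net in trusted_prefixes):
        return str(ipaddress.ip_address(cf_connecting_ip))
    return remote_addr


if __name__ == "__main__":
    nets = parse_prefixes(CLOUDFLARE_IPS_SAMPLE)
    print(render_real_ip_conf(nets))
    # Request via a Cloudflare edge: HA sees the real client, 203.0.113.7
    print(client_ip_seen_by_ha("173.245.48.10", "203.0.113.7", nets))
    # Direct hit with a forged header: HA sees the peer itself, 198.51.100.9
    print(client_ip_seen_by_ha("198.51.100.9", "203.0.113.7", nets))
```

Drop the rendered lines into the nginx server block that fronts Home Assistant. On the HA side, use_x_forwarded_for: true also needs trusted_proxies: listing the nginx proxy's own address; without that, HA treats every request as coming from the proxy, and one attacker tripping the threshold gets the proxy address banned, which blocks everyone.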

What option in which addon is this about?
If I understand correctly what it does, it will likely conflict with HA trusted_proxies management…

I suggest taking a look at this

You need to run a fail2ban docker. I use this:

services:
  fail2ban:
    container_name: fail2ban
    image: crazymax/fail2ban:latest
    restart: unless-stopped
    hostname: UNRAID
    network_mode: host
    cap_add:
      - NET_ADMIN   # added here: fail2ban needs it to manage the iptables bans (the image's docs list NET_ADMIN and NET_RAW)
      - NET_RAW
    volumes:
      - /mnt/cache/appdata/fail2ban:/data
      - /var/log:/var/log:ro
      # the HA log, so the jail can read it
      # to unban: docker exec -it fail2ban fail2ban-client set ha unbanip <IP>
      # to check: docker exec -it fail2ban fail2ban-client status ha
      - /mnt/cache/appdata/homeassistant/home-assistant.log:/home/home-assistant.log
    env_file: secrets/.fail2ban
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

These are the environment variables in .fail2ban:

F2B_LOG_TARGET=/data/log/fail2ban.log #STDOUT

This is copied from the Nginx add-on documentation displayed in the add-on panel, but also on addons/nginx_proxy/ at 7c6bced05534d9c8b5c60b4d3f36de0a3d892e9c · home-assistant/addons · GitHub

Using HA OS, I suppose I would need an add-on for that? Which I haven't found just yet…

If you have the Portainer add-on, you can create a "stack".
Basically, use docker compose. But you need to map the HA logs to the fail2ban docker.

Ok, I have Portainer, but never used it :wink: Will check this out most certainly.

Not exactly sure I understand what you say here (huge understatement…)

In Portainer go to the stack list, then add a stack and copy the docker compose I provided, editing it to reflect your folder structure.

Fail2ban needs to see the Home Assistant log file. In my example I do it like this:

    - /mnt/cache/appdata/homeassistant/home-assistant.log:/home/home-assistant.log

This effectively puts the HA log file inside the fail2ban docker.
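An added example, not posted by anyone in the thread: the filter such a jail applies to home-assistant.log, exercised in Python over constructed log lines so you can see which address reaches the threshold, and what happens when HA logs the proxy's address instead of the client's. The jail name ha (matching the unban command above), the paths, and the add-on address 172.30.33.2 are assumptions; the log line shape follows the warning Home Assistant's http.ban logger writes on a failed login.

```python
import re
from collections import Counter

# fail2ban filter for a jail named "ha" (assumed). <HOST> is fail2ban's own
# placeholder for the IPv4/IPv6/hostname it extracts and bans.
FAIL2BAN_FILTER = """\
[Definition]
failregex = ^.*Login attempt or request with invalid authentication from <HOST>.*$
ignoreregex =
"""

# The same message matched in Python so the filter can be exercised offline.
# The host group accepts IPv4 and IPv6 literals, which is what HA logs there.
FAILREGEX = re.compile(
    r"Login attempt or request with invalid authentication from (?P<host>[0-9A-Fa-f.:]+)"
)


def _fail_line(timestamp, ip):
    """Constructed line in the shape of Home Assistant's http.ban warning."""
    return (
        f"{timestamp} WARNING (MainThread) [homeassistant.components.http.ban] "
        f"Login attempt or request with invalid authentication from {ip} ({ip}). "
        f"Requested URL: '/auth/login_flow'. (curl/8.4.0)"
    )


# Constructed sample log: five failures from one address, one from another, one unrelated line.
SAMPLE_LOG = "\n".join(
    [_fail_line(f"2024-01-05 10:00:0{i}.000", "203.0.113.7") for i in range(5)]
    + [
        _fail_line("2024-01-05 10:00:09.000", "198.51.100.4"),
        "2024-01-05 10:00:10.000 INFO (MainThread) [homeassistant.core] Starting Home Assistant",
    ]
)


def failed_hosts(log_text):
    """Count failed-login lines per source address, as the jail would."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILREGEX.search(line)
        if match:
            counts[match.group("host")] += 1
    return counts


def hosts_to_ban(log_text, maxretry=5):
    """Addresses that reached maxretry (5 here, mirroring login_attempts_threshold: 5)."""
    return sorted(host for host, n in failed_hosts(log_text).items() if n >= maxretry)


def bans_own_proxy(log_text, proxy_ip, maxretry=5):
    """The failure mode this thread is about: when HA is not told the real client
    address, every failure is logged against the proxy and the jail bans the proxy."""
    return proxy_ip in hosts_to_ban(log_text, maxretry)


if __name__ == "__main__":
    print(failed_hosts(SAMPLE_LOG))
    print(hosts_to_ban(SAMPLE_LOG))
    # Log as it looks when X-Forwarded-For is ignored: all failures "from" the proxy
    # (172.30.33.2 is an assumed add-on address).
    proxied = "\n".join(_fail_line(f"2024-01-05 11:00:0{i}.000", "172.30.33.2") for i in range(5))
    print(bans_own_proxy(proxied, "172.30.33.2"))
```

The filter text goes into filter.d/ha.conf under the /data volume of the compose above; the Python part is only there to show the matching behaviour before you point a real jail at the mounted home-assistant.log.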
