How get ip_ban_enabled to work using Nginx

Mariusthvdb · July 20, 2021, 7:22am

If enabled, configure Nginx with a list of IP addresses directly from Cloudflare that will be used for set_real_ip_from directive Nginx config. This is so the ip_ban_enabled feature can be used and work correctly in /config/customize.yaml.

is stated on the Nginx proxy documentation. Really sorry to say, but I dont understand this, other than that any traffic reaching HA will no pass Nginx per definition so the default ip_bans isnt effective any longer?

how to configure that now? I would not know where to start selecting cloudfare ip’s or even understand why this needs cloudfare settings in the first place.,…

this is my current http config:

http:
# Uncomment this if you are using SSL/TLS, running in Docker container, etc.
#  base_url: !secret base_url
#  ssl_certificate: /ssl/fullchain.pem
#  ssl_key: /ssl/privkey.pem
  ip_ban_enabled: true
  login_attempts_threshold: 5
#  cors_allowed_origins:
#    - https://www.home-assistant.io
#    - https://cast.home-assistant.io
  use_x_forwarded_for: true
  trusted_proxies:
#    - 127.0.0.1
    - 172.30.33.7
    - 172.30.32.0/24

please have a look? thanks

koying · July 20, 2021, 8:56am

What option in which addon is this about?
If I understand correctly what it does, it will likely conflict with HA trusted_proxies management…

juan11perez · July 20, 2021, 9:52am

I suggest taking a look at this

You need to run a fail2ban docker. I use this:

  fail2ban: #https://github.com/crazy-max/docker-fail2ban
    container_name: fail2ban
    image: crazymax/fail2ban:latest
    restart: unless-stopped
    hostname: UNRAID
    network_mode: host
    cap_add:
    - NET_ADMIN
    - NET_RAW 
    volumes:
    - /mnt/cache/appdata/fail2ban:/data
    - /var/log:/var/log:ro
    - /mnt/cache/appdata/homeassistant/home-assistant.log:/home/home-assistant.log # https://www.home-assistant.io/cookbook/fail2ban/ => to unban https://github.com/linuxserver/docker-letsencrypt docker exec -it fail2ban fail2ban-client set ha unbanip 192.168.1.1 => fail2ban-client status ha
    env_file: secrets/.fail2ban
    labels:
    - "com.centurylinklabs.watchtower.enable=true"

This are the environment variables in .fail2ban

F2B_LOG_TARGET=/data/log/fail2ban.log #STDOUT
F2B_LOG_LEVEL=INFO
F2B_DB_PURGE_AGE=1d
F2B_IPTABLES_CHAIN=DOCKER-USER
PGID=100
PUID=99
TZ=Asia/Dubai

Mariusthvdb · July 20, 2021, 10:01am

this is copied from the Nginx add-on documentation displayed I the add-on panel, but also on addons/nginx_proxy/DOCS.md at 7c6bced05534d9c8b5c60b4d3f36de0a3d892e9c · home-assistant/addons · GitHub

thanks.
using HA OS, I suppose I would need an add-on for that? Which I haven’t found just yet…

juan11perez · July 20, 2021, 10:31am

if you have the portainer addon, you can create a “stack”.
Basically use docker compose. But you need to map the HA logs to the fail2ban docker.

Mariusthvdb · July 20, 2021, 5:15pm

ok, I have portainer, but never use it will check this out most certainly.

not exactly sure I understand what you say here (huge understatement…)

juan11perez · July 20, 2021, 6:47pm

In portainer go to stack list, then add stack and copy the docker compose I provided editing it to reflect your folder structure.

Fail2ban needs to see the homeassistant log file. In my example I do it like this:

mnt/cache/appdata/homeassistant/home-assistant.log:/home/home-assistant.log

This effectively puts the ha log file inside the fail2ban docker