NGINX SSL Proxy core addon: force IPv4 only?

Is there a way to force IPv4 when using the SSL Proxy addon?

I’m using fail2ban on the host OS; HassIO is installed using the “generic Linux” method (Docker). Fail2ban reads homeassistant.log and gets the login-failure IP as per the cookbook.
https://www.home-assistant.io/cookbook/fail2ban/

But it does not seem to work. NGINX reports IPv6, but somehow fail2ban bans the IPv4 address. End result: I can still access my HA even when the IPv4 address is on the fail2ban ban list.
(I prefer fail2ban over the HA http auth provider because it gives me more tweaking options.)

This thread suggests making changes in NGINX to disable IPv6:

So, how do I force the core NGINX addon (not the NGINX manager community addon) to disable IPv6?

Alternatively, is there more documentation and/or example on how to use “customize” options?

OK, from the addon’s run.sh and the resulting /etc/nginx.conf, I’ve worked out:

  • default is included inside your HA server block, before the location sub-block
  • servers is included after your HA server block

So I’ve attempted many different variations for the default and the other proxy. None was successful.

My first attempt was to use a single line in the default file. But this is met with “443 address already in use”.

listen 443 ssl http2;

My final attempt, by redirecting twice?
\share\nginx_proxy_default.conf

        location / {
            proxy_pass http://localhost:812;
            proxy_set_header Host $host;
            proxy_redirect http:// https://;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }

With another proxy file \share\nginx_proxy\ha.conf:

    server {
        server_name x.duckdns.org;

        ssl_certificate /ssl/fullchain.pem;
        ssl_certificate_key /ssl/privkey.pem;

        # dhparams file
        ssl_dhparam /data/dhparams.pem;

        listen 812 ssl http2;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        proxy_buffering off;

        location / {
            proxy_pass http://homeassistant.local.hass.io:8123;
            proxy_set_header Host $host;
            proxy_redirect http:// https://;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }

Nothing gets me a running nginx server.

I’ve even tried downloading the addon source files and created an addon repository to host my modified nginx.conf. But somehow, the running /etc/nginx.conf in the container is still the old one??
https://github.com/wyx087/hassio-addons-example

Any help is much appreciated… I just need to remove “[::]:” between listen and 443 in the resulting nginx Docker container’s /etc/nginx.conf file.

I’m wondering whether I’m barking up the wrong tree?

Fail2Ban modifies iptables on the host OS. But the HA failed log-in happens inside a Docker container: the request goes from the NGINX container to the HA container via the Docker interface’s 172 address range.
But I would have thought anything going into Docker containers still has to pass through the host OS iptables?

Currently, I’ve given up on this and resorted to using the built-in HTTP IP ban functionality. I hope people with more knowledge can find a way to get fail2ban to work on a HassIO generic Linux install.
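The log-matching half of the cookbook setup, as an added example that is not from this thread or from the Home Assistant fail2ban cookbook: a fail2ban-style failregex run over constructed homeassistant.log lines, counting failures per source address and separating addresses that can usefully be banned from hits that come from the Docker bridge range (which would mean HA saw the proxy container, not the real client). The log-line shape, the 172.16.0.0/12 range for Docker networks and the sample addresses are assumptions made for the example; IPv4-mapped IPv6 literals (::ffff:a.b.c.d) are folded to IPv4 so the two forms count as one client.

```python
import ipaddress
import re
from collections import Counter

# Shape of the line Home Assistant writes on a failed login. The regex mirrors
# what the cookbook's failregex does: match the message text and capture the
# host that follows "from". (Assumed line layout, constructed for this example.)
FAILREGEX = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) WARNING .*?"
    r"Login attempt or request with invalid authentication from "
    r"(?P<host>[0-9A-Fa-f:.]+)"
)

# Assumption: Docker bridge networks (including the hassio one) live in 172.16.0.0/12.
DOCKER_RANGE = ipaddress.ip_network("172.16.0.0/12")

# Constructed sample of homeassistant.log; not a real log.
SAMPLE_LOG = """\
2019-03-13 20:01:02 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.7
2019-03-13 20:01:03 INFO (MainThread) [homeassistant.core] Bus:Handling <Event state_changed>
2019-03-13 20:01:05 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.7
2019-03-13 20:01:09 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from ::ffff:203.0.113.7
2019-03-13 20:02:00 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 172.30.32.1
2019-03-13 20:02:01 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 172.30.32.1
2019-03-13 20:02:02 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 172.30.32.1
"""


def normalise(host):
    """Parse the captured host; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    addr = ipaddress.ip_address(host)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        return addr.ipv4_mapped
    return addr


def failures(log_text):
    """Yield (timestamp, ip_address) for every line the failregex matches."""
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            yield m.group("ts"), normalise(m.group("host"))


def ban_list(log_text, maxretry=3):
    """Return (bannable, proxy_masked): addresses with >= maxretry failures.

    Addresses inside the Docker range are reported separately: a ban on 172.x
    would only block the proxy container, and it means HA is logging the proxy's
    address instead of the client address carried in X-Forwarded-For.
    """
    counts = Counter(ip for _, ip in failures(log_text))
    bannable, masked = [], []
    for ip, n in counts.items():
        if n < maxretry:
            continue
        if ip.version == 4 and ip in DOCKER_RANGE:
            masked.append(str(ip))
        else:
            bannable.append(str(ip))
    return sorted(bannable), sorted(masked)


if __name__ == "__main__":
    print(ban_list(SAMPLE_LOG))
```

On the sample, 203.0.113.7 reaches the retry threshold (two plain hits plus one IPv4-mapped hit) and is bannable, while 172.30.32.1 is flagged as the proxy's address rather than a client. Separately from what the log shows, note that a ban fail2ban inserts into the host's INPUT chain does not filter traffic to a port Docker publishes: Docker DNATs that traffic and it traverses the FORWARD path, where Docker provides the DOCKER-USER chain for user rules, and fail2ban's jail option `chain` can be pointed at that chain instead of INPUT.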

Well, my prayers have been answered.

BUT fail2ban still doesn’t work. It sees the IP (v4) in the log, and its jail status shows the external IP has been banned. But I can still access HA through this external IP!?

That confirms I’ve been barking up the wrong tree. The problem is somewhere else, not with IPv6 or v4. Problem is probably my configuration of fail2ban and/or docker host.