potentially fix fail2ban

2026-02-05 15:11:17 -05:00
parent a7d6018592
commit 954e124b49
2 changed files with 24 additions and 7 deletions
--- a/services/caddy.nix
+++ b/services/caddy.nix
@@ -92,13 +92,14 @@ in

      # Ignore local network IPs - NAT hairpinning causes all LAN traffic to
      # appear from the router IP (192.168.1.1). Banning it blocks all internal access.
-      # Browser subrequests for static assets (favicon.ico, etc.) without Authorization
-      # headers cause 401s that quickly trigger the ban threshold.
      ignoreip = "127.0.0.1/8 ::1 192.168.1.0/24";
    };
    filter.Definition = {
-      # Match Caddy JSON logs with 401 Unauthorized status (failed basic auth)
-      failregex = ''^.*"remote_ip":"<HOST>".*"status":401.*$'';
+      # Only match 401s where an Authorization header was actually sent.
+      # Without this, the normal HTTP Basic Auth challenge-response flow
+      # (browser probes without credentials, gets 401, then resends with
+      # credentials) counts every page visit as a "failure."
+      failregex = ''^.*"remote_ip":"<HOST>".*"Authorization":\["REDACTED"\].*"status":401.*$'';
      ignoreregex = "";
      datepattern = ''"ts":{Epoch}\.'';
    };