fail2ban: ignoreip from local network

2026-01-27 18:51:08 -05:00
parent 2183ea8363
commit a61fedb015


@@ -89,6 +89,12 @@ in
port = "http,https"; port = "http,https";
logpath = "/var/log/caddy/access-*.log"; logpath = "/var/log/caddy/access-*.log";
# defaults: maxretry=5, findtime=10m, bantime=10m # defaults: maxretry=5, findtime=10m, bantime=10m
# Ignore local network IPs - NAT hairpinning causes all LAN traffic to
# appear from the router IP (192.168.1.1). Banning it blocks all internal access.
# Browser subrequests for static assets (favicon.ico, etc.) without Authorization
# headers cause 401s that quickly trigger the ban threshold.
ignoreip = "127.0.0.1/8 ::1 192.168.1.0/24";
}; };
filter.Definition = { filter.Definition = {
# Match Caddy JSON logs with 401 Unauthorized status (failed basic auth) # Match Caddy JSON logs with 401 Unauthorized status (failed basic auth)
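Review bot: The new `ignoreip` exempts the whole 192.168.1.0/24 from this jail, so any LAN host, and any traffic the router source-NATs to 192.168.1.1, can keep failing basic auth without ever being banned. The comment names only the router address as the hairpin source, so if that is the sole problem the exemption can be narrowed to `ignoreip = "127.0.0.1/8 ::1 192.168.1.1";`. It is worth confirming from the Caddy access log that connections forwarded from outside keep their real client address; if the router masquerades those too, this setting would effectively switch the jail off for internet traffic. The 401s from unauthenticated subrequests look like the root cause and may be better handled in the filter below, which matches on 401 status, for example by not counting requests that carried no Authorization header. The jail and filter definitions continue outside the hunk.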