https://github.com/juitde/traefik-plugin-fail2ban
Block or allow IPs depending on various conditions
traefik-middleware traefik-plugin
- Host: GitHub
- URL: https://github.com/juitde/traefik-plugin-fail2ban
- Owner: juitde
- License: mit
- Created: 2023-01-31T13:10:25.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2025-10-17T07:42:51.000Z (9 months ago)
- Last Synced: 2025-10-18T10:38:46.178Z (9 months ago)
- Topics: traefik-middleware, traefik-plugin
- Language: Go
- Homepage:
- Size: 36.1 KB
- Stars: 16
- Watchers: 5
- Forks: 4
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Fail2Ban middleware plugin for traefik reverse proxy

This plugin is a small but growing implementation of fail2ban as a middleware plugin for traefik. It is
inspired by other implementations with a similar goal but is tailored to our needs.
Inspirations taken from:
- https://github.com/tomMoulard/fail2ban
- https://github.com/safing/scanblock
## Installation
Installation instructions are provided via the [traefik Plugin Catalog](https://plugins.traefik.io/plugins/).
### CAUTION: Breaking Changes
#### Version 0.2.0
- traefik v2.10+ is required: the plugin now has a vendored dependency which results
in goroutine panics in previous traefik versions.
## Configuration
All configuration options may be specified either in config files or as CLI parameters.
### Always allowing or blocking certain IPs (or IP ranges)
Certain IP addresses or ranges can be configured to be either always allowed or always denied access.
Blocking always takes precedence over allowing access, and allowing access takes precedence over executing other
fail2ban rules.
```yaml
testData:
  alwaysAllowed:
    ip: "::1,127.0.0.1"
  alwaysDenied:
    ip: "192.168.0.0/24"
```
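The precedence described above (deny list, then allow list, then the fail2ban rules), as an added example that is not the plugin's own code. `parseList` and `decide` are hypothetical names, and two behaviours are assumptions of this sketch rather than documented plugin behaviour: IPv4-mapped IPv6 addresses are unmapped before matching, and an unparsable remote address is denied.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// parseList reads the comma-separated `ip:` format; a bare address becomes a /32 or /128.
func parseList(s string) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, item := range strings.Split(s, ",") {
		item = strings.TrimSpace(item)
		p, err := netip.ParsePrefix(item)
		if err != nil { // not CIDR notation: treat the entry as a single host
			a, err := netip.ParseAddr(item)
			if err != nil {
				return nil, fmt.Errorf("bad entry %q: %w", item, err)
			}
			p = netip.PrefixFrom(a.Unmap(), a.Unmap().BitLen())
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// decide applies the documented order: deny list, then allow list, then rules.
func decide(denied, allowed []netip.Prefix, remote string) string {
	a, err := netip.ParseAddr(remote)
	if err != nil {
		return "deny" // assumption: fail closed on an unparsable address
	}
	a = a.Unmap() // assumption: ::ffff:a.b.c.d is matched as plain IPv4
	for i, list := range [][]netip.Prefix{denied, allowed} { // deny list first
		for _, p := range list {
			if p.Contains(a) {
				return []string{"deny", "allow"}[i]
			}
		}
	}
	return "rules" // neither list matched: hand over to the fail2ban rules
}

func main() {
	denied, _ := parseList("192.168.0.0/24")              // value from the README
	allowed, _ := parseList("::1,127.0.0.1,192.168.0.10") // last entry is constructed
	for _, ip := range []string{"192.168.0.10", "::ffff:127.0.0.1", "203.0.113.7"} {
		fmt.Println(ip, "->", decide(denied, allowed, ip))
	}
}
```

Without the `Unmap` call, `netip.Prefix.Contains` would not match `::ffff:127.0.0.1` against the IPv4 entry `127.0.0.1`, so the same client could get a different verdict depending on how its address is presented.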
### Restricting logging messages
To help manage the use of this plugin, the level of logged messages can be adjusted.
```yaml
testData:
  logLevel: "INFO"
```
### Fail2Ban rules
The ultimate goal is to support any rule matcher that fail2ban itself supports, but the implementation follows the direct
needs of our projects.
The currently implemented settings are:
```yaml
testData:
rules:
banTime: "3h"
findTime: "10m"
maxRetries: 4
response:
statusCodes: "400,401,403-499"
errorCode: "403"
```
## Processing requests
Prior to executing the defined rules, if the remote IP is in the `alwaysDenied` list, the request is immediately
denied. The same applies, correspondingly, to the `alwaysAllowed` list.
On the first request from an unknown IP address, the address is added to the pool, starting the `findTime` timer:
On every subsequent request (while the `findTime` is not exceeded), the IP address counter in the pool is incremented
and the rules are checked.
# How to develop in this project
- First, do a clean install of the vendor dependencies: `make clean vendor`