Idea: Use fail2ban to write to server_proxy.conf

[instantdreams]

I'm just noodling this idea around, but for hosts that don't support iptables - or who want to be able to cleanly backup their configurations - I've been exploring if fail2ban could write to a file used by Nginx Proxy Manager.

Nginx supports a module called nxg_http_access_module. This allows the use of deny and allow directives to blacklist and whitelist IP addresses.

I'm not sure if Nginx Proxy Manager is built with this module enabled:

$ docker exec npm nginx -V 2>&1 | tr ' ' '\n' | grep 'http'
--http-log-path=/var/log/nginx/access.log
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp
--with-http_addition_module
--with-http_auth_request_module
--with-http_dav_module
--with-http_flv_module
--with-http_gunzip_module
--with-http_gzip_static_module
--with-http_mp4_module
--with-http_random_index_module
--with-http_realip_module
--with-http_secure_link_module
--with-http_slice_module
--with-http_ssl_module
--with-http_stub_status_module
--with-http_sub_module
--with-http_v2_module

If it was, the following structure could be added to file data/nginx/custom/server_proxy.conf which is one of the custom configuration files:

allow all;

Then, within the fail2ban configuration, a custom action could be defined such as this:

actionban = sed -i '$ a deny <ip>;' server_proxy.conf

actionunban = sed -i "/deny <ip>;/d" server_proxy.conf

To make this work, fail2ban needs access to the volume where the npm file server_proxy.conf is located, and npm would need the http_access module loaded.

Is this reasonable?