My domain is: kein.go.ro
Hi! I'm trying to have nginx-proxy-manager block certain IPs after a given number of failed login attempts, for obvious reasons. I'm running things in containers, using Portainer to be exact (with the help of stacks). Here's the docker compose file I run for both nginx-proxy-manager & crowdsec:
version: '3.8'
services:
  nginx-reverse-proxy:
    image: 'jc21/nginx-proxy-manager:latest'
    container_name: nginx-reverse-proxy
    restart: unless-stopped
    ports:
      - '42393:80' # Public HTTP Port
      - '42345:443' # Public HTTPS Port
      - '78521:81' # Admin Web Port
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
      - ./data/logs/nginx:/var/log/nginx # Mount the Nginx access log
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    restart: unless-stopped
    volumes:
      - ./data/backup/Nginx/crowdsec:/etc/crowdsec
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - crowdsec-network
    cap_add:
      - SYS_PTRACE
    environment:
      - TZ=UTC
networks:
  crowdsec-network:
    driver: bridge
My OS: Ubuntu 23.10 (GNU/Linux 6.5.0-41-generic x86_64)
The issue that I'm facing is particularly with nginx-logs.yaml; I can't get it right somehow:
name: crowdsecurity/nginx-logs
description: "Parse Nginx access and error logs"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
grok:
  patterns:
    - 'NGINX_ACCESS %{IPORHOST:client_ip} - %{DATA:ident} %{DATA:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:http_version})?|%{DATA})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent}'
    - 'NGINX_ERROR \[%{HTTPDATE:timestamp}\] %{LOGLEVEL:level} %{DATA:pid}#%{NUMBER}: \*%{NUMBER}: %{GREEDYDATA:message}, client: %{IPORHOST:client_ip}, server: %{DATA:server}, request: "%{DATA:request}", host: "%{DATA:host}"'
The log file reads:
cofiguration file '/etc/crowdsec/parsers/s02-enrich/nginx-logs.yaml': yaml: unmarshal errors:\n line 6: field on_success not found in type parser.Node".
Hope this gives you a general idea. Thank you for the help.