Fossil SCM

Added section #fail2ban to the Debian nginx server guide.

wyoung 2020-11-16 02:30 trunk
Commit 46d5fd16ad33749afdc26a5c96dae31d2ec4d9ef8a1ca0b2c9656ea262045e3f
1 file changed +41 -1
--- www/server/debian/nginx.md
+++ www/server/debian/nginx.md
@@ -211,14 +211,54 @@
211211
rewrite ^/code(/.*) $1 break;
212212
proxy_pass http://127.0.0.1:12345;
213213
}
214214
215215
The most common thing people get wrong when hand-rolling a configuration
216
-like this is to get the slashes wrong. Fossil is senstitive to this. For
216
+like this is to get the slashes wrong. Fossil is sensitive to this. For
217217
instance, Fossil will not collapse double slashes down to a single
218218
slash, as some other HTTP servers will.
219219
220
+
221
+## <a name="fail2ban"></a> Integrating `fail2ban`
222
+
223
+You can have `fail2ban` recognize attacks and automatically block them,
224
+but the stock configuration doesn’t work with our Fossil setup above, so
225
+we have to do a bit of local adjustment.
226
+
227
+First, install it:
228
+
229
+ sudo apt install fail2ban
230
+
231
+Out of the box, you get SSH monitoring only. There are nginx monitors
232
+included with the package, but they don’t look in the right places for
233
+the right things. We’d like it to react to Fossil `/login` failures, for
234
+example. Put the following into
235
+`/etc/fail2ban/filter.d/nginx-fossil-login.conf`:
236
+
237
+ [Definition]
238
+ failregex = ^<HOST> - .*POST .*/login HTTP/..." 401
239
+
240
+That teaches `fail2ban` how to recognize the errors logged by Fossil
241
+[as of 2.14](/info/39d7eb0e22). (Earlier versions of Fossil returned
242
+HTTP status code 200 for this, so you couldn’t distinguish a successful
243
+login from a failure.)
244
+
245
+Then in `/etc/fail2ban/jail.local`, add this section:
246
+
247
+ [nginx-fossil-login]
248
+ enabled = true
249
+ logpath = /var/log/nginx/*-https-access.log
250
+
251
+The last line is the key: it tells `fail2ban` where we’ve put all of our
252
+per-repo access logs in the nginx config above.
253
+
254
+There’s a [lot more you can do][dof2b], but that gets us out of scope of
255
+this guide.
256
+
257
+
258
+[dof2b]: https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-14-04
259
+
220260
221261
## <a name="tls"></a> Adding TLS (HTTPS) Support
222262
223263
One of the [many ways](../../ssl.wiki) to provide TLS-encrypted HTTP access
224264
(a.k.a. HTTPS) to Fossil is to run it behind a web proxy that supports
225265