How to deal with new “unauthorized” fail2ban jail in SWAG
# dav.* vhost: reverse proxy in front of Baikal (CalDAV/CardDAV), which lives
# under /baikal/html on the upstream.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name dav.*;
    # Tight CSP: the DAV endpoint is not expected to load anything third-party.
    # NOTE(review): an add_header set at server level is dropped for any
    # location that sets add_header itself; confirm the included proxy.conf
    # (not visible here) adds no headers, otherwise this CSP never reaches the
    # proxied responses.
    add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self';font-src 'self';frame-ancestors 'none';";
    include /config/nginx/ssl.conf;
    # No request-body cap (DAV clients upload arbitrarily sized objects).
    client_max_body_size 0;
    # enable for Authelia
    #include /config/nginx/authelia-server.conf;
    #GeoBlock
    # Order matters: LAN clients are forced onto the whitelist first, then any
    # client still marked "no" gets a 404 (a 404 rather than 403 — presumably
    # so the vhost is not confirmed to exist to blocked clients).
    if ($lan-ip = yes) { set $geo-whitelist yes; }
    if ($geo-whitelist = no) { return 404; }
    # Only the Baikal web root is proxied; no other location is defined on
    # this vhost.
    location /baikal/html {
        # enable for Authelia
        #include /config/nginx/authelia-location.conf;
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        # Plain HTTP to the upstream on the LAN. No nginx-side authentication
        # is active in this block (Authelia is commented out), so the 401s
        # recorded for dav.php in the log are produced by Baikal itself and
        # only fail2ban's nginx-unauthorized jail would ever see them.
        proxy_pass http://192.168.0.11:81;
    }
}
## Version 2022/01/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/jail.local
# This is the custom version of the jail.conf for fail2ban
# Feel free to modify this and add additional filters
# Then you can drop the new filter conf files into the fail2ban-filters
# folder and restart the container
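[DEFAULT]
# Prevents banning LAN subnets.
# One address or CIDR per line; continuation lines must be indented for
# fail2ban's INI parser to treat them as part of the same value.
#   10.8.0.0/24    - presumably the VPN subnet (confirm)
#   192.168.0.0/24 - LAN of the proxied upstreams (192.168.0.x in the vhosts)
#   172.16.0.0/12  - the RFC 1918 range Docker bridge networks use.
#                    Do NOT widen this to 172.0.0.0/9: that is not a private
#                    range and would also exempt public address space
#                    (172.0.0.0-172.15.255.255 and 172.32.0.0-172.127.255.255)
#                    from ever being banned.
#   192.168.1.1    - address LAN clients show up as in the access log
#                    (presumably hairpin NAT on the router). Note that this
#                    exempts every LAN-originated failure from banning.
ignoreip = 10.8.0.0/24
           192.168.0.0/24
           172.16.0.0/12
           192.168.1.1
# Changes the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports".
banaction = iptables-allports
# "bantime" is the number of seconds that a host is banned (12 h).
bantime = 43200
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3

[ssh]
enabled = false

# nginx auth_basic / auth_request failures (written to error.log).
# None of the vhosts in this gist enables nginx-side auth, so this jail is
# inert for them unless those lines are uncommented.
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /config/log/nginx/error.log

[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
logpath = /config/log/nginx/access.log
# Stricter than DEFAULT: two bad-bot hits are enough.
maxretry = 2

[nginx-botsearch]
enabled = true
port = http,https
filter = nginx-botsearch
logpath = /config/log/nginx/access.log

[nginx-deny]
enabled = true
port = http,https
filter = nginx-deny
logpath = /config/log/nginx/error.log

# Bans clients that accumulate HTTP 401 responses (SWAG writes those to
# unauthorized.log, see logpath). Left disabled on purpose: with the DEFAULT
# thresholds (maxretry = 3 within findtime = 600) a single legitimate DAVx5
# sync, which produced three 401s in one second in the log captured in this
# gist, trips the jail immediately — and from an address outside ignoreip
# (the 176.149.x.x lines) that means the user's own phone gets banned.
# Because no vhost here enables nginx-side auth, this is also the only jail
# that would see application-side login failures for Baikal and Transmission;
# if it is enabled, give it a per-jail maxretry well above the number of 401s
# one client sync produces (e.g. the commented values below) rather than
# relying on the DEFAULT.
[nginx-unauthorized]
enabled = false
port = http,https
filter = nginx-unauthorized
logpath = /config/log/nginx/unauthorized.log
#maxretry = 10
#findtime = 60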
## Version 2021/05/18
# Make sure that DNS has a cname set for transmission
#
# Some Transmission Chrome extensions cannot handle HTTP/2 proxies as they
# rely on the HTTP Status Text to determine if they should add the
# X-Transmission-Session-Id header or not. HTTP/2 does not return this text
# so jQuery responses are empty. This causes RPCs to fail.
#
# If your extension is affected, you can remove http2 from the default server
# in /config/nginx/site-confs/default or listen on a different port that has
# no http2 servers defined. Better yet, submit a bug report with the
# extension developer to fix their extensions to support HTTP/2.
# transmission.* vhost: reverse proxy for the Transmission web UI and RPC.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name transmission.*;
    include /config/nginx/ssl.conf;
    # No request-body cap (torrent uploads).
    client_max_body_size 0;
    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;
    # enable for Authelia
    #include /config/nginx/authelia-server.conf;
    #GeoBlock
    # Order matters: LAN clients are forced onto the whitelist first, then any
    # client still marked "no" gets a 404.
    if ($lan-ip = yes) { set $geo-whitelist yes; }
    if ($geo-whitelist = no) { return 404; }
    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;
        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;
        # enable for Authelia
        #include /config/nginx/authelia-location.conf;
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        # Upstream is addressed through variables (SWAG template style);
        # plain HTTP on the LAN.
        set $upstream_app 192.168.0.11;
        set $upstream_port 9092;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        # Transmission's CSRF token header must reach the client so it can be
        # echoed back on RPC calls.
        proxy_pass_header X-Transmission-Session-Id;
    }
    # RPC endpoint. The regex is unanchored and the "/transmission" prefix is
    # optional, so any URI containing "/rpc" lands here, and a regex location
    # wins over the "/" prefix location above. This block carries none of the
    # auth stanzas, so even after enabling http/ldap/Authelia auth on "/" the
    # RPC path stays unauthenticated at the proxy and relies on Transmission's
    # own RPC authentication (the 401s for POST /transmission/rpc in the log
    # come from Transmission, as no nginx auth is active). Presumably this is
    # deliberate so API clients are not challenged twice — keep it in mind
    # before treating the nginx auth lines as the only gate.
    location ~ (/transmission)?/rpc {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.0.11;
        set $upstream_port 9092;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
192.168.1.1 - Pierre [08/Jul/2022:06:39:49 +0200] "PROPFIND /baikal/html/dav.php/addressbooks/Pierre/default/ HTTP/2.0" 401 430 "-" "DAVx5/4.2.2-ose (2022/06/21; dav4jvm; okhttp/4.9.3) Android/11"
192.168.1.1 - Pierre [08/Jul/2022:06:39:49 +0200] "PROPFIND /baikal/html/dav.php/calendars/Pierre/medical/ HTTP/2.0" 401 427 "-" "DAVx5/4.2.2-ose (2022/06/21; dav4jvm; okhttp/4.9.3) Android/11"
192.168.1.1 - Pierre [08/Jul/2022:06:39:49 +0200] "PROPFIND /baikal/html/dav.php/calendars/Pierre/anniversaires/ HTTP/2.0" 401 433 "-" "DAVx5/4.2.2-ose (2022/06/21; dav4jvm; okhttp/4.9.3) Android/11"
192.168.1.1 - Pierre [08/Jul/2022:06:39:50 +0200] "PROPFIND /baikal/html/dav.php/addressbooks/Pierre/default/ HTTP/2.0" 401 430 "-" "DAVx5/4.2.2-ose (2022/06/21; dav4jvm; okhttp/4.9.3) Android/11"
192.168.1.1 - - [08/Jul/2022:07:33:32 +0200] "POST /transmission/rpc HTTP/1.1" 401 43 "-" "Transdroid Torrent Connect"
192.168.1.1 - - [08/Jul/2022:07:33:32 +0200] "POST /transmission/rpc HTTP/1.1" 401 43 "-" "Transdroid Torrent Connect"
192.168.1.1 - - [08/Jul/2022:07:33:32 +0200] "POST /transmission/rpc HTTP/1.1" 401 43 "-" "Transdroid Torrent Connect"
93.174.X.X - - [08/Jul/2022:07:58:50 +0200] "OPTIONS /docs/00.sync/zotero/ HTTP/2.0" 401 381 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0"
176.149.X.X - Pierre [08/Jul/2022:08:04:05 +0200] "PROPFIND /baikal/html/dav.php/calendars/Pierre/medical/ HTTP/2.0" 401 427 "-" "DAVx5/4.2.2-ose (2022/06/21; dav4jvm; okhttp/4.9.3) Android/11"
176.149.X.X - Pierre [08/Jul/2022:08:04:05 +0200] "PROPFIND /baikal/html/dav.php/addressbooks/Pierre/default/ HTTP/2.0" 401 430 "-" "DAVx5/4.2.2-ose (2022/06/21; dav4jvm; okhttp/4.9.3) Android/11"
176.149.X.X - Pierre [08/Jul/2022:08:04:05 +0200] "PROPFIND /baikal/html/dav.php/calendars/Pierre/anniversaires/ HTTP/2.0" 401 433 "-" "DAVx5/4.2.2-ose (2022/06/21; dav4jvm; okhttp/4.9.3) Android/11"
192.168.1.1 - Pierre [08/Jul/2022:08:33:32 +0200] "PROPFIND /baikal/html/dav.php/calendars/Pierre/anniversaires/ HTTP/2.0" 401 433 "-" "DAVx5/4.2.2-ose (2022/06/21; dav4jvm; okhttp/4.9.3) Android/11"
192.168.1.1 - - [08/Jul/2022:08:34:47 +0200] "GET /transmission/web/ HTTP/2.0" 401 43 "-" "Mozilla/5.0 (Windows NT 10.0; rv:100.0) Gecko/20100101 Firefox/100.0"
192.168.1.1 - - [08/Jul/2022:08:34:49 +0200] "POST /transmission/rpc HTTP/2.0" 401 43 "https://transmission.domain.tld/transmission/web/" "Mozilla/5.0 (Windows NT 10.0; rv:100.0) Gecko/20100101 Firefox/100.0"
# webdav.* vhost: reverse proxy for a WebDAV server on a different host than
# the other two vhosts (192.168.0.4:5005).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name webdav.*;
    include /config/nginx/ssl.conf;
    # No request-body cap (WebDAV uploads).
    client_max_body_size 0;
    # enable for Authelia
    #include /config/nginx/authelia-server.conf;
    #GeoBlock
    # Order matters: LAN clients are forced onto the whitelist first, then any
    # client still marked "no" gets a 404.
    if ($lan-ip = yes) { set $geo-whitelist yes; }
    if ($geo-whitelist = no) { return 404; }
    # Whole vhost is proxied; no nginx-side auth is enabled here, so access
    # control is entirely the geo-block plus whatever the upstream enforces.
    location / {
        # enable for Authelia
        #include /config/nginx/authelia-location.conf;
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        # Plain HTTP to the upstream on the LAN (SWAG variable style).
        set $upstream_app 192.168.0.4;
        set $upstream_port 5005;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}