
How to implement Fail2Ban in a Docker container running Nginx

Stack Overflow user
Asked 2021-08-01 10:54:42
1 answer, 4.1K views, 0 followers, 3 votes

I am trying to implement fail2ban in a dockerised environment using my Nginx logs. <-- I may just target the entire traefik logs in the future.

version: '3'
services:
  fail2ban:
    image: 'crazymax/fail2ban:latest'
    restart: 'always'
    network_mode: 'host'
    cap_add:
      - 'NET_ADMIN'
      - 'NET_RAW'
    volumes:
      - 'nginx-log:/var/log:ro'
      - 'fail2ban-data:/data'
    env_file:
      - './fail2ban.env'
  laravel-mysql:
    [SNIP]
  laravel-php:
    [SNIP]
  laravel-nginx:
    image: 'nginx:alpine'
    restart: 'always'
    depends_on:
      - 'laravel-php'
    expose:
      - '80'
    volumes:
      - 'laravel-src:/var/www/html'
      - './nginx.conf:/etc/nginx/conf.d/default.conf'
      - 'nginx-log:/var/log/nginx'
    networks:
      - 'traefik'
      - 'laravel'
    labels:
      - 'traefik.enable=true'
      - 'traefik.docker.network=traefik'
      - 'traefik.http.routers.nginx.entrypoints=http'
      - 'traefik.http.routers.nginx.rule=Host(`${DOMAIN}`) || Host(`www.${DOMAIN}`)'
      - 'traefik.http.routers.nginx.middlewares=redirect@file'
      - 'traefik.http.routers.nginx-https.rule=Host(`${DOMAIN}`) || Host(`www.${DOMAIN}`)'
      - 'traefik.http.routers.nginx-https.tls=true'
      - 'traefik.http.routers.nginx-https.tls.certresolver=${DNS_PROVIDER}'
      - 'traefik.http.routers.nginx-https.tls.domains[0].main=${DOMAIN}'
      - 'traefik.http.routers.nginx-https.tls.domains[1].main=www.${DOMAIN}'
      - 'traefik.http.routers.nginx.service=nginx'
      - 'traefik.http.services.nginx.loadbalancer.server.port=80'
      - 'traefik.http.services.nginx.loadBalancer.passHostHeader=true'
      - 'traefik.http.middlewares.https_redirect.redirectscheme.scheme=https'
      - 'traefik.http.middlewares.https-redirect.redirectscheme.scheme=https'
      - 'traefik.http.middlewares.https-redirect.headers.customrequestheaders.X-Forwarded-Proto=https'
      - 'traefik.http.routers.nginx.middlewares=https-redirect'
      - 'traefik.http.middlewares.https_redirect.redirectscheme.permanent=true'
      - 'traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)'
      - 'traefik.http.routers.http_catchall.entrypoints=http'
      - 'traefik.http.routers.http_catchall.middlewares=https_redirect'
networks:
  laravel:
    driver: 'bridge'
  traefik:
    name: '${TRAEFIK_NETWORK}'
    external: 'true'
volumes:
  laravel-database:
    driver: 'local'
  laravel-src:
    driver: 'local'
  nginx-log:
    driver: 'local'
  fail2ban-data:
    driver: 'local'

Running docker logs laravel_fail2ban_1 --tail 100 after docker-compose up -d shows me:

Setting timezone to Europe/London...
Setting SSMTP configuration...
WARNING: SSMTP_HOST must be defined if you want fail2ban to send emails
Initializing files and folders...
Setting Fail2ban configuration...
Checking for custom actions in /data/action.d...
Checking for custom filters in /data/filter.d...
2021-08-01 11:40:13,199 fail2ban.configreader   [1]: INFO    Loading configs for fail2ban under /etc/fail2ban
2021-08-01 11:40:13,202 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/fail2ban.conf']
2021-08-01 11:40:13,203 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/fail2ban.conf']
2021-08-01 11:40:13,204 fail2ban                [1]: INFO    Using socket file /var/run/fail2ban/fail2ban.sock
2021-08-01 11:40:13,204 fail2ban                [1]: INFO    Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to STDOUT
2021-08-01 11:40:13,218 fail2ban.configreader   [1]: INFO    Loading configs for jail under /etc/fail2ban
2021-08-01 11:40:13,219 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/jail.conf']
2021-08-01 11:40:13,255 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/paths-debian.conf']
2021-08-01 11:40:13,257 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/paths-common.conf']
2021-08-01 11:40:13,260 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/paths-overrides.local']
2021-08-01 11:40:13,263 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-debian.conf', '/etc/fail2ban/jail.conf']
2021-08-01 11:40:13,369 fail2ban.server         [1]: INFO    --------------------------------------------------
2021-08-01 11:40:13,372 fail2ban.server         [1]: INFO    Starting Fail2ban v0.11.2
2021-08-01 11:40:13,373 fail2ban.observer       [1]: INFO    Observer start...
2021-08-01 11:40:13,382 fail2ban.database       [1]: INFO    Connected to fail2ban persistent database '/data/db/fail2ban.sqlite3'
2021-08-01 11:40:13,385 fail2ban.database       [1]: WARNING New database created. Version '4'
Server ready

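If I now try to stress my application, no logs are populated in fail2ban, but if I --follow my nginx container logs, I can see the requests being fired.

If I docker exec -it -u root laravel_fail2ban_1 /bin/bash -c 'ls -la /var/log', I can see my logs in the right place: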

total 8
drwxr-xr-x    2 root     root          4096 Aug  1 11:35 .
drwxr-xr-x    1 root     root          4096 Dec 16  2020 ..
lrwxrwxrwx    1 root     root            11 Jul  6 20:40 access.log -> /dev/stdout
lrwxrwxrwx    1 root     root            11 Jul  6 20:40 error.log -> /dev/stderr

I figured the issue might be when I try to cat /var/log/access.log. It is symlinked to /dev/stdout, which means the terminal tries to attach to it. I cannot unlink it at runtime:

docker exec -it -u root laravel_fail2ban_1 /bin/bash -c 'unlink /var/log/access.log'
unlink: can't remove file '/var/log/access.log': Read-only file system

Any help would be appreciated. I need to keep the symlink on the volume so that I can use docker logs on my nginx container.


1 Answer

Stack Overflow user

Accepted answer

Posted 2021-08-01 12:41:19

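If /var/log/access.log is a symlink to stdout, then it can't be used from another container: /dev/stdout points to the stdout of the current process, so when fail2ban tries to read from it, it gets its own stdout rather than the stdout of the nginx process.

If you want fail2ban to be able to read logs from nginx, you need to write them to an actual file. If you also want them to appear on the container's stdout, you can run something like tail -f in the background of the nginx container.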

2 votes
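
One way to apply the answer's advice, as an added example that is not part of the original answer: an entrypoint wrapper for the nginx container that replaces the image's access.log/error.log symlinks on the shared nginx-log volume with regular files, then mirrors them to the container's stdout/stderr with tail so docker logs keeps working. The serve argument, the LOG_DIR variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: entrypoint wrapper for the nginx container.
# LOG_DIR (assumed name) is the directory on the volume shared with fail2ban.
LOG_DIR="${LOG_DIR:-/var/log/nginx}"

# Return 0 if the path is a symlink pointing at a stdout/stderr device,
# as access.log and error.log are in the listing from the question.
is_std_symlink() {
    [ -L "$1" ] || return 1
    case "$(readlink "$1")" in
        /dev/stdout|/dev/stderr|/proc/self/fd/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Replace such a symlink with a regular file; keep an existing real file as is,
# so log lines already written survive a container restart.
materialize_log() {
    if is_std_symlink "$1"; then
        rm -f "$1"
    fi
    [ -e "$1" ] || : > "$1"
}

# Prepare both nginx log files inside the given directory.
prepare_logs() {
    for name in access.log error.log; do
        materialize_log "$1/$name"
    done
}

# Start nginx only when invoked as the entrypoint with the "serve" argument.
if [ "${1:-}" = "serve" ]; then
    prepare_logs "$LOG_DIR"
    # Mirror the real files to this container's stdout/stderr for `docker logs`.
    tail -n 0 -F "$LOG_DIR/access.log" &
    tail -n 0 -F "$LOG_DIR/error.log" >&2 &
    exec nginx -g 'daemon off;'
fi
```

With regular files on the volume, the fail2ban container's read-only mount at /var/log sees the same access.log that nginx writes, instead of a link that resolves to fail2ban's own stdout.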
Original page content provided by Stack Overflow. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/68609694
