feat: Fail2ban, auto configure reverse proxies

ansible/roles/fail2ban/templates/jail.local.j2

@@ -0,0 +1,51 @@
+# Fail2ban jails for Traefik
+# Each jail monitors different attack patterns
+
+[DEFAULT]
+bantime = 3600
+findtime = 600
+maxretry = 5
+
+# Authentication failures - strict rules
+[traefik-auth]
+enabled = true
+port = http,https
+filter = traefik-auth
+logpath = /var/log/traefik/access.log
+maxretry = 3
+findtime = 300
+bantime = 7200
+action = iptables-allports[name=traefik-auth]
+
+# 404 scanning/probing - moderate rules
+[traefik-404]
+enabled = true
+port = http,https
+filter = traefik-404
+logpath = /var/log/traefik/access.log
+maxretry = 20
+findtime = 300
+bantime = 3600
+action = iptables-allports[name=traefik-404]
+
+# Rate limiting violations - strict rules
+[traefik-ratelimit]
+enabled = true
+port = http,https
+filter = traefik-ratelimit
+logpath = /var/log/traefik/access.log
+maxretry = 5
+findtime = 60
+bantime = 1800
+action = iptables-allports[name=traefik-ratelimit]
+
+# Bad requests - lenient rules
+[traefik-badreq]
+enabled = true
+port = http,https
+filter = traefik-badreq
+logpath = /var/log/traefik/access.log
+maxretry = 10
+findtime = 300
+bantime = 1800
+action = iptables-allports[name=traefik-badreq]

ansible/roles/fail2ban/templates/traefik-404.conf.j2

@@ -0,0 +1,9 @@
+# Fail2ban filter for Traefik 404 scanning/probing
+# Blocks IPs that generate excessive 404 errors (scanning for vulnerabilities)
+
+[Definition]
+failregex = ^.*"ClientAddr":"<HOST>:\d+".*"RequestMethod":"(GET|POST|PUT|DELETE|PATCH)".*"DownstreamStatus":404.*$
+ignoreregex =
+
+# Example log line (JSON):
+# {"ClientAddr":"192.168.1.100:54321","DownstreamStatus":404,"RequestMethod":"GET",...}

ansible/roles/fail2ban/templates/traefik-auth.conf.j2

@@ -0,0 +1,9 @@
+# Fail2ban filter for Traefik authentication failures
+# Blocks IPs that repeatedly fail authentication (401 Unauthorized)
+
+[Definition]
+failregex = ^.*"ClientAddr":"<HOST>:\d+".*"RequestMethod":"(GET|POST|PUT|DELETE|PATCH)".*"DownstreamStatus":401.*$
+ignoreregex =
+
+# Example log line (JSON):
+# {"ClientAddr":"192.168.1.100:54321","DownstreamStatus":401,"RequestMethod":"GET",...}

ansible/roles/fail2ban/templates/traefik-badreq.conf.j2

@@ -0,0 +1,9 @@
+# Fail2ban filter for Traefik bad requests
+# Blocks IPs that generate excessive 4xx errors (bad requests, forbidden, etc.)
+
+[Definition]
+failregex = ^.*"ClientAddr":"<HOST>:\d+".*"RequestMethod":"(GET|POST|PUT|DELETE|PATCH)".*"DownstreamStatus":4\d{2}.*$
+ignoreregex = ^.*"DownstreamStatus":(401|404|429).*$
+
+# Catches all 4xx errors except 401, 404, 429 (handled by specific filters)
+# Example: 400 Bad Request, 403 Forbidden, etc.

ansible/roles/fail2ban/templates/traefik-ratelimit.conf.j2

@@ -0,0 +1,9 @@
+# Fail2ban filter for Traefik rate limiting
+# Blocks IPs that trigger rate limit responses (429 Too Many Requests)
+
+[Definition]
+failregex = ^.*"ClientAddr":"<HOST>:\d+".*"RequestMethod":"(GET|POST|PUT|DELETE|PATCH)".*"DownstreamStatus":429.*$
+ignoreregex =
+
+# Example log line (JSON):
+# {"ClientAddr":"192.168.1.100:54321","DownstreamStatus":429,"RequestMethod":"POST",...}