diff --git a/nixos/hosts/framework-server/fail2ban/traefik.nix b/nixos/hosts/framework-server/fail2ban/traefik.nix
index 4b4d610d..e29bef86 100644
--- a/nixos/hosts/framework-server/fail2ban/traefik.nix
+++ b/nixos/hosts/framework-server/fail2ban/traefik.nix
@@ -8,7 +8,7 @@
traefik-general-forceful-browsing = {
settings = {
enabled = true;
- filter = "traefik-general-forceful-browsingo";
+ filter = "traefik-general-forceful-browsing";
action = ''action-ban-docker-forceful-browsing'';
logpath = "/var/log/traefik/access.log";
backend = "auto";
@@ -35,5 +35,15 @@
# ignore common errors like missing media files or JS/CSS/TXT/ICO stuff
ignoreregex = ^{"ClientAddr":".*","ClientHost":"","ClientPort":".*","ClientUsername":".*","DownstreamContentSize":.*,"DownstreamStatus":.*,"Duration":.*,"OriginContentSize":.*,"OriginDuration":.*,"OriginStatus":(405|404|403|402|401),"Overhead":.*,"RequestAddr":".*","RequestContentSize":.*,"RequestCount":.*,"RequestHost":".*","RequestMethod":".*","RequestPath":".*(\.png|\.txt|\.jpg|\.ico|\.js|\.css|\.ttf|\.woff|\.woff2)(/)*?","RequestPort":".*","RequestProtocol":".*","RequestScheme":".*","RetryAttempts":.*,.*"StartLocal":".*","StartUTC":".*","TLSCipher":".*","TLSVersion":".*","entryPointName":".*","level":".*","msg":".*",("request_User-Agent":".*",){0,1}?"time":".*"}$
'');
+
+ "fail2ban/action.d/action-ban-docker-forceful-browsing.conf".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+ [Definition]
+
+ actionban = iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: ' -j DROP
+ iptables -A INPUT -s -j DROP
+
+ actionunban = iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: ' -j DROP
+ iptables -D INPUT -s -j DROP
+ '');
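Review bot: The new action file never substitutes the banned address: the `actionban` line at L22 matches the bare string `'X-Forwarded-For: '`, so the first ban would DROP every forwarded request carrying that header, and the `-s -j DROP` on L23 (and L26) has no argument for `-s`, which iptables rejects, so the ban step would fail after the first rule is already inserted. Both need fail2ban's `<ip>` tag, i.e. `--string 'X-Forwarded-For: <ip>'` and `-s <ip>`, in actionban and actionunban alike. The continuation lines (L23, L26) must also be indented under their key for fail2ban's config parser to treat them as part of the same value; the rendering here does not show whether they are. The enclosing attribute set and the `filter.d` entry above it begin before this hunk.
```nix
[Definition]

actionban = iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
            iptables -A INPUT -s <ip> -j DROP

actionunban = iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
              iptables -D INPUT -s <ip> -j DROP
```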
};
}