GitHub linguist .yml, fail2ban config fixes

2020-09-25 11:41:15 -04:00
parent 770be0ef4b
commit 3b4ad7c45c
4 changed files with 10 additions and 2 deletions
--- a/ansible/roles/common/files/fail2ban/jails/nginx.local
+++ b/ansible/roles/common/files/fail2ban/jails/nginx.local
@@ -1,9 +1,11 @@
 [nginx-limit-req]
 enabled = true
 port = http,https
+logpath = %(nginx_error_log)s
 findtime = 600
 bantime = 1w
 maxretry = 8
+ignoreip  = 127.0.0.1/32 192.168.1.0/24

 [nginx-http-auth]
 enabled = true
@@ -11,10 +13,12 @@ port = http,https
 logpath = %(nginx_error_log)s
 bantime = 2w
 maxretry = 5
+ignoreip  = 127.0.0.1/32 192.168.1.0/24

 [nginx-botsearch]
 enabled = true
 port = http,https
-logpath = %(nginx_error_log)s
+logpath = %(nginx_access_log)s
 bantime = 1w
 maxretry = 5
+ignoreip  = 127.0.0.1/32 192.168.1.0/24
--- a/ansible/roles/common/files/fail2ban/jails/sshd.local
+++ b/ansible/roles/common/files/fail2ban/jails/sshd.local
@@ -6,5 +6,5 @@ backend   = systemd
 maxretry  = 5
 findtime  = 1d
 bantime   = 2w
-ignoreip  = 127.0.0.1/8 192.168.1.0/24
+ignoreip  = 127.0.0.1/32 192.168.1.0/24
 logpath   = %(sshd_log)s
--- a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
@@ -8,6 +8,9 @@ server {
  server_name {{ ci_server_name }};

  add_header              Strict-Transport-Security max-age=6307200;
+  add_header              Allow "GET, POST, HEAD" always;
+
+  limit_except GET POST { deny all; }

  ssl_certificate         /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
  ssl_certificate_key     /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem;