Merge changes from kiekerjan special

conf/fail2ban/filter.d/nginx-geoipblock.conf

@@ -0,0 +1,12 @@
+# Fail2Ban filter Mail-in-a-Box geo ip block
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = mailinabox
+
+failregex = .* - Geoip blocked <HOST>
+ignoreregex =

conf/fail2ban/filter.d/ssh-geoipblock.conf

@@ -0,0 +1,10 @@
+# Fail2Ban filter sshd ip block according to https://www.axllent.org/docs/ssh-geoip/
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+failregex = .* DENY geoipblocked connection from <HOST>
+ignoreregex =

conf/fail2ban/jail.d/nginx-general.conf

@@ -0,0 +1,9 @@
+[nginx-badbots]
+enabled  = true
+port     = http,https
+filter   = nginx-badbots
+logpath  = /var/log/nginx/access.log
+maxretry = 2
+
+[nginx-http-auth]
+enabled = true

conf/geoiplookup.conf

@@ -0,0 +1,3 @@
+# UPPERCASE space-separated country codes to ACCEPT
+# See e.g. https://dev.maxmind.com/geoip/legacy/codes/iso3166/ for allowable codes
+ALLOW_COUNTRIES=""

conf/nginx-primaryonly.conf

@@ -9,6 +9,30 @@
 	rewrite ^/admin$ /admin/;
 	rewrite ^/admin/munin$ /admin/munin/ redirect;
 	location /admin/ {
+		# By default not blocked
+                set $block_test 1;
+
+                # block the continents
+                if ($allowed_continent = no) {
+                        set $block_test 0;
+                }
+
+                # in addition, block the countries
+                if ($denied_country = no) {
+                        set $block_test 0;
+                }
+
+                # allow some countries
+                if ($allowed_country = yes) {
+                        set $block_test 1;
+                }
+
+                # if 0, then blocked
+                if ($block_test = 0) {
+                        access_log /var/log/nginx/geoipblock.log geoipblock;
+                        return 444;
+                }
+
 		proxy_pass http://127.0.0.1:10222/;
 		proxy_set_header X-Forwarded-For $remote_addr;
 		add_header X-Frame-Options "DENY";

conf/nginx/conf.d/10-geoblock.conf

@@ -0,0 +1,22 @@
+# GeoIP databases
+geoip_country /usr/share/GeoIP/GeoIP.dat;
+geoip_city /usr/share/GeoIP/GeoIPCity.dat;
+
+# map the list of denied countries
+# see e.g. https://dev.maxmind.com/geoip/legacy/codes/iso3166/ for allowable
+# countries
+map $geoip_country_code $denied_country {
+   default yes;
+   }
+
+# map the list of allowed countries
+map $geoip_country_code $allowed_country {
+   default no;
+   }
+
+# map the continents to allow
+map $geoip_city_continent_code $allowed_continent {
+   default yes;
+   }
+
+log_format geoipblock '[$time_local] - Geoip blocked $remote_addr';