Merge remote-tracking branch 'upstream/master' into credential-cache-simple

3 years ago · feff121a9b
parent f52984e4c3 4dbefe8e3a
commit feff121a9b
3 changed files with 25 additions and 8 deletions
--- a/docs/faq.rst
+++ b/docs/faq.rst
@ -528,25 +528,42 @@ The above will block flagged IPs for a week, you can of course change it to you
  
  actionstart = iptables -N f2b-bad-auth
                iptables -A f2b-bad-auth -j RETURN
-                iptables -I FORWARD -p tcp -m multiport --dports 1:1024 -j f2b-bad-auth
+                iptables -I DOCKER-USER -p tcp -m multiport --dports 1:1024 -j f2b-bad-auth
  
-  actionstop = iptables -D FORWARD -p tcp -m multiport --dports 1:1024 -j f2b-bad-auth
+  actionstop = iptables -D DOCKER-USER -p tcp -m multiport --dports 1:1024 -j f2b-bad-auth
               iptables -F f2b-bad-auth
               iptables -X f2b-bad-auth
  
-  actioncheck = iptables -n -L FORWARD | grep -q 'f2b-bad-auth[ \t]'
+  actioncheck = iptables -n -L DOCKER-USER | grep -q 'f2b-bad-auth[ \t]'
  
  actionban = iptables -I f2b-bad-auth 1 -s <ip> -j DROP
  
  actionunban = iptables -D f2b-bad-auth -s <ip> -j DROP

-5. Restart Fail2Ban
+Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/
+
+5. Configure and restart the Fail2Ban service
+
+Make sure Fail2Ban is started after the Docker service by adding a partial override which appends this to the existing configuration.
+
+.. code-block:: bash
+
+  sudo systemctl edit fail2ban
+
+Add the override and save the file.
+
+.. code-block:: bash
+
+  [Unit]
+  After=docker.service
+
+Restart the Fail2Ban service.

 .. code-block:: bash

  sudo systemctl restart fail2ban

-*Issue reference:* `85`_, `116`_, `171`_, `584`_, `592`_.
+*Issue reference:* `85`_, `116`_, `171`_, `584`_, `592`_, `1727`_.

 Users can't change their password from webmail
 ``````````````````````````````````````````````
@ -670,7 +687,7 @@ iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -j SNAT --to <your mx i
 .. _`1090`: https://github.com/Mailu/Mailu/issues/1090
 .. _`unbound`: https://nlnetlabs.nl/projects/unbound/about/
 .. _`1438`: https://github.com/Mailu/Mailu/issues/1438
-
+.. _`1727`: https://github.com/Mailu/Mailu/issues/1727

 A user gets ``Sender address rejected: Access denied. Please check the`` ``message recipient […] and try again`` even though the sender is legitimate?
 ``````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````
--- a/optional/unbound/unbound.conf
+++ b/optional/unbound/unbound.conf
@ -2,7 +2,7 @@ server:
  verbosity: 1
  interface: 0.0.0.0
  interface: ::0
-  logfile: /dev/stdout
+  logfile: ""
  do-ip4: yes
  do-ip6: yes
  do-udp: yes
--- a/setup/flavors/compose/docker-compose.yml
+++ b/setup/flavors/compose/docker-compose.yml
@ -26,7 +26,7 @@ services:
    {% if bind4 %}
      - "{{ bind4 }}:{{ port }}:{{ port }}"
    {% endif %}
-    {% if bind6 %}
+    {% if ipv6_enabled and bind6 %}
      - "{{ bind6 }}:{{ port }}:{{ port }}"
    {% endif %}
    {% endfor %}