From 4fc6323ff038439e8b7d70ecf7d09488e0ac79a9 Mon Sep 17 00:00:00 2001 From: Georges Racinet Date: Fri, 7 Apr 2017 13:59:22 +0200 Subject: [PATCH] haproxy-http-auth: avoid port number in IPv6 addresses The solution taken is to consume the port number explicitly in the regexp. --- ChangeLog | 1 + config/filter.d/haproxy-http-auth.conf | 2 +- fail2ban/tests/files/logs/haproxy-http-auth | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index d644f330..07a144f4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,7 @@ TODO: implementing of options resp. other tasks from PR #1346 * filter.d/sendmail-reject.conf: - rewritten using `prefregex` and used MLFID-related multi-line parsing; - optional parameter `mode` introduced: normal (default), extra or aggressive +* filter.d/haproxy-http-auth: do not mistake client port for part of an IPv6 address (gh-1745) * `action.d/complain.conf` - fixed using new tag `` (sh/dash compliant now) * `action.d/sendmail-geoip-lines.conf` diff --git a/config/filter.d/haproxy-http-auth.conf b/config/filter.d/haproxy-http-auth.conf index 298ca292..d85f5e9e 100644 --- a/config/filter.d/haproxy-http-auth.conf +++ b/config/filter.d/haproxy-http-auth.conf @@ -28,7 +28,7 @@ _daemon = haproxy # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # -failregex = ^%(__prefix_line)s.* -1/-1/-1/-1/\+*\d* 401 +failregex = ^%(__prefix_line)s:\d+.* -1/-1/-1/-1/\+*\d* 401 # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff --git a/fail2ban/tests/files/logs/haproxy-http-auth b/fail2ban/tests/files/logs/haproxy-http-auth index 298f1972..5a5141fc 100644 --- a/fail2ban/tests/files/logs/haproxy-http-auth +++ b/fail2ban/tests/files/logs/haproxy-http-auth 
@@ -2,3 +2,5 @@ Nov 14 22:45:27 test haproxy[760]: 192.168.33.1:58444 [14/Nov/2015:22:45:25.439] main app/app1 1939/0/1/0/1940 403 5168 - - ---- 3/3/0/0/0 0/0 "GET / HTTP/1.1" # failJSON: { "time": "2004-11-14T22:45:11", "match": true , "host": "192.168.33.1" } Nov 14 22:45:11 test haproxy[760]: 192.168.33.1:58430 [14/Nov/2015:22:45:11.608] main main/ -1/-1/-1/-1/0 401 248 - - PR-- 0/0/0/0/0 0/0 "GET / HTTP/1.1" +# failJSON: { "time": "2004-11-14T22:45:11", "match": true , "host": "2001:db8::1234" } +Nov 14 22:45:11 test haproxy[760]: 2001:db8::1234:58430 [14/Nov/2015:22:45:11.608] main main/ -1/-1/-1/-1/0 401 248 - - PR-- 0/0/0/0/0 0/0 "GET / HTTP/1.1"
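Review bot: The added ChangeLog entry names the filter as `filter.d/haproxy-http-auth`, without the `.conf` suffix that the neighbouring entries carry (`filter.d/sendmail-reject.conf`, `action.d/complain.conf`). Use `filter.d/haproxy-http-auth.conf` so the entry matches the file actually changed in this patch and can be found by searching for the file name.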
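Review bot: In the config/filter.d/haproxy-http-auth.conf hunk, the new failregex places `:\d+` directly before `.*`, so nothing ties the port to the end of the client token, and where the address stops and the port starts is left to how the host part backtracks. In both sample log lines the port is followed by a space and the bracketed timestamp, so `:\d+\s` (or `:\d+ \[`) would pin the port to the last colon-separated group. The port is also now required, where the removed line did not match it at all; the comment block above failregex should state that the client port is consumed here and is not part of the reported host.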
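Review bot: The fail2ban/tests/files/logs/haproxy-http-auth hunk adds a single IPv6 case, `2001:db8::1234:58430`, which does not exercise the inputs where the address/port split is most likely to go wrong. Add at least one line whose address ends in a short all-digit group before the port (a constructed example would be `2001:db8::1:2:58430`, expected host `2001:db8::1:2`) and one using the IPv4-mapped form that the filter comment `(?:::f{4,6}:)?` provides for, each with its expected "host" in failJSON, so a regression in the split is caught by the test file and not in production bans.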