Merge pull request #4047 from billfor/nginx

Update nginx-limit-req filter (extended to ban hosts failed by limit connection in ngx_http_limit_conn_module);
closes gh-3674

ChangeLog

@@ -85,6 +85,7 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
 * `action.d/firewallcmd-rich-*.conf` - fixed incorrect quoting, disabling port variable expansion
   by substitution of rich rule (gh-3815)
 * `filter.d/dovecot.conf` - add support for latest Dovecot 2.4 release (gh-4016)
+* `filter.d/nginx-limit-req.conf` - extended to ban hosts failed by limit connection in ngx_http_limit_conn_module (gh-3674, gh-4047)
 * `filter.d/proxmox.conf` - add support to Proxmox Web GUI (gh-2966)
 * `filter.d/openvpn.conf` - new filter and jail for openvpn recognizing failed TLS handshakes (gh-2702)
 * `filter.d/sendmail-reject.conf` - also recognize "Domain of sender address ... does not resolve" (gh-4035)

config/filter.d/nginx-limit-req.conf

@@ -36,6 +36,7 @@ before = nginx-error-common.conf
 #   ngx_limit_req_zones = lr_zone|lr_zone2
 #
 ngx_limit_req_zones = [^"]+
+ngx_limit_con_zones = [^"]+
 
 # Depending on limit_req_log_level directive (may be: info | notice | warn | error):
 __err_type = [a-z]+
@@ -46,7 +47,7 @@ __err_type = [a-z]+
 # failregex = ^%(__prefix_line)slimiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$
 
 # Shortly, much faster and stable version of regexp:
-failregex = ^%(__prefix_line)slimiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: <HOST>,
+failregex = ^%(__prefix_line)s(?:limiting|delaying) (?:request|connection)s?(?:, excess: [\d\.]+,?)? by zone "(?:%(ngx_limit_req_zones)s)", client: <ADDR>,
 
 ignoreregex = 
 

fail2ban/tests/files/logs/nginx-limit-req

@@ -11,6 +11,18 @@
 # failJSON: { "time": "2016-09-30T08:36:06", "match": true, "host": "2001:db8::80da:af6b:8b2c" }
 2016/09/30 08:36:06 [error] 22923#0: *4758725916 limiting requests, excess: 15.243 by zone "one", client: 2001:db8::80da:af6b:8b2c, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
 
+# failJSON: { "time": "2025-08-01T04:24:17", "match": true , "host": "206.189.215.97" }
+2025/08/01 04:24:17 [warn] 4772#4772: *68 delaying request, excess: 0.841, by zone "req_limit", client: 206.189.215.97, server: myserver.net, request: "GET /ab2h HTTP/1.1", host: "22.18.134.49"
+
+# failJSON: { "time": "2025-08-01T14:32:27", "match": true , "host": "104.248.81.143" }
+2025/08/01 14:32:27 [warn] 31733#31733: *21 delaying request, excess: 0.850, by zone "req_limit", client: 104.248.81.143, server: myserver.net, request: "GET /favicon.ico HTTP/1.1", host: "myserver.net", referrer: "https://myserver.net/"
+
+# failJSON: { "time": "2025-08-03T03:17:28", "match": true , "host": "128.199.22.141" }
+2025/08/03 03:17:28 [error] 25808#25808: *598 limiting connections by zone "conn_limit", client: 128.199.22.141, server: myserver.net, request: "GET /favicon.ico HTTP/1.1", host: "84.108.142.49", referrer: "https://xxx.com/"
+
+# failJSON: { "time": "2025-08-03T13:56:22", "match": true , "host": "162.240.161.123" }
+2025/08/03 13:56:22 [error] 943#943: *60 limiting connections by zone "conn_limit", client: 162.240.161.123, server: myserver.net, request: "GET /.env HTTP/1.1", host: "app.myserver.net"
+
 # filterOptions: [{"logtype": "journal"}]
 
 # failJSON: { "match": true , "host": "192.0.2.2" }