Merge branch 'main' into attachments

pull/82/head
Philipp Heckel 2022-01-07 12:33:34 +01:00
commit 70aefc2e48
5 changed files with 80 additions and 31 deletions


@ -345,6 +345,7 @@ to maintain the client connection and the connection to ntfy.
worker_connections 40500; worker_connections 40500;
} }
``` ```
=== "/etc/systemd/system/nginx.service.d/override.conf" === "/etc/systemd/system/nginx.service.d/override.conf"
``` ```
# Allow 40,000 proxy connections (2x of the desired ntfy connection count; # Allow 40,000 proxy connections (2x of the desired ntfy connection count;
@ -353,6 +354,50 @@ to maintain the client connection and the connection to ntfy.
LimitNOFILE=40500 LimitNOFILE=40500
``` ```
### Banning bad actors (fail2ban)
If you put stuff on the Internet, bad actors will try to break them or break in. [fail2ban](https://www.fail2ban.org/)
and nginx's [ngx_http_limit_req_module module](http://nginx.org/en/docs/http/ngx_http_limit_req_module.html) can be used
to ban client IPs if they misbehave. This is on top of the [rate limiting](#rate-limiting) inside the ntfy server.
Here's an example for how ntfy.sh is configured, following the instructions from two tutorials ([here](https://easyengine.io/tutorials/nginx/fail2ban/)
and [here](https://easyengine.io/tutorials/nginx/block-wp-login-php-bruteforce-attack/)):
=== "/etc/nginx/nginx.conf"
```
http {
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
}
```
=== "/etc/nginx/sites-enabled/ntfy.sh"
```
# For each server/location block
server {
location / {
limit_req zone=one burst=1000 nodelay;
}
}
```
=== "/etc/fail2ban/filter.d/nginx-req-limit.conf"
```
[Definition]
failregex = limiting requests, excess:.* by zone.*client: <HOST>
ignoreregex =
```
=== "/etc/fail2ban/jail.local"
```
[nginx-req-limit]
enabled = true
filter = nginx-req-limit
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/error.log
findtime = 600
bantime = 7200
maxretry = 10
```
## Config options ## Config options
Each config option can be set in the config file `/etc/ntfy/server.yml` (e.g. `listen-http: :80`) or as a Each config option can be set in the config file `/etc/ntfy/server.yml` (e.g. `listen-http: :80`) or as a
CLI option (e.g. `--listen-http :80`. Here's a list of all available options. Alternatively, you can set an environment CLI option (e.g. `--listen-http :80`. Here's a list of all available options. Alternatively, you can set an environment


@ -6,33 +6,34 @@ set -e
# #
# TODO: This is only tested on Debian. # TODO: This is only tested on Debian.
# #
if [ "$1" = "configure" ] && [ -d /run/systemd/system ]; then if [ "$1" = "configure" ] || [ "$1" -ge 1 ]; then
# Create ntfy user/group if [ -d /run/systemd/system ]; then
id ntfy >/dev/null 2>&1 || useradd --system --no-create-home ntfy # Create ntfy user/group
chown ntfy.ntfy /var/cache/ntfy id ntfy >/dev/null 2>&1 || useradd --system --no-create-home ntfy
chmod 700 /var/cache/ntfy chown ntfy.ntfy /var/cache/ntfy
chmod 700 /var/cache/ntfy
# Hack to change permissions on cache file # Hack to change permissions on cache file
configfile="/etc/ntfy/server.yml" configfile="/etc/ntfy/server.yml"
if [ -f "$configfile" ]; then if [ -f "$configfile" ]; then
cachefile="$(cat "$configfile" | perl -n -e'/^\s*cache-file: ["'"'"']?([^"'"'"']+)["'"'"']?/ && print $1')" # Oh my, see #47 cachefile="$(cat "$configfile" | perl -n -e'/^\s*cache-file: ["'"'"']?([^"'"'"']+)["'"'"']?/ && print $1')" # Oh my, see #47
if [ -n "$cachefile" ]; then if [ -n "$cachefile" ]; then
chown ntfy.ntfy "$cachefile" || true chown ntfy.ntfy "$cachefile" || true
chmod 600 "$cachefile" || true chmod 600 "$cachefile" || true
fi
fi fi
fi
# Restart services # Restart services
systemctl --system daemon-reload >/dev/null || true systemctl --system daemon-reload >/dev/null || true
if systemctl is-active -q ntfy.service; then if systemctl is-active -q ntfy.service; then
echo "Restarting ntfy.service ..." echo "Restarting ntfy.service ..."
if [ -x /usr/bin/deb-systemd-invoke ]; then if [ -x /usr/bin/deb-systemd-invoke ]; then
deb-systemd-invoke try-restart ntfy.service >/dev/null || true deb-systemd-invoke try-restart ntfy.service >/dev/null || true
else else
systemctl restart ntfy.service >/dev/null || true systemctl restart ntfy.service >/dev/null || true
fi
fi fi
fi if systemctl is-active -q ntfy-client.service; then
if systemctl is-active -q ntfy-client.service; then
echo "Restarting ntfy-client.service ..." echo "Restarting ntfy-client.service ..."
if [ -x /usr/bin/deb-systemd-invoke ]; then if [ -x /usr/bin/deb-systemd-invoke ]; then
deb-systemd-invoke try-restart ntfy-client.service >/dev/null || true deb-systemd-invoke try-restart ntfy-client.service >/dev/null || true
@ -40,4 +41,5 @@ if [ "$1" = "configure" ] && [ -d /run/systemd/system ]; then
systemctl restart ntfy-client.service >/dev/null || true systemctl restart ntfy-client.service >/dev/null || true
fi fi
fi fi
fi
fi fi
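Review bot: The numeric test `[ "$1" -ge 1 ]` added on the first line of the hunk is evaluated for every Debian action other than `configure`, and those are strings (`abort-upgrade`, `abort-remove`, `triggered`), so `test` prints an integer-expression error on stderr each time; the `if` still evaluates false and `set -e` ignores it inside a condition, so the behaviour is correct but the maintainer script is noisy on every abort path. Matching the argument explicitly avoids that, e.g. `case "$1" in configure|[0-9]*) ... ;; esac`, or keeping the current shape as `if [ "$1" = "configure" ] || [ "$1" -gt 0 ] 2>/dev/null; then`. The preinst hunk below adds the identical `[ "$1" -ge 1 ]` after its `install`/`upgrade` checks and has the same issue. A one-line comment on the condition would help the next reader, since the two packaging conventions are now mixed: `# deb passes an action name in $1; rpm passes the install count (1 = install, 2 = upgrade)`.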


@ -2,7 +2,7 @@
set -e set -e
# Delete the config if package is purged # Delete the config if package is purged
if [ "$1" = "purge" ]; then if [ "$1" = "purge" ] || [ "$1" = "0" ]; then
id ntfy >/dev/null 2>&1 && userdel ntfy id ntfy >/dev/null 2>&1 && userdel ntfy
rm -f /etc/ntfy/server.yml /etc/ntfy/client.yml rm -f /etc/ntfy/server.yml /etc/ntfy/client.yml
rmdir /etc/ntfy || true rmdir /etc/ntfy || true
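Review bot: Adding `[ "$1" = "0" ]` to the purge condition makes a plain `rpm -e`/`dnf remove` delete `/etc/ntfy/server.yml` and `/etc/ntfy/client.yml` and drop the `ntfy` user, because on rpm `0` only means the last instance is being erased, not a purge; Debian reaches this branch solely on an explicit `purge`. If losing the admin's configuration on ordinary removal is intended, say so next to the condition, e.g. `# rpm has no purge action: $1 = 0 is the final removal, so config is deleted here as well`; otherwise restrict this branch to `purge` and let rpm's `%config(noreplace)` handling keep the files. Note also that `id ntfy ... && userdel ntfy` runs without `|| true` under `set -e`, so a failed `userdel` (presumably possible while a process still runs as that user) now aborts removal on a second platform. The `if` block continues past the end of the hunk.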


@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
set -e set -e
if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then if [ "$1" = "install" ] || [ "$1" = "upgrade" ] || [ "$1" -ge 1 ]; then
# Migration of old to new config file name # Migration of old to new config file name
oldconfigfile="/etc/ntfy/config.yml" oldconfigfile="/etc/ntfy/config.yml"
configfile="/etc/ntfy/server.yml" configfile="/etc/ntfy/server.yml"


@ -2,11 +2,13 @@
set -e set -e
# Stop systemd service # Stop systemd service
if [ -d /run/systemd/system ] && [ "$1" = remove ]; then if [ -d /run/systemd/system ]; then
echo "Stopping ntfy.service ..." if [ "$1" = "remove" ] || [ "$1" = "0" ]; then
if [ -x /usr/bin/deb-systemd-invoke ]; then echo "Stopping ntfy.service ..."
deb-systemd-invoke stop 'ntfy.service' >/dev/null || true if [ -x /usr/bin/deb-systemd-invoke ]; then
else deb-systemd-invoke stop 'ntfy.service' >/dev/null || true
systemctl stop ntfy >/dev/null 2>&1 || true else
systemctl stop ntfy >/dev/null 2>&1 || true
fi
fi fi
fi fi