webserver-config/install/nginx-cloudflare-fail2ban.sh

#!/bin/bash

# Check if script is run as root
if [ "$EUID" -ne 0 ]; then 
    echo "Please run as root or with sudo"
    exit 1
fi

# Create banned IPs file
echo "Creating banned IPs file..."
touch /etc/nginx/conf.d/banned_ips.conf
chown www-data:www-data /etc/nginx/conf.d/banned_ips.conf

# Create NGINX configuration for fail2ban check
echo "Creating NGINX configuration..."
tee /etc/nginx/conf.d/10-fail2ban-check.conf << 'CONFFILE'
map $http_cf_connecting_ip $is_banned {
    default 0;
    include /etc/nginx/conf.d/banned_ips.conf;
}
CONFFILE

# Create fail2ban action
tee /etc/fail2ban/action.d/nginx-banned-ips.conf << 'ACTIONFILE'
[Definition]
actionstart = 
actionstop = 
actioncheck = 
actionban = grep -q '^<ip> 1;$' /etc/nginx/conf.d/banned_ips.conf || echo '<ip> 1;' >> /etc/nginx/conf.d/banned_ips.conf && nginx -s reload
actionunban = sed -i '/^<ip> 1;$/d' /etc/nginx/conf.d/banned_ips.conf && nginx -s reload
ACTIONFILE

# Clean up existing duplicates
sort -u /etc/nginx/conf.d/banned_ips.conf > /etc/nginx/conf.d/banned_ips.conf.tmp && \
mv /etc/nginx/conf.d/banned_ips.conf.tmp /etc/nginx/conf.d/banned_ips.conf

# Test NGINX configuration
echo "Testing NGINX configuration..."
nginx -t

echo "Installation complete!"
echo "Now add 'nginx-banned-ips' to the action line in your existing fail2ban jail configurations"