Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
In the Fail2Ban image, the Cloudflare action action.d/cloudflare-token.conf fails to unban when the notes parameter contains a space (it contains by default: Fail2Ban <name>). The unban lookup uses a raw ?notes=<notes> query (no URL-encoding), so Cloudflare returns result: [] and the rule id cannot be found. Effectively it is a permanent ban.
Workaround
Using notes without whitespace lets Fail2Ban locate and delete the rule reliably.
Expected Behavior
Cloudflare does not accumulate stale bans.
Steps To Reproduce
- Jail uses action = cloudflare-token (default notes: Fail2Ban nginx-deny).
- banip 203.0.113.123 succeeds (rule created).
- unbanip 203.0.113.123 logs "id for 203.0.113.123 cannot be found...", ip is removed from jail, but the CF rule remains.
Environment
- OS: Ubuntu 24.04.3
- How docker service was installed: apt
CPU architecture
arm64
Docker creation
fail2ban:
  image: lscr.io/linuxserver/fail2ban:latest
  container_name: fail2ban
  hostname: f2b
  restart: unless-stopped
  environment:
    - PUID=1001
    - PGID=1001
    - TZ=Europe/Warsaw
    - VERBOSITY=-vv
  volumes:
    - /mnt/data/fail2ban:/config
    - /mnt/data/fail2ban/custom-cont-init.d:/custom-cont-init.d:ro
    - /mnt/data/fail2ban/msmtp:/config/msmtp:ro
    - /mnt/data/swag/log/nginx:/remotelogs/nginx:ro
  network_mode: bridge
Container logs
[custom-init] No custom services found, skipping...
[migrations] started
[migrations] no migrations found
───────────────────────────────────────
██╗ ███████╗██╗ ██████╗
██║ ██╔════╝██║██╔═══██╗
██║ ███████╗██║██║ ██║
██║ ╚════██║██║██║ ██║
███████╗███████║██║╚██████╔╝
╚══════╝╚══════╝╚═╝ ╚═════╝
Brought to you by linuxserver.io
───────────────────────────────────────
To support LSIO projects visit:
https://www.linuxserver.io/donate/
───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID: 1001
User GID: 1001
───────────────────────────────────────
Linuxserver.io version: 1.1.0-r2-ls18
Build-date: 2025-08-15T07:35:59+00:00
───────────────────────────────────────
[custom-init] Files found, executing
[custom-init] 10-msmtp.sh: executing...
**** installing msmtp + whois ****
fetch http://dl-cdn.alpinelinux.org/alpine/v3.21/main/aarch64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.21/community/aarch64/APKINDEX.tar.gz
OK: 84 MiB in 89 packages
[custom-init] 10-msmtp.sh: exited 0
[ls.io-init] done.
2025-09-07 18:44:00,381 E1F07AC5ED20 INFO Loading configs for fail2ban under /etc/fail2ban
2025-09-07 18:44:00,381 E1F07AC5ED20 DEBUG Reading configs for fail2ban under /etc/fail2ban
2025-09-07 18:44:00,381 E1F07AC5ED20 DEBUG Reading config files: /etc/fail2ban/fail2ban.conf, /etc/fail2ban/fail2ban.local
...
+119697 FE96BE338D20 fail2ban.actions NOTIC [nginx-deny] Unban 203.0.113.123
+119697 FE96BE338D20 fail2ban.actions DEBUG [nginx-deny] action 'cloudflare-token': unban 203.0.113.123
+119710 FE96BE338D20 fail2ban.utils DEBUG fe96bd04e870 -- stdout: 'nginx-deny: id for 203.0.113.123 cannot be found using target ip'
+119710 FE96BE338D20 fail2ban.utils DEBUG fe96bd04e870 -- returned successfully 0
+119711 FE96BE338D20 fail2ban.actions DEBUG [nginx-deny] action 'sendmail-whois-lines': unban 203.0.113.123
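The encoding problem reported above, as an added example that is not part of the issue or of the image's cloudflare-token.conf: a POSIX shell percent-encoder applied to the notes value before it goes into the lookup query, shown beside the raw form. The endpoint URL and the function names are assumptions; only the `notes` parameter and the default value come from the report.

```shell
#!/bin/sh
# Added example (not from cloudflare-token.conf). The endpoint below is a
# placeholder; only the "notes" parameter name comes from the issue.

# Percent-encode $1 for use as a URL query value: RFC 3986 unreserved
# characters pass through, everything else becomes %XX.
# Runs in a subshell so LC_ALL=C (ASCII-only [A-Za-z] ranges) does not leak.
urlencode() (
    LC_ALL=C
    s=$1
    out=
    while [ -n "$s" ]; do
        rest=${s#?}             # input minus its first character
        c=${s%"$rest"}          # the first character itself
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
)

# The lookup as the issue describes it: notes pasted into the query raw.
raw_lookup_url() { printf '%s?notes=%s' "$1" "$2"; }

# The same lookup with the notes value encoded.
lookup_url() { printf '%s?notes=%s' "$1" "$(urlencode "$2")"; }

api='https://api.example.invalid/rules'   # placeholder endpoint
notes='Fail2Ban nginx-deny'               # default notes from the issue

echo "raw:     $(raw_lookup_url "$api" "$notes")"
echo "encoded: $(lookup_url "$api" "$notes")"
# With curl, the equivalent is to let it encode the value:
#   curl -s -G --data-urlencode "notes=$notes" "$api"
```

Encoding also keeps characters such as `&` or `=` in a custom notes string from being read as extra query parameters.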