Add shared jail feature

README.md

@@ -52,6 +52,17 @@ _only_ be used _concurrently_ with Fail2ban functionality (if you are looking
 for a way to allowlist or denylist IPs without using any of the Fail2ban
 logic, you might want to use a different plugin.)
 
+### Shared Jail
+
+By default, each middleware instance has its own jail. To share a jail across multiple routers using the same middleware name, set `sharedJail` to `true`:
+
+```yml
+testData:
+  sharedJail: true
+```
+
+When enabled, all routers using the same named middleware will share the same jail, allowing bans to propagate across subdomains.
+
 ### Allowlist
 You can allowlist some IP using this:
 ```yml

fail2ban.go

@@ -3,11 +3,14 @@
 
 import (
 	"context"
+	"crypto/md5"
+	"encoding/json"
 	"fmt"
 	"log"
 	"net/http"
 	"os"
 	"strings"
+	"sync"
 
 	"github.com/tomMoulard/fail2ban/pkg/chain"
 	"github.com/tomMoulard/fail2ban/pkg/fail2ban"
@@ -25,6 +28,11 @@
 	log.SetOutput(os.Stdout)
 }
 
+var (
+	globalJails = make(map[string]*fail2ban.Fail2Ban)
+	globalMu    sync.Mutex
+)
+
 // List struct.
 type List struct {
 	IP    []string
@@ -33,9 +41,10 @@
 
 // Config struct.
 type Config struct {
 	Denylist  List        `yaml:"denylist"`
 	Allowlist List        `yaml:"allowlist"`
 	Rules     rules.Rules `yaml:"port"`
+	SharedJail bool       `yaml:"sharedJail"`
 
 	// deprecated
 	Blacklist List `yaml:"blacklist"`
@@ -77,7 +86,7 @@
 
 // New instantiates and returns the required components used to handle a HTTP
 // request.
-func New(_ context.Context, next http.Handler, config *Config, _ string) (http.Handler, error) {
+func New(_ context.Context, next http.Handler, config *Config, name string) (http.Handler, error) {
 	if !config.Rules.Enabled {
 		log.Println("Plugin: FailToBan is disabled")
 
@@ -136,9 +145,29 @@
 		return nil, fmt.Errorf("error when Transforming rules: %w", err)
 	}
 
-	log.Println("Plugin: FailToBan is up and running")
-
-	f2b := fail2ban.New(rules, allowNetIPs)
+	// Get or create jail
+	var f2b *fail2ban.Fail2Ban
+	if config.SharedJail {
+		// Use middleware name and config hash as key for shared jail
+		keyBytes, _ := json.Marshal(config)
+		jailKey := fmt.Sprintf("%s-%x", name, md5.Sum(keyBytes))
+		// Use shared jail based on middleware name
+		globalMu.Lock()
+		var exists bool
+		f2b, exists = globalJails[jailKey]
+		if !exists {
+			f2b = fail2ban.New(rules, allowNetIPs)
+			globalJails[jailKey] = f2b
+			log.Printf("Plugin: FailToBan created new shared jail for middleware %s", jailKey)
+		} else {
+			log.Printf("Plugin: FailToBan using existing shared jail for middleware %s", jailKey)
+		}
+		globalMu.Unlock()
+	} else {
+		// Create individual jail
+		f2b = fail2ban.New(rules, allowNetIPs)
+		log.Printf("Plugin: FailToBan created individual jail for middleware %s", name)
+	}
 
 	c := chain.New(
 		next,

fail2ban_test.go

@@ -120,7 +120,7 @@
 func TestFail2Ban(t *testing.T) {
 	t.Parallel()
 
 	remoteAddr := "10.0.0.0"
 	tests := []struct {
 		name         string
 		url          string
@@ -503,3 +503,89 @@
 		})
 	}
 }
+
+func TestFail2Ban_SuccessiveRequests_SharedJail(t *testing.T) {
+	t.Parallel()
+
+	remoteAddr := "10.0.0.0"
+	tests := []struct {
+		name          string
+		cfg           *Config
+		handlerStatus []int // HTTP code the internal HTTP handler should return
+		expectStatus  []int // HTTP code the downstream client should request after passing through fail2ban
+		expectStatusSecond  int
+	}{
+		{
+			name: "shared jail enabled propagates ban",
+			cfg: &Config{
+				Rules: rules.Rules{
+					Enabled:    true,
+					Bantime:    "300s",
+					Findtime:   "300s",
+					Maxretry:   3,
+					StatusCode: "404",
+				},
+				SharedJail: true,
+			},
+			// the remaining OKs will not reach the client as it is banned
+			handlerStatus: []int{http.StatusNotFound, http.StatusOK, http.StatusNotFound, http.StatusNotFound, http.StatusOK},
+			expectStatus:  []int{http.StatusNotFound, http.StatusOK, http.StatusNotFound, http.StatusTooManyRequests, http.StatusTooManyRequests},
+			expectStatusSecond: http.StatusTooManyRequests,
+		},
+		{
+			name: "shared jail disabled does not propagate ban",
+			cfg: &Config{
+				Rules: rules.Rules{
+					Enabled:    true,
+					Bantime:    "300s",
+					Findtime:   "300s",
+					Maxretry:   3,
+					StatusCode: "404",
+				},
+				SharedJail: false,
+			},
+			handlerStatus: []int{http.StatusNotFound, http.StatusOK, http.StatusNotFound, http.StatusNotFound, http.StatusOK},
+			expectStatus:  []int{http.StatusNotFound, http.StatusOK, http.StatusNotFound, http.StatusTooManyRequests, http.StatusTooManyRequests},
+			expectStatusSecond: http.StatusOK,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			jailKey := t.Name()
+			globalMu.Lock()
+			delete(globalJails, jailKey)
+			globalMu.Unlock()
+
+			next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				testno, err := strconv.Atoi(r.Header.Get("Testno"))
+				assert.NoError(t, err)
+
+				w.WriteHeader(testno)
+			})
+
+			handler, err := New(t.Context(), next, test.cfg, jailKey)
+			require.NoError(t, err)
+			handler2, err := New(t.Context(), next, test.cfg, jailKey)
+			require.NoError(t, err)
+
+			req := httptest.NewRequest(http.MethodGet, "/", nil)
+			req.RemoteAddr = remoteAddr + ":1234"
+
+			for i := range test.handlerStatus {
+				rw := httptest.NewRecorder()
+
+				req.Header.Set("Testno", strconv.Itoa(test.handlerStatus[i])) // pass the expected value to the mock handler (fail2ban response code may differ)
+				handler.ServeHTTP(rw, req)
+
+				assert.Equal(t, test.expectStatus[i], rw.Code, "request [%d] code", i)
+			}
+
+			rw := httptest.NewRecorder()
+			req.Header.Set("Testno", strconv.Itoa(http.StatusOK))
+			handler2.ServeHTTP(rw, req)
+			assert.Equal(t, test.expectStatusSecond, rw.Code, "request to handler2 code")
+		})
+	}
+}