mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-06-03 10:59:34 +00:00
28330e60d8
The image bundles fail2ban (enabled by default) to enforce per-client IP limits via iptables, but docker-compose.yml granted no capabilities. The job logs the ban and fail2ban reports it as banned, yet the iptables action fails with "Permission denied (you must be root)" and no rule is inserted, so the client is never actually blocked. Add cap_add NET_ADMIN/NET_RAW to the service and document the docker run flags.
41 lines
1.2 KiB
YAML
41 lines
1.2 KiB
YAML
services:
|
|
3xui:
|
|
build:
|
|
context: .
|
|
dockerfile: ./Dockerfile
|
|
container_name: 3xui_app
|
|
# hostname: yourhostname <- optional
|
|
# The bundled Fail2ban (XUI_ENABLE_FAIL2BAN below) enforces the IP limit
|
|
# with iptables, which needs NET_ADMIN. Without these caps a ban is logged
|
|
# and shown in fail2ban status but never actually applied. NET_RAW covers
|
|
# ip6tables. If you disable Fail2ban, you can drop cap_add.
|
|
cap_add:
|
|
- NET_ADMIN
|
|
- NET_RAW
|
|
volumes:
|
|
- $PWD/db/:/etc/x-ui/
|
|
- $PWD/cert/:/root/cert/
|
|
environment:
|
|
XRAY_VMESS_AEAD_FORCED: "false"
|
|
XUI_ENABLE_FAIL2BAN: "true"
|
|
# To use PostgreSQL instead of the default SQLite, run:
|
|
# docker compose --profile postgres up -d
|
|
# and uncomment the two lines below.
|
|
# XUI_DB_TYPE: "postgres"
|
|
# XUI_DB_DSN: "postgres://xui:xui@postgres:5432/xui?sslmode=disable"
|
|
tty: true
|
|
ports:
|
|
- "2053:2053"
|
|
restart: unless-stopped
|
|
|
|
postgres:
|
|
image: postgres:16-alpine
|
|
container_name: 3xui_postgres
|
|
profiles: ["postgres"]
|
|
environment:
|
|
POSTGRES_USER: xui
|
|
POSTGRES_PASSWORD: xui
|
|
POSTGRES_DB: xui
|
|
volumes:
|
|
- $PWD/pgdata/:/var/lib/postgresql/data
|
|
restart: unless-stopped |