Make CALLBACK_URL and secret configurable through the env

This commit is contained in:
2026-02-10 17:00:59 +01:00
parent 339118d89f
commit 01bc815bde
5 changed files with 68 additions and 7 deletions

View File

@@ -302,6 +302,26 @@ By default, the HTTP server listens on `0.0.0.0`. To bind to a specific interfac
-e BIND_ADDRESS=127.0.0.1 \
```
**Callback URL** (for remote / containerised Fail2ban instances)
The callback URL is the external address that each Fail2ban instance uses to send ban/unban action calls back to Fail2ban-UI (via `/api/ban` and `/api/unban`). By default it is set to `http://127.0.0.1:<PORT>`, which works when Fail2ban runs on the same host or in the same network namespace. For container setups (bridge networking) or remote Fail2ban servers, override it with an address that is reachable from those instances:
```bash
-e CALLBACK_URL=http://10.88.0.1:3080 \
```
> When `CALLBACK_URL` is set, the environment variable always takes priority over the value stored in the database or entered in the UI settings.
**Callback Secret**
The callback secret is a shared token used to authenticate ban/unban callbacks from Fail2ban instances. If not set, Fail2ban-UI auto-generates a secure random secret on first start. You can pin a specific secret via environment variable (e.g. when running multiple replicas or when you need a deterministic value):
```bash
-e CALLBACK_SECRET=your-secure-shared-secret \
```
> When `CALLBACK_SECRET` is set, the environment variable always takes priority over the auto-generated or stored value.
**Disable External IP Lookup** (Privacy / air-gapped)
By default, the web UI displays your external IP address by querying external services. For privacy reasons, you can disable this feature using the `DISABLE_EXTERNAL_IP_LOOKUP` environment variable:
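Review bot: the new Callback Secret paragraph should say that the secret travels with every ban/unban callback, so the `http://10.88.0.1:3080` example right above it sends that shared token in clear text over the bridge or LAN; the Reverse Proxy item later in this README already recommends a TLS endpoint, and a one-line pointer to it here (for remote instances in particular) would keep the two sections consistent. The precedence note ("the environment variable always takes priority over the value ... entered in the UI settings") should also state plainly that edits made in the UI are ignored while `CALLBACK_URL` is set, since nothing in the text tells the user that their change will not take effect.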
@@ -694,13 +714,18 @@ The **Fail2Ban Callback URL** is a critical setting that determines how Fail2Ban
- The callback URL automatically updates when you change the server port
- Example: If Fail2Ban UI runs on port `3080`, use `http://127.0.0.1:3080`
2. **Reverse Proxy Setups:**
2. **Container / Remote Deployments:**
- Fail2ban instances running in a different network namespace (e.g. bridge-mode containers) cannot reach `127.0.0.1` of the host. Set `CALLBACK_URL` to an address they can reach, e.g. the Podman/Docker gateway IP: `-e CALLBACK_URL=http://10.88.0.1:3080`
- For remote Fail2Ban servers on other hosts, use the LAN IP or DNS name of the Fail2Ban-UI host
3. **Reverse Proxy Setups:**
- Use your TLS-encrypted endpoint: `https://fail2ban.example.com`
- Ensure the reverse proxy forwards requests to the correct Fail2Ban UI port
- The callback URL must be accessible from all Fail2Ban instances (local and remote)
3. **Port Changes:**
4. **Port Changes:**
- When you change the Fail2Ban UI port (via `PORT` environment variable or UI settings), the callback URL automatically updates if it's using the default localhost pattern
- When `CALLBACK_URL` is set via environment variable, the env var always takes priority over automatic updates
**Privacy Settings**
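Review bot: the Container / Remote Deployments item should mention that a non-loopback `CALLBACK_URL` only works when the server is also listening on a reachable interface; the `BIND_ADDRESS` section higher up in this README documents binding to `127.0.0.1`, and with that setting `http://10.88.0.1:3080` is unreachable from a bridge container even though the callback URL itself is correct. A short "keep `BIND_ADDRESS` on `0.0.0.0` or the gateway interface" sentence next to the gateway-IP example would save users a confusing debugging session.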

View File

@@ -38,7 +38,8 @@ services:
environment:
- PORT=3080
- BIND_ADDRESS=0.0.0.0
- CALLBACK_URL=http://10.88.0.1:3080
#- CALLBACK_SECRET=**************************************************
volumes:
# Required for fail2ban-ui: Stores SQLite database, application settings, and SSH keys of the fail2ban-ui container
- ./config:/config:Z
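Review bot: the commented placeholder `#- CALLBACK_SECRET=**************************************************` reads like a redacted real value rather than a template; the other compose files in this commit use `your-secure-shared-secret`, and this file should use the same descriptive placeholder with a comment that the setting is optional and auto-generated when omitted. The uncommented `CALLBACK_URL=http://10.88.0.1:3080` is also environment-specific (the README calls it "the Podman/Docker gateway IP", which differs between runtimes), so a trailing comment telling users to replace it with their own gateway or host address would avoid shipping a value that silently fails on other setups.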

View File

@@ -57,6 +57,20 @@ services:
# When set to false, the footer will not request the latest release from GitHub (e.g. air-gapped or privacy-sensitive environments).
# - UPDATE_CHECK=false
# ============================================
# Callback Settings (Optional)
# ============================================
# Optional: External address where Fail2ban instances send ban/unban API calls back to Fail2ban-UI.
# Default: http://127.0.0.1:<PORT> (works when Fail2ban runs in the same network namespace).
# For container setups with bridge networking or remote Fail2ban servers, set this to an address
# reachable from those instances (e.g. the Docker/Podman gateway IP or the host LAN IP).
# When set, this env var always takes priority over the value in the UI settings.
# - CALLBACK_URL=http://10.88.0.1:3080
# Optional: Shared secret used to authenticate ban/unban callbacks from Fail2ban instances.
# If not set, a secure random secret is auto-generated on first start.
# When set, this env var always takes priority over the auto-generated or stored value.
# - CALLBACK_SECRET=your-secure-shared-secret
# ============================================
# OIDC Authentication (Optional)
# ============================================
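Review bot: the `Default: http://127.0.0.1:<PORT> (works when Fail2ban runs in the same network namespace)` comment is misleading inside a compose template, because a bridge-networked container's `127.0.0.1` is the container itself, not the host, and the README hunk in this same commit says such instances "cannot reach `127.0.0.1` of the host". Suggest rewording the compose comment to say the default is only usable with host networking and that compose users with bridge networking must set `CALLBACK_URL`.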

View File

@@ -38,6 +38,20 @@ services:
# When set to false, the footer will not request the latest release from GitHub (e.g. air-gapped or privacy-sensitive environments).
# - UPDATE_CHECK=false
# ============================================
# Callback Settings (Optional)
# ============================================
# Optional: External address where Fail2ban instances send ban/unban API calls back to Fail2ban-UI.
# Default: http://127.0.0.1:<PORT> (works when Fail2ban runs in the same network namespace).
# For container setups with bridge networking or remote Fail2ban servers, set this to an address
# reachable from those instances (e.g. the Docker/Podman gateway IP or the host LAN IP).
# When set, this env var always takes priority over the value in the UI settings.
# - CALLBACK_URL=http://10.88.0.1:3080
# Optional: Shared secret used to authenticate ban/unban callbacks from Fail2ban instances.
# If not set, a secure random secret is auto-generated on first start.
# When set, this env var always takes priority over the auto-generated or stored value.
# - CALLBACK_SECRET=your-secure-shared-secret
# ============================================
# OIDC Authentication (Optional)
# ============================================
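Review bot: this 14-line Callback Settings block is an exact copy of the one added to the previous compose file, so the two will drift apart on the next edit; if both files must stay, consider keeping a single source for the comment text. Separately, the `# - CALLBACK_SECRET=your-secure-shared-secret` line invites users to put the shared token directly into a compose file that is typically committed to version control; a note recommending an `env_file` kept outside the repository (or the runtime's secrets mechanism) would match the "shared secret" purpose described in the comment.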

View File

@@ -623,8 +623,12 @@ func setDefaultsLocked() {
} else if currentSettings.Port == 0 {
currentSettings.Port = 8080
}
// Auto-update callback URL if it's empty or still using the old default localhost pattern
if currentSettings.CallbackURL == "" {
// CALLBACK_URL env var always takes priority (external address where Fail2ban
// instances send back ban/unban API calls). If not set, fall back to the
// stored value or auto-generate from the port.
if cbURL := os.Getenv("CALLBACK_URL"); cbURL != "" {
currentSettings.CallbackURL = strings.TrimRight(strings.TrimSpace(cbURL), "/")
} else if currentSettings.CallbackURL == "" {
currentSettings.CallbackURL = fmt.Sprintf("http://127.0.0.1:%d", currentSettings.Port)
} else {
// If callback URL matches the old default pattern, update it to match the current port
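Review bot: the emptiness check runs before the trim, so `CALLBACK_URL=" "` passes `cbURL != ""`, `strings.TrimRight(strings.TrimSpace(cbURL), "/")` yields `""`, and the `else if currentSettings.CallbackURL == ""` default branch is skipped, leaving the callback URL empty; trim first (`cbURL := strings.TrimSpace(os.Getenv("CALLBACK_URL"))`) and then test for empty. The env value is also accepted without any validation, so a value lacking a scheme or host is used as-is; a `url.Parse` check with a logged warning and fallback to the default would catch typos at startup. Finally, because the env value is written straight into `currentSettings.CallbackURL`, it will be persisted if the settings are saved afterwards, and the README claims the env var takes priority over "the value stored in the database": please confirm that removing the env var later restores the stored/default value rather than the previously injected one.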
@@ -633,8 +637,11 @@ func setDefaultsLocked() {
currentSettings.CallbackURL = fmt.Sprintf("http://127.0.0.1:%d", currentSettings.Port)
}
}
// Generate callback secret if not set (only generate once, never regenerate)
if currentSettings.CallbackSecret == "" {
// CALLBACK_SECRET env var always takes priority.
// If not set, keep stored value or generate a new one (only once).
if cbSecret := os.Getenv("CALLBACK_SECRET"); cbSecret != "" {
currentSettings.CallbackSecret = strings.TrimSpace(cbSecret)
} else if currentSettings.CallbackSecret == "" {
currentSettings.CallbackSecret = generateCallbackSecret()
}
if currentSettings.AlertCountries == nil {
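Review bot: same ordering problem as the URL branch above: `cbSecret != ""` is evaluated on the untrimmed value, so a whitespace-only `CALLBACK_SECRET` sets `currentSettings.CallbackSecret` to `""` and skips the `generateCallbackSecret()` fallback, which silently disables callback authentication; trim before the check. Since the old code's intent ("only generate once, never regenerate") is preserved but the env path accepts any non-empty string, a minimum-length check (or at least a logged warning for short values) would stop a one-character secret from overriding a properly generated one.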