NextCloud behind Reverse Proxy with SSL-Passthrough. Do I have any options for brute force protection?

Hey all,

I’m hosting NextCloud at home for privacy reasons and for some unknown reason, many upstream ISPs are blocking all incoming connections to my home IP. I’ve set up an Nginx reverse proxy on a VPS to work around this and I’m using SSL passthrough to avoid terminating SSL on on the VPS. It’s working well but I’m also very concerned with security and this setup makes all brute-force protections that I know of (fail2ban, built-in NextCloud BF protection) impossible because they rely on the source IP to throttle repeated login attempts. In this setup, the source IP is always the VPS (unless it’s coming from my home network).

Does anyone have any suggestions for how to implement some sort of brute force protection with the above setup? I’m trying to balance security and convenience since I’m hosting this for my family, and I’m trying to stay secure without forcing them all to use 2fa and 20 character complex passwords. I’m also open to suggestions for how to alter the setup to allow NextCloud to see the real source IP while still bypassing the strange blocking issues with upstream ISPs.