Setup Fail2Ban for Nextcloud/Apache behind Nginx Reverse Proxy

As the title says, I want to get Fail2Ban working on Nextcloud when the Nextcloud server is behind an Nginx Reverse Proxy. I believe I have managed to do this successfully, but would really appreciate some advice/recommendations after reading my methods below:

My setup is a firewalled NAT router forwarding 80 & 443 to the Nginx Reverse Proxy PC. This handles the Letsencrypt certs for two services (Nextcloud and Bitwarden) and has “proxy_pass” settings to send https requests to different ports on another PC which has the Nextcloud and Bitwarden servers on. The Nginx Reverse Proxy also has “proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;” so that my Nextcloud server sees the true IP address of the https request and not the IP address of the Proxy Server. The proxy_pass settings use https on the local network to the Nextcloud/Bitwarden server PC using self-signed SSL certs. This setup works really well and I’ve conducted a lot of testing and found no issues.
However, for over a week now, I’ve been researching a way to enable Fail2Ban on the Nextcloud server (behind the reverse proxy server). All of my online research has only found posts on various forums and websites that say that Fail2Ban won’t work behind a reverse proxy. Even with the X-Forwarded-For header set for Nextcloud, blocking the real IP address of any failed login won’t work if you block it behind the reverse proxy. So it appears that Fail2Ban only works for servers that aren’t behind a reverse proxy.
Knowing this, I was trying to think of a way to use Fail2Ban on the reverse proxy server (instead of on the Nextcloud PC), whilst the Nextcloud log file which highlights the failed logins that Fail2Ban needs is on the Nextcloud server behind the reverse proxy. I already have SMB shared folders on my reverse proxy server for local backups of Nextcloud and Bitwarden and also for access to these backups from a Windows PC. So I added another shared folder on the reverse proxy PC for the Nextcloud log file. I’ve set up fstab on the Nextcloud server PC to mount this shared folder with www-data permissions and I’ve changed the Nextcloud config.php to point the logfile to this mounted share.
What this has created is a Nextcloud log file that exists on the reverse proxy server, but is updated in real time from the Nextcloud server. Fail2Ban is set up to filter this log file and block any IP that is seen to fail to login.
This is currently working very well and blocks any IP that fails to login after ‘x’ attempts from outside of my local network.
My question though, is whether anyone with far more knowledge than myself can highlight any issues that I haven’t thought about, especially security related. Both the reverse proxy PC and the Nextcloud/Bitwarden PC are behind a NAT router, and each PC has UFW set up to only allow incoming connections on HTTPS, SSH, Samba, etc., so I don’t see any issues. If anyone does manage to get onto my network from outside, then sharing a Nextcloud file between two PCs seems to be the least of my problems.
On a scale of 1-10, with 1 being a complete Linux CLI novice and 10 being a Linux guru, I would put myself at a 2, so although I’m learning a lot about Linux and servers, I’m not an expert, so please go easy on the tech talk and keep it simple. All suggestions/comments/recommendations will be very gratefully received.

I have a very similar setup. Reverse proxy on a virtual machine with a cloud provider. At home I have Nextcloud running on a separate machine, ssh’ing into the reverse proxy machine with a reverse port mapping to the local Nextcloud installation (so no port is exposed on my private firewall and I don’t even need to care about changing IP addresses at home).

I’m currently facing the same issue of how to set up fail2ban for Nextcloud as well. I don’t want to expose the Nextcloud logfile to the reverse proxy machine. The other issue I see is: I do not see the IP address of whoever comes via the reverse proxy, but only the IP of the proxy server, of course.
(file I’m looking into is nextcloud.log on nextcloud version 23.0.0)
So even with access to the Nextcloud logfile, how do you match the log entries to the right IP on the other side at all?
Somehow I cannot imagine that there is no solution to it, as I would assume that a separate reverse proxy and application server is not so rare.

If you still need a solution for this issue, here are my 2 cents.

Create a copy_ssh.sh bash script somewhere on the server where you have Nextcloud installed.

#!/bin/bash

# Local Nextcloud log and where to put it on the Fail2Ban host
FILE="/var/log/nextcloud/nextcloud.log"
SERVER_USER="xxx@other_server.local"
SSH_KEY="/home/xxxx/.ssh/id_ed25519"
REMOTE_FILE="/home/xxx/nextcloud.log"

# Check if the file has a size greater than 0
if [ -s "$FILE" ]; then
    # Copy the log file using scp without sudo (sshd on the other server listens on port 499)
    scp -i "$SSH_KEY" -P 499 "$FILE" "$SERVER_USER:$REMOTE_FILE"
else
    echo "File $FILE is empty or doesn't exist."
fi

Set a crontab entry to execute the script, e.g. every 10 minutes.

On the server where you have Fail2Ban, edit jail.local for [nextcloud]
and set logpath = /home/xxxx/nextcloud.log

Restart Fail2Ban and that is it.
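As an added example (not code from this thread, nor from the Nextcloud or Fail2Ban projects), the following shell script does by hand what the Fail2Ban [nextcloud] filter does with the shared or copied log in the two setups above: it pulls the remoteAddr out of each "Login failed" line, counts attempts per address against a maxretry-style threshold, and checks for the trap mentioned in the second post, where every attempt appears to come from the proxy itself. It assumes nextcloud.log is in Nextcloud's default JSON-lines format and that Nextcloud has the proxy's address listed in trusted_proxies in config.php so that remoteAddr carries the real client IP; MAXRETRY, PROXY_IP, the log lines and all addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce what a Fail2Ban
# [nextcloud] filter does with the shipped log, so you can check that the
# log you share or copy to the proxy host actually contains client IPs.
# Assumptions (not from the thread): nextcloud.log is in Nextcloud's default
# JSON-lines format, and "remoteAddr" holds the real client address, which
# behind a reverse proxy requires the proxy's IP in 'trusted_proxies' in
# config.php. All log lines and addresses below are constructed.

MAXRETRY=3              # same role as fail2ban's maxretry
PROXY_IP="192.168.1.10" # constructed: proxy address as Nextcloud sees it

# Constructed log with trusted_proxies set correctly: three failures from
# 203.0.113.7, one from 198.51.100.2, and one unrelated line.
GOOD_LOG=$(cat <<'EOF'
{"reqId":"a1","level":2,"time":"2024-01-10T10:00:01+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"reqId":"a2","level":2,"time":"2024-01-10T10:00:05+00:00","remoteAddr":"198.51.100.2","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'bob' (Remote IP: '198.51.100.2')"}
{"reqId":"a3","level":2,"time":"2024-01-10T10:00:09+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"reqId":"a4","level":1,"time":"2024-01-10T10:00:12+00:00","remoteAddr":"203.0.113.7","user":"alice","app":"cron","method":"GET","url":"/cron.php","message":"Cron job ran"}
{"reqId":"a5","level":2,"time":"2024-01-10T10:00:20+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'root' (Remote IP: '203.0.113.7')"}
EOF
)

# Constructed log from three attempts when trusted_proxies is NOT set:
# every request appears to come from the proxy itself.
BAD_LOG=$(cat <<'EOF'
{"reqId":"b1","level":2,"time":"2024-01-10T11:00:01+00:00","remoteAddr":"192.168.1.10","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '192.168.1.10')"}
{"reqId":"b2","level":2,"time":"2024-01-10T11:00:04+00:00","remoteAddr":"192.168.1.10","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '192.168.1.10')"}
{"reqId":"b3","level":2,"time":"2024-01-10T11:00:08+00:00","remoteAddr":"192.168.1.10","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'root' (Remote IP: '192.168.1.10')"}
EOF
)

# Print the remoteAddr of every "Login failed" line in log text $1, in order.
failed_login_ips() {
    printf '%s\n' "$1" \
      | grep '"message":"Login failed:' \
      | sed -n 's/.*"remoteAddr":"\([^"]*\)".*/\1/p'
}

# Print "count ip" for each address with at least $2 failed logins in $1.
offending_ips() {
    failed_login_ips "$1" | sort | uniq -c \
      | awk -v max="$2" '$1 + 0 >= max + 0 { print $1, $2 }'
}

# Exit 0 when the proxy address $3 is among the offenders of $1 at threshold
# $2: banning it would cut off every user who comes through the proxy.
proxy_would_be_banned() {
    offending_ips "$1" "$2" \
      | awk -v p="$3" '$2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

echo "Failed logins per IP (trusted_proxies set):"
failed_login_ips "$GOOD_LOG" | sort | uniq -c
echo "Would be banned at maxretry=$MAXRETRY:"
offending_ips "$GOOD_LOG" "$MAXRETRY"
if proxy_would_be_banned "$BAD_LOG" "$MAXRETRY" "$PROXY_IP"; then
    echo "Misconfigured log: the proxy $PROXY_IP itself would be banned"
fi
```

To try it on a real log, replace the constructed GOOD_LOG with the contents of the copied file (the /home/xxxx/nextcloud.log path from the post above). If the proxy's own address shows up as an offender, Nextcloud is not resolving X-Forwarded-For and a Fail2Ban jail on the proxy host would ban the proxy rather than the attacker, which is the situation the second post describes.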