As the title says, I want to get Fail2Ban working on Nextcloud when the Nextcloud server is behind an Nginx Reverse Proxy. I believe I have managed to do this successfully, but would really appreciate some advice/recommendations after reading my methods below:
My setup is a firewalled NAT router forwarding 80 & 443 to the Nginx Reverse Proxy PC. This handles the Letsencrypt certs for two services (Nextcloud and Bitwarden) and has 'proxy_pass' settings to send https requests to different ports on another PC which has the Nextcloud and Bitwarden servers on. The Nginx Reverse Proxy also has 'proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' so that my Nextcloud server sees the true IP address of the https request and not the IP address of the Proxy Server. The proxy_pass settings use https on the local network to the Nextcloud/Bitwarden server PC using self-signed SSL certs. This setup works really well and I've conducted a lot of testing and found no issues.
However, for over a week now, I've been researching a way to enable Fail2Ban on the Nextcloud server (behind the reverse proxy server). All of my online research has only found posts on various forums and websites that say that Fail2Ban won't work behind a reverse proxy. Even with the X-Forwarded-For header set for Nextcloud, blocking the real IP address of any failed login IP won't work if you block it behind the reverse proxy. So it appears that Fail2Ban only works for servers that aren't behind a reverse proxy.
Knowing this, I was trying to think of a way to use Fail2Ban on the reverse proxy server (instead of on the Nextcloud PC), whilst the Nextcloud log file, which highlights the failed logins that Fail2Ban needs, is on the Nextcloud server behind the reverse proxy. I already have smb shared folders on my reverse proxy server for local backups of Nextcloud and Bitwarden and also for access to these backups from a Windows PC. So I added another shared folder on the reverse proxy PC for the Nextcloud log file. I've set up fstab on the Nextcloud server PC to mount this shared folder with www-data permissions and I've changed the Nextcloud config.php to point the logfile to this mounted share.
What this has created is a Nextcloud log file that exists on the reverse proxy server, but is updated in real time from the Nextcloud server. Fail2Ban is set up to filter this log file and block any IP that is seen to fail to login.
This is currently working very well and blocks any IP that fails to login after 'x' attempts from outside of my local network.
My question though, is whether anyone with far more knowledge than myself can highlight any issues that I haven't thought about, especially security related. Both the reverse proxy PC and the Nextcloud/Bitwarden PC are behind a NAT router, and each PC has UFW set up to only allow incoming connections on HTTPS, SSH, Samba, etc, so I don't see any issues. If anyone does manage to get onto my network from outside, then sharing a nextcloud file between two PCs seems to be the least of my problems.
On a scale of 1-10, with 1 being a complete Linux CLI novice and 10 being a Linux Guru, I would put myself on a 2, so although I'm learning a lot about Linux and servers, I'm not an expert, so please go easy on the tech talk and keep it simple. All suggestions/comments/recommendations will be very gratefully received.
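The setup described in the post (Fail2Ban on the proxy, reading a Nextcloud log written over an SMB share) stands or falls on two things: the log lines must carry the client's real address in `remoteAddr`, and the filter must pick exactly the failed-login lines. The script below is an added example, not part of the original post or of Nextcloud's or Fail2Ban's own code; it builds a small constructed `nextcloud.log` (all IPs, users and timestamps are made up), applies the same "Login failed" match a Fail2Ban filter would use, counts failures per address against a `maxretry`-style threshold, and checks that the proxy's own address (assumed here to be 192.168.1.10) never shows up as a failed-login source, which is the symptom of Nextcloud not honouring `X-Forwarded-For`.

```shell
#!/bin/sh
# Added example (not from the original post): offline check of a Fail2Ban-style
# "Login failed" filter against constructed Nextcloud log lines.
#
# The matching Fail2Ban filter (filter.d/nextcloud.conf) is, in simplified form:
#   [Definition]
#   failregex = ^\{.*"remoteAddr":"<HOST>".*"message":"Login failed:
#   datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
# <HOST> is what Fail2Ban substitutes with its IP pattern; below, sed captures it.

# Writes a constructed sample of nextcloud.log (one JSON record per line) to $1.
# 203.0.113.10 fails three times, two other addresses fail once, and one line
# is ordinary file activity that must NOT match.
write_sample_log() {
    cat > "$1" <<'EOF'
{"reqId":"r1","level":2,"time":"2024-01-01T10:00:01+00:00","remoteAddr":"203.0.113.10","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '203.0.113.10')"}
{"reqId":"r2","level":2,"time":"2024-01-01T10:00:05+00:00","remoteAddr":"203.0.113.10","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '203.0.113.10')"}
{"reqId":"r3","level":1,"time":"2024-01-01T10:00:07+00:00","remoteAddr":"192.168.1.20","user":"alice","app":"files","method":"GET","url":"/apps/files","message":"Listing files"}
{"reqId":"r4","level":2,"time":"2024-01-01T10:00:09+00:00","remoteAddr":"203.0.113.10","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'root' (Remote IP: '203.0.113.10')"}
{"reqId":"r5","level":2,"time":"2024-01-01T10:00:12+00:00","remoteAddr":"198.51.100.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'bob' (Remote IP: '198.51.100.7')"}
{"reqId":"r6","level":2,"time":"2024-01-01T10:00:20+00:00","remoteAddr":"10.0.0.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'bob' (Remote IP: '10.0.0.5')"}
EOF
}

# Prints the remoteAddr of every failed-login line in log file $1, one per line.
# This is the same selection the failregex above performs.
failed_logins() {
    grep '"message":"Login failed:' "$1" \
        | sed -n 's/.*"remoteAddr":"\([^"]*\)".*/\1/p'
}

# Prints "<ip> <count>" for every address with at least $2 failures in log $1,
# i.e. what a jail with maxretry=$2 would ban (ignoring findtime here).
offenders() {
    failed_logins "$1" | sort | uniq -c | awk -v max="$2" '$1 >= max { print $2, $1 }'
}

# Returns 0 if the proxy address $2 never appears as a failed-login source in
# log $1, 1 otherwise. If the proxy does appear, Nextcloud is logging the
# proxy's IP instead of the client's, and a ban would lock out the proxy itself.
check_proxy_not_banned() {
    if failed_logins "$1" | grep -qx "$2"; then
        return 1
    fi
    return 0
}

# Demo run on the constructed sample with a threshold of 3 failures.
LOG=$(mktemp)
write_sample_log "$LOG"
echo "Failed-login source addresses:"
failed_logins "$LOG" | sort -u
echo "Would be banned (3 or more failures):"
offenders "$LOG" 3
check_proxy_not_banned "$LOG" "192.168.1.10" \
    && echo "OK: proxy address 192.168.1.10 never appears as remoteAddr"
rm -f "$LOG"
```

Two checks worth running against the real log before trusting the jail: first, confirm that `remoteAddr` in `nextcloud.log` is the public client address and not the proxy's LAN address, which requires the proxy to be listed in `trusted_proxies` in Nextcloud's config.php in addition to the `proxy_set_header` line on Nginx; second, because the file is written by another machine over SMB, inotify on the proxy will not see the writes, so the jail should use `backend = polling` so that Fail2Ban re-reads the file on a timer rather than waiting for a filesystem event that never arrives.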