I have set up my router to port forward traffic from a specific port to a server acting as a reverse proxy. The server is based on CentOS 7 with Apache 2.4.6. One of my backend servers is also CentOS based and is running an ownCloud instance.
My goal is to block public IPs, using fail2ban, which have multiple bad password attempts (brute force). For this to happen, I have made sure to pass through public IPs, using X-Forwarded-For, from the reverse proxy to the ownCloud server. I can also see from the fail2ban status that public IPs with multiple bad password attempts are indeed blocked.
But... since the traffic is passing from the reverse proxy (and not directly from the outside world), public IPs, even if blocked on the ownCloud server, will continue to have access to the ownCloud server.
Is there any way to block such public IPs in the above setup? If I am not mistaken, this is possible in NGINX reverse proxies by adding a "set_real_ip_from rev.proxy.ip.add.", but I have not found anything related for Apache.
My proxy's configuration, in case it is needed:

```apache
ServerName my.domain.com
SSLEngine On
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol -All +TLSv1.2
SSLHonorCipherOrder On
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyRequests Off
ProxyPreserveHost On
SSLCertificateFile /etc/letsencrypt/live/my.domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my.domain.com/chain.pem
Header always set Strict-Transport-Security "max-age=15552000; includeSubdomains;"
Header always set X-Frame-Options DENY
Header set X-Content-Type-Options "nosniff"
ProxyPass https://backend.ip/
ProxyPassReverse https://backend.ip/
```
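
One way to make the bans take effect in the setup described above, as an added example that is not part of the original post: a packet-filter ban on the backend never matches because every connection arrives from the proxy's address, so the ban is enforced at the HTTP layer instead, using Apache's mod_remoteip and a mod_rewrite map on the ownCloud server. The proxy address `192.0.2.10`, the map path and the fail2ban action file name are placeholders chosen for illustration.

```apache
# Backend (ownCloud) virtual host, Apache 2.4 with mod_remoteip and
# mod_rewrite loaded. 192.0.2.10 is a placeholder for the reverse proxy.

# Take the client address from X-Forwarded-For, but only on connections
# that come from the proxy, so a host reaching the backend directly
# cannot spoof the header.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 192.0.2.10

# Ban list maintained by fail2ban, one "<ip> banned" pair per line.
# The file must exist before Apache starts. A txt: map is re-read when
# the file's modification time changes, so no reload is needed per ban.
RewriteEngine On
RewriteMap f2b "txt:/etc/httpd/f2b-banned.map"

# REMOTE_ADDR is the address mod_remoteip extracted, not the proxy's.
RewriteCond "${f2b:%{REMOTE_ADDR}|ok}" "=banned"
RewriteRule "^" "-" [F,L]

# Matching fail2ban action, shown as comments because it lives in a
# different file (hypothetical /etc/fail2ban/action.d/apache-map.conf)
# and is selected in the jail with "action = apache-map":
#
#   [Definition]
#   actionstart = touch <mapfile>
#   actionban   = printf '%%s banned\n' '<ip>' >> <mapfile>
#   actionunban = sed -i '/^<ip> banned$/d' <mapfile>
#
#   [Init]
#   mapfile = /etc/httpd/f2b-banned.map
```

Banned clients then receive 403 from the backend through the proxy; the proxy itself still accepts their connections, so this limits password guessing against ownCloud, not load on the proxy.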