Expose Python web app via Nginx with Basic Auth

  • Achieved with proxy_pass in Nginx config file.
  • If service exposed via a URI path, both location and proxy_pass should end with a /. There should also be additional regex locations to capture and redirect static files and other accesses that occurs under root path.

try_file / location block 1 try_file / location block 2

  • Additional configuration required for proxying websocket applications.

proxy_pass websocket

Fail2Ban and Cloudflare

  • Basic Fail2Ban setup
  • To use Fail2Ban with Cloudflare, has to use Cloudflare plugin to also ban IP on Cloudflare.
  • Fail2Ban sees Cloudflare’s IP (since it’s a proxy service). Need to configure Nginx real_ip to expose real IP before basic auth, so that Fail2Ban and Cloudflare ban the correct IP source.

Cloudflare IP