If service exposed via a URI path, both location and proxy_pass should end with a /. There should also be additional regex locations to capture and redirect static files and other accesses that occurs under root path.
To use Fail2Ban with Cloudflare, has to use Cloudflare plugin to also ban IP on Cloudflare.
Fail2Ban sees Cloudflare’s IP (since it’s a proxy service). Need to configure Nginx real_ip to expose real IP before basic auth, so that Fail2Ban and Cloudflare ban the correct IP source.