Remote expose python web service with Nginx, BasicAuth, Cloudflare and Fail2Ban

Author： snowsr
发布时间：December 15, 2023
263 views
No comments
1644 words
Categories： Tech Notes Experience Log

Expose Python web app via Nginx with Basic Auth

Achieved with proxy_pass in Nginx config file.
If service exposed via a URI path, both location and proxy_pass should end with a /. There should also be additional regex locations to capture and redirect static files and other accesses that occurs under root path.
try_file / location block 1
try_file / location block 2
Additional configuration required for proxying websocket applications.
proxy_pass websocket
Basic web authentication (should be used with SSL at least)

Fail2Ban and Cloudflare

Basic Fail2Ban setup
To use Fail2Ban with Cloudflare, has to use Cloudflare plugin to also ban IP on Cloudflare.
Fail2Ban sees Cloudflare's IP (since it's a proxy service). Need to configure Nginx real_ip to expose real IP before basic auth, so that Fail2Ban and Cloudflare ban the correct IP source.

Cloudflare IP

Last modification：December 15, 2023

If you think my article is useful to you, please feel free to appreciate

Remote expose python web service with Nginx, BasicAuth, Cloudflare and Fail2Ban

snowsr • 2023 年 12 月 15 日

<h2>Expose Python web app via Nginx with Basic Auth</h2><ul><li>Achieved with <code>proxy_pass</code> in Nginx config file.</li><li>If service exposed via a URI path, both <code>location</code> and <code>proxy_pass</code> should end with a <code>/</code>. There should also be additional regex locations to capture and redirect static files and other accesses that occurs under root path.<blockquote><a class="no-external-link" href="https://stackoverflow.com/questions/56552229/nginx-to-serve-static-files-and-also-proxy-to-backend-server" target="_blank">try_file / location block 1</a> <a class="no-external-link" href="https://stackoverflow.com/questions/869001/how-to-serve-all-existing-static-files-directly-with-nginx-but-proxy-the-rest-t" target="_blank">try_file / location block 2</a></blockquote></li><li>Additional configuration required for proxying websocket applications.<blockquote><a class="no-external-link" href="https://mpolinowski.github.io/docs/Development/Javascript/2021-09-09--websocket-NGINX/2021-09-09/" target="_blank">proxy_pass websocket</a></blockquote></li><li><a class="no-external-link" href="https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/" target="_blank">Basic web authentication</a> (should be used with SSL at least)</li></ul><h2>Fail2Ban and Cloudflare</h2><ul><li><a class="no-external-link" href="https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-20-04" target="_blank">Basic Fail2Ban setup</a></li><li>To use Fail2Ban with Cloudflare, has to use <a class="no-external-link" href="https://niksec.com/using-fail2ban-with-cloudflare/" target="_blank">Cloudflare plugin</a> to also ban IP on Cloudflare.</li><li>Fail2Ban sees Cloudflare's IP (since it's a proxy service). Need to <a class="no-external-link" href="https://stackoverflow.com/questions/43689588/how-to-set-up-realip-module-in-nginx" target="_blank">configure Nginx real_ip </a> to expose real IP before basic auth, so that Fail2Ban and Cloudflare ban the correct IP source.</li></ul><blockquote><a class="no-external-link" href="https://www.cloudflare.com/ips/" target="_blank">Cloudflare IP</a></blockquote>

Expose Python web app via Nginx with Basic Auth

Fail2Ban and Cloudflare