Openhab behind Nginx reverse proxy + fail2ban

Hi, All
I’m trying to set up openhab behind nginx reverse proxy in conjunction with a fail2ban for user authentication but i meet a problem which i cannot solve

in normal log after wrong authentication there are records like this:
2023-05-03 19:04:06.184 [WARN ] [uth.internal.AbstractAuthPageServlet] - Authentication failed from User not found: User
Where address of the reverse proxy server

at the debug level log i can see information about Real user ip:

tail -1000 /var/log/openhab/openhab.log | grep ^X-


for fail2ban can be useful information about real user ip only
Is the possible to take this information from log files in the regular system work mode?

You need to set up fail2ban to run on the nginx logs. All OH will see is the IP address for NGINX as that’s where the request is coming from from it’s perspective.

does this mean I have to use only basic auth from nginx?

I don’t know. I don’t know much about nginx. But if you want to use fail2ban to block failed login attempts the only way I know to do that is to do so based on the auth logs in the reverse proxy. It’s a really good idea to implement authentication at the reverse proxy anyway.

Unfortunately, I did not succeed in setting up openhab normally behind a reverse proxy with basic authentication. constant re-requests for authorization from nginx and openhab and other artifacts. I had to consider alternative protection options including fail2ban.

openhab> version
basic auth activated

server {
listen 443 ssl;
listen [::]:443 ssl;
server_name my.domain;

ssl_certificate         /etc/letsencrypt/live/my.domain/fullchain.pem;
ssl_certificate_key     /etc/letsencrypt/live/my.domain/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/my.domain/chain.pem;

# Logging
access_log              /var/log/nginx/shaome_access.log;
error_log               /var/log/nginx/shome_error.log warn;

# Cross-Origin Resource Sharing.
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow_Credentials' 'true' always;
add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;

# openHAB 3 api authentication
add_header Set-Cookie X-OPENHAB-AUTH-HEADER=1;

add_header                      Strict-Transport-Security "max-age=31536000"; 

location / {
    proxy_pass                    ;
    proxy_set_header Host                   $http_host;
    proxy_set_header X-Real-IP              $remote_addr;
    proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto      $scheme;
proxy_read_timeout                    3600;
    proxy_set_header Upgrade                $http_upgrade;
    proxy_set_header Connection             "Upgrade";
    proxy_set_header Authorization          "";
    auth_basic                              "Username and Password Required";
    auth_basic_user_file			/etc/nginx/auth.htpasswd;