Fail2ban on apache with reverse proxy

Hello all,
I have bitwarden-rs running for some time now. And my family and me are happy with this.
But I had another look at the wiki for changes and I’m not sure anymore if I have setup fail2ban in the right way.

Could someone have a look at these settings, and advise me?

In /etc/Apache2/sites-available/
#added for bitwarden
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /notifications/hub(.*) ws://localhost:3012/$1 [P,L]
ProxyPass / http://localhost:9011/
SSLProxyEngine on
ProxyPreserveHost On
ProxyRequests Off
RequestHeader set X-Real-IP %{REMOTE_ADDR}s
#till here bitwarden

enabled = true
port = 80,443,8081,9011
filter = bitwarden
#action = iptables-allports[name=bitwarden, chain=FORWARD]
banaction = %(banaction_allports)s
logpath = /bw-data/bitwarden.log
maxretry = 3
bantime = 14400
findtime = 14400

On the wiki I see this:

Note: Docker uses the FORWARD chain instead of the default INPUT chain. Therefore replace the banaction line with the following action when using Docker:
action = iptables-allports[name=bitwarden_rs, chain=FORWARD]

NOTE: Do not use this if you use a reverse proxy before Docker container. If proxy, like apache2 or nginx is used, use the ports of the proxy and do not use chain=FORWARD, only when using Docker without proxy!

Is the banaction line in jail.d okay then? Or should I use: action = iptables-allports[name=bitwarden
without the “chain=FORWARD]” part?

I did some further reading and I think I have to change the banaction line to:
action = iptables-allports[name=bitwarden]
Is this right?
Anyone who is using this same setup? please

I am not but you may consider simply not using it.

Fail2ban relies on an ancient approach where you would limit attempts at an IP basis. The rationale being to

  • limit bruteforce → it is much better to set up 2FA on your accounts (several possibilities) and use long passwords. This way bruteforce will fail
  • limuit DoS → today it does not make sense: once something reached your NIC then it is too late, and you will have a DDoS and not a DoS anyway, and you will not be able to defend.

Fail2ban introduces a level of complexity and you will end up in a situation where a legitimate call is blocked for a reason or another.