0d29ff67-9bc6-4d66-a4cb-b34692ba9f46 Skip to content
evan.guru

Securing Self-Hosted Services: Reverse Proxy, Fail2Ban & Geo-IP Blocking (2025)

Exposing self-hosted applications (like Nextcloud, Gitea, Home Assistant, etc.) to the internet offers convenience but also opens potential security risks. Implementing layers of security is crucial. This guide provides a secure self-hosted applications guide focusing on three key tools: Reverse Proxies, Fail2Ban, and Geo-IP Blocking.

Why These Layers Matter

  • Reverse Proxy: Acts as a gateway, handling incoming traffic, managing SSL certificates, and hiding your internal services’ direct IP addresses/ports.
  • Fail2Ban: Monitors log files for malicious activity (like repeated failed logins) and automatically blocks offending IP addresses at the firewall level.
  • Geo-IP Blocking: Restricts access to your services based on the geographic location of the visitor’s IP address, blocking traffic from regions you don’t expect legitimate users from.

Layer 1: The Reverse Proxy (Example: Nginx Proxy Manager)

A reverse proxy is fundamental for hardening web server security when self-hosting. Nginx Proxy Manager (NPM) is a popular choice due to its easy-to-use web interface built on top of the powerful Nginx web server, often run in Docker.

Key Benefits of using NPM:

  • SSL Certificate Management: Easily obtain and automatically renew Let’s Encrypt SSL certificates for your domains, ensuring HTTPS encryption.
  • Simplified Host Configuration: Manage multiple services running on different ports behind a single public IP address and standard ports (80/443).
  • Access Control: Implement basic HTTP authentication or IP-based access lists.
  • Hides Internal Structure: Clients only interact with the proxy, not directly with your backend services.
  • Load Balancing (Basic): Can distribute traffic across multiple instances of a service (though less common in basic homelab setups).

Setting up Nginx Proxy Manager (Docker Compose Example):

version: '3.8'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    container_name: nginx-proxy-manager
    restart: unless-stopped
    ports:
      # Public HTTP Port:
      - '80:8080'
      # Public HTTPS Port:
      - '443:4443'
      # Admin Web Port:
      - '8181:81' # Map to a different host port like 8181
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt

Basic NPM Workflow:

  1. Access the NPM web UI (e.g., http://<your-docker-host-ip>:8181).
  2. Log in (default: admin@example.com / changeme). Change the default credentials immediately!
  3. Go to Hosts -> Proxy Hosts -> Add Proxy Host.
  4. Enter your Domain Names (e.g., nextcloud.yourdomain.com).
  5. Set Scheme to http or https depending on your backend service.
  6. Enter the Forward Hostname / IP (e.g., the internal IP of your Nextcloud server or Docker container name).
  7. Enter the Forward Port (e.g., 80 or 443 for Nextcloud).
  8. Go to the SSL tab, select Request a new SSL Certificate with Let’s Encrypt, enable Force SSL, and agree to the ToS.
  9. Save.

This nginx proxy manager tutorial provides a basic setup. Explore advanced features like Access Lists and Custom Nginx Configurations for further hardening.

Alternatives: Traefik (another popular Docker-aware reverse proxy), Caddy (known for automatic HTTPS), HAProxy, or manual Nginx/Apache configuration.

Layer 2: Fail2Ban (Intrusion Prevention)

Fail2Ban scans log files (e.g., SSH, web server logs, application logs) for patterns matching failed login attempts or other suspicious activity. When a threshold is reached from a specific IP, Fail2Ban updates firewall rules (like iptables or nftables) to block that IP for a configured duration.

Setting up Fail2Ban (Docker Example - often alongside NPM or on the host):

Running Fail2Ban effectively in Docker requires careful consideration of log access and network interaction. A common pattern is to run Fail2Ban in a container with privileged access or specific capabilities to modify the host’s firewall, and volume mount relevant log files from other containers or the host.

# Example: Running Fail2Ban container (simplified concept)
services:
  fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban
    network_mode: 'host' # Easier firewall interaction, less secure
    cap_add:
      - NET_ADMIN
      - NET_RAW # Necessary capabilities if not using host network
    volumes:
      - ./data:/data
      - /var/log:/var/log:ro # Mount host logs or specific container logs
      # Example: Mount NPM access logs
      - /path/to/npm/data/logs:/npm-logs:ro
    restart: always

Key Fail2Ban Configuration (jail.local):

  • Create a jail.local file (don’t edit jail.conf directly).
  • Define [DEFAULT] settings (e.g., bantime, findtime, maxretry).
  • Enable and configure specific jails for services you run:
    • [sshd] for SSH access.
    • [nginx-http-auth] if using NPM’s basic auth.
    • [nextcloud] (requires custom filter definition matching Nextcloud’s log format for failed logins).
    • Custom jails for other self-hosted apps (Gitea, etc.).

Benefits:

  • Automatically blocks brute-force attacks.
  • Reduces server load from malicious scanners.
  • Provides alerts on repeated attack attempts.

Setting up fail2ban docker requires understanding log paths and potentially creating custom filters for your specific applications.

Layer 3: Geo-IP Blocking

If your self-hosted services are only intended for users in specific countries, blocking traffic from other regions can significantly reduce your attack surface.

Methods:

  1. Reverse Proxy Level (Nginx/NPM): Nginx can use the ngx_http_geoip_module (or geoip2 for newer versions) with MaxMind GeoIP/GeoLite2 databases to block requests based on country codes. This often requires adding custom Nginx configuration snippets within NPM or manually editing Nginx configs.

    Example Nginx Snippet (Conceptual - requires GeoIP module & DB setup):

    # Requires geoip module and database configured
    geoip_country /path/to/GeoLite2-Country.mmdb;
    

    map $geoip_country_code $allowed_country {
        default no;
        US yes;
        CA yes;
        GB yes;
        # Add other allowed country codes
    }
    

    if ($allowed_country = no) {
        return 444; # Or 403 Forbidden
    }

    You would add this to the Custom Nginx Configuration section in NPM’s host settings.

  2. Firewall Level (iptables/nftables): Use tools like xtables-addons (for iptables) or nftables native geoip support, combined with IP-to-country databases, to block traffic at the firewall before it even reaches the reverse proxy.

  3. Cloudflare (or similar CDN/WAF): If using Cloudflare in front of your services (even the free tier), their Web Application Firewall (WAF) offers easy-to-configure Geo-IP blocking rules. This is often the simplest method if you’re already using Cloudflare.

Benefits:

  • Drastically reduces probes and attacks from irrelevant geographical regions.
  • Can improve performance by filtering unnecessary traffic.

Considerations:

  • Requires maintaining an up-to-date GeoIP database (MaxMind GeoLite2 is free but requires registration).
  • VPN users might be blocked if their VPN endpoint is in a restricted country.

Implementing block countries nginx geoip adds a significant barrier against automated attacks from common sources.

Cloudflare Tunnel vs. Reverse Proxy

Cloudflare Tunnels offer an alternative approach. Instead of opening ports on your firewall and using a reverse proxy, a lightweight daemon (cloudflared) on your host creates a secure, outbound-only connection to Cloudflare’s edge. Cloudflare then proxies traffic to your service through this tunnel.

Pros:

  • No open inbound ports required on your firewall (major security advantage).
  • DDoS protection and WAF features from Cloudflare.
  • Simplified setup for basic use cases.

Cons:

  • Relies on Cloudflare’s infrastructure (third-party dependency).
  • Configuration can be less flexible than a self-hosted reverse proxy for complex setups.
  • Data passes through Cloudflare (privacy consideration for some).

Verdict: For maximum security with minimal firewall exposure, Cloudflare Tunnels are an excellent option. For maximum control and flexibility within your own infrastructure, a self-hosted reverse proxy like NPM is preferred. You can even combine them (use NPM internally and expose it via a Cloudflare Tunnel).

Other Essential Security Practices

  • Regular Updates: Keep your OS, Docker, NPM, Fail2Ban, applications, and GeoIP databases up to date.
  • Strong Authentication: Use strong, unique passwords for all services and enable Two-Factor Authentication (2FA) wherever possible.
  • Firewall Rules: Implement strict firewall rules on your host machine and router, only allowing necessary traffic (e.g., only allow ports 80/443 inbound to the reverse proxy).
  • Minimize Exposure: Don’t expose services unnecessarily. Use VPNs (like WireGuard or Tailscale) for access when possible instead of opening ports.
  • Backups: Regularly back up your application data and configurations.
DigitalOcean VPS Hosting

DigitalOcean VPS Hosting

www.digitalocean.com

Cloud provider with simple security settings that make it easy to secure your hosted services

CrowdSec Security Tool

CrowdSec Security Tool

www.crowdsec.net

Community-driven security tool that detects and blocks attacks using collaborative defense

Conclusion

Securing your self-hosted services requires a multi-layered approach. Combining a reverse proxy security best practices setup (like Nginx Proxy Manager) with intrusion prevention (Fail2Ban) and traffic filtering (Geo-IP blocking) creates a robust defense against common automated attacks. Remember to supplement these tools with fundamental security hygiene like regular updates, strong authentication, and proper firewall configuration to complete your self-hosted security checklist.