Hello All,
The issue I am having is not caused by OC, but it is related to the security of my server.
Regarding the setup, I have a CentOS 7 server running OC 10 with HTTPS and fail2ban installed. I also have another CentOS 7 server acting as an (Apache) reverse proxy (once again with HTTPS). On my reverse proxy, I have enabled IP forwarding, so that the client's public IP is visible to the OC server.
If I don't forward the client's public IP, in case of bad password attempts fail2ban will ban the proxy's local IP (as expected), leading to a general "blackout", since no one from the outside world will be able to access the OC server.
Here's the tricky part. Even though fail2ban detects the public IP after a few bad password attempts (and even though the public IP will appear to be banned), for some reason it will continue to have access to the OC server, so the client will be able to try as many passwords as he desires...
If I bypass the reverse proxy and port forward the traffic to my OC server, then fail2ban will successfully block any IP that makes several bad password attempts. But if the traffic is routed through the reverse proxy, then fail2ban will not operate as it should.
To sum things up, even though the reverse proxy is forwarding the client's public IP and even though fail2ban detects it, for some reason the IP ban does not work.
Any suggestions on the above?
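The symptom described above, modelled as an added example (this is not code from the original post or from ownCloud/fail2ban). fail2ban's default iptables-based ban action matches on the packet's source address, which behind a reverse proxy is the proxy's own IP rather than the client address extracted from the log; the log lines, regex, threshold and addresses below are constructed assumptions.

```python
import re
from collections import Counter

# Constructed ownCloud-style failed-login lines (assumed format, not from the post).
# The "Remote IP" is the forwarded client address that the jail's regex extracts.
SAMPLE_LOG = [
    "Login failed: 'admin' (Remote IP: '203.0.113.7')",
    "Login failed: 'admin' (Remote IP: '203.0.113.7')",
    "Login failed: 'admin' (Remote IP: '203.0.113.7')",
    "Login failed: 'bob' (Remote IP: '198.51.100.9')",
]
FAILREGEX = re.compile(r"Login failed: '[^']*' \(Remote IP: '(?P<host>[^']+)'\)")
MAXRETRY = 3               # assumed jail threshold
PROXY_IP = "10.0.0.2"      # assumed LAN address of the reverse proxy


def banned_hosts(lines, maxretry=MAXRETRY):
    """Mimic the jail: count regex matches per extracted host, ban at maxretry."""
    hits = Counter()
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            hits[m.group("host")] += 1
    return {host for host, n in hits.items() if n >= maxretry}


def netfilter_allows(banned, packet_src):
    """iptables-style ban: only the packet's source address is inspected."""
    return packet_src not in banned


def proxy_aware_allows(banned, packet_src, forwarded_for):
    """Ban enforced where the forwarded client address is visible (e.g. at the
    proxy, or in the web server using the X-Forwarded-For value)."""
    return packet_src not in banned and forwarded_for not in banned


def evaluate(lines, packet_src, forwarded_for):
    """Return the ban set and whether each enforcement point admits the connection."""
    banned = banned_hosts(lines)
    return {
        "banned": banned,
        "netfilter_allows": netfilter_allows(banned, packet_src),
        "proxy_aware_allows": proxy_aware_allows(banned, packet_src, forwarded_for),
    }


if __name__ == "__main__":
    # Via the proxy: the client IP is banned, yet the packets come from PROXY_IP.
    print(evaluate(SAMPLE_LOG, PROXY_IP, "203.0.113.7"))
    # Direct port-forward: packet source is the client itself, so the ban bites.
    print(evaluate(SAMPLE_LOG, "203.0.113.7", "203.0.113.7"))
```

The first call reproduces the post's "banned but still connecting" case; the second reproduces the working port-forward case.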