By using basic auth on your apps, there is nothing stopping people from trying to brute-force their way in. But by implementing Fail2ban, you can give the user or intruder x retries before they get banned.

Creating the .htpasswd file

Exec into your container and create the .htpasswd file.

Use this command to create a .htpasswd file. Just drop the docker part if you don’t use that.

docker exec -it letsencrypt htpasswd -c /config/nginx/.htpasswd USER-NAME

New password:
Re-type new password:
Adding password for user yourusername

The outcome would be like this:


If you choose to put the .htaccess in your root folder, you can block access to it with this:

location ~ /\. {
    return 404;
}


Use the include syntax and create a basicauth.conf file that you include in the block.

include /config/nginx/basicauth.conf;

Here is an example:

# SABNZBD redirect
location /sabnzbd {
    return 301 /sabnzbd/;
}
location /sabnzbd/ {
    # Ask for basic auth before proxying to the app
    include /config/nginx/basicauth.conf;
    include /config/nginx/proxy.conf;
}

Note: This will not work if you use server-based authentication with Organizr. Read more here

basicauth.conf contents

auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;


If you use linuxserver's letsencrypt container, Fail2ban should already be preconfigured to ban failed HTTP auths.

If not, you can add this to your jail.local file.


[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /config/log/nginx/error.log
ignoreip =

Note: The ignore IP is so that fail2ban won’t ban your local IP.
Check out if you are wondering what your CIDR notation is. Most often it will be /24 (netmask
To find your netmask, run ipconfig /all on Windows or ifconfig | grep netmask on Linux.

  • The logpath is the path to your nginx error log

You also need to create a file called nginx-http-auth.conf in the filter.d folder in the fail2ban directory.

# fail2ban filter configuration for nginx

[Definition]

failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$

ignoreregex = 

# Based on samples in
# Extensive search of all nginx auth failures not done yet.
# Author: Daniel Black

Fail2ban.log output

2017-11-04 15:14:58,867 fail2ban.filter [308]: INFO [nginx-http-auth] Ignore by ip
2017-11-04 15:14:58,868 fail2ban.filter [308]: INFO [nginx-http-auth] Ignore by ip
2017-11-04 15:52:04,055 fail2ban.filter [308]: INFO [nginx-http-auth] Found - 2017-11-04 15:52:04
2017-11-04 15:52:06,530 fail2ban.filter [308]: INFO [nginx-http-auth] Found - 2017-11-04 15:52:06
2017-11-04 15:52:16,989 fail2ban.filter [308]: INFO [nginx-http-auth] Found - 2017-11-04 15:52:16
2017-11-04 15:52:18,817 fail2ban.filter [308]: INFO [nginx-http-auth] Found - 2017-11-04 15:52:18
2017-11-04 15:52:29,309 fail2ban.filter [308]: INFO [nginx-http-auth] Found - 2017-11-04 15:52:29
2017-11-04 15:52:29,340 fail2ban.actions [308]: NOTICE [nginx-http-auth] Ban
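
A way to check the failregex above against log lines before relying on it, as an added example that is not from the original post. The log lines are constructed, the `<HOST>` stand-in is IPv4-only, `maxretry=5` and the `192.168.1.0/24` ignoreip network are assumptions, and findtime is not modelled.

```python
import ipaddress
import re
from collections import Counter

# failregex exactly as in the nginx-http-auth filter on this page.
FAILREGEX = (r'^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), '
             r'client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", '
             r'host: "\S+"(, referrer: "\S+")?\s*$')
# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', HOST))
# fail2ban cuts the timestamp it recognises out of the line before applying
# failregex, which is why the expression starts at " [error]".
TIMESTAMP = re.compile(r'^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}')

TAIL = ', server: _, request: "GET /sabnzbd/ HTTP/1.1", host: "example.com"'
SAMPLE_LOG = [  # constructed lines in nginx error.log format
    # five wrong passwords from an outside address
    *(f'2017/11/04 15:52:0{i} [error] 327#327: *{i} user "admin": password mismatch, '
      f'client: 203.0.113.7{TAIL}' for i in range(5)),
    # five wrong passwords from the local network (covered by ignoreip)
    *(f'2017/11/04 15:53:0{i} [error] 327#327: *{i} user "me": password mismatch, '
      f'client: 192.168.1.10{TAIL}' for i in range(5)),
    # one unknown user, below the threshold
    '2017/11/04 15:54:10 [error] 327#327: *9 user "bob" was not found in '
    '"/config/nginx/.htpasswd", client: 198.51.100.20' + TAIL,
    # an nginx error that is not an auth failure
    '2017/11/04 15:54:30 [error] 327#327: *10 open() "/config/www/favicon.ico" failed '
    '(2: No such file or directory), client: 198.51.100.20' + TAIL,
]

def failures(lines):
    """Count failregex matches per client address."""
    hits = Counter()
    for line in lines:
        m = PATTERN.match(TIMESTAMP.sub('', line, count=1))
        if m:
            hits[m.group('host')] += 1
    return hits

def bans(lines, maxretry=5, ignoreip=('192.168.1.0/24',)):
    """Addresses that reach maxretry and are not inside an ignoreip network."""
    nets = [ipaddress.ip_network(n) for n in ignoreip]
    return sorted(ip for ip, n in failures(lines).items()
                  if n >= maxretry and not any(ipaddress.ip_address(ip) in net for net in nets))

if __name__ == '__main__':
    print(dict(failures(SAMPLE_LOG)), bans(SAMPLE_LOG))
```

If a line from your own error.log is not counted here, the jail will not count it either, so no ban will follow.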


If you managed to ban yourself, or a friend banned themselves, you can do this to unban.

Exec into the container with:

docker exec -it letsencrypt bash

Enter fail2ban interactive mode:

fail2ban-client -i

Check the status of the jail:

status nginx-http-auth


Status for the jail: nginx-http-auth
|- Filter
| |- Currently failed: 0
| |- Total failed: 5
| `- File list: /config/log/nginx/error.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list:

Unban with:

set nginx-http-auth unbanip

If you already know the IP you want to unban you can just type this:

docker exec -it letsencrypt fail2ban-client set nginx-http-auth unbanip

For Fail2Ban integration with Organizr, check out my post here
