Fail2ban not notifying cloudflare servers, not sure why

Hello!

I’m trying to put my dev server with HTTP passwords behind a Zero Trust tunnel. I’d like erroneous logins caught by fail2ban to also be banned on the Cloudflare side. fail2ban works locally, but Cloudflare isn’t updated somehow.

  1. In /etc/fail2ban/jail.local, under [apache] I’ve added:

         action = cloudflare
                  iptables-allports

  2. In /etc/fail2ban/action.d/Cloudflare.conf I copied the file from https://github.com/fail2ban/fail2ban/blob/master/config/action.d/cloudflare.conf and added my ‘cftoken’ and ‘cfuser’ at the bottom.

  3. I forwarded the real IP from Cloudflare to Apache by adding the header RemoteIPHeader CF-Connecting-IP in /etc/apache2/sites-available/000-default.conf.

The banning works: if I do some failed attempts, in /var/log/fail2ban.log I get:

fail2ban.actions [2854]: NOTICE [apache] Ban xxx.xxx.xxx.xxx

And it’s the real IP, and it’s banned, but only locally. The site keeps being available through the Zero Trust tunnel, and if I look at the Security > WAF page there are no new IP rules there.

I’m missing something - but I don’t know what. Any input is much appreciated.
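Added example (editor's code, not from the original post or the fail2ban project): a POSIX shell check that reads the jail's `action =` setting from a jail.local file, verifies that every action named there resolves to a file of exactly that name under action.d (fail2ban resolves `action = cloudflare` to `action.d/cloudflare.conf`, and the lookup is case-sensitive on a Linux filesystem), and verifies that the `cftoken` and `cfuser` values in the Cloudflare action file are not left empty. The paths and jail name are passed as arguments; the key names `cftoken` and `cfuser` are the ones the post mentions. The sample files in the usage below are constructed for illustration.

```shell
#!/bin/sh
# check_cf_action JAIL_LOCAL ACTION_DIR JAIL
#   Prints one finding per line and returns 0 only when every action named in
#   [JAIL] has an action.d file with exactly that name and, for the cloudflare
#   action, cftoken/cfuser carry non-empty values. Read-only; touches no service.
check_cf_action() {
    jail_local=$1; action_dir=$2; jail=$3; rc=0

    # Collect the action name(s): the "action =" line of the [JAIL] section plus
    # any indented continuation lines (fail2ban allows one action per line).
    actions=$(awk -v jail="[$jail]" '
        $0 == jail { in_sec = 1; next }
        /^\[/      { in_sec = 0 }
        in_sec && /^[[:space:]]*action[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); if ($0 != "") print; in_act = 1; next
        }
        in_sec && in_act && /^[[:space:]]+[^[:space:]]/ { sub(/^[[:space:]]+/, ""); print; next }
        { in_act = 0 }
    ' "$jail_local")

    if [ -z "$actions" ]; then
        echo "no action setting found for [$jail] in $jail_local"
        return 1
    fi

    for a in $actions; do
        name=${a%%\[*}          # drop "[param=...]" suffixes, keep the action name
        found=""; near=""
        # Compare directory entries by exact string so the case check is the same
        # on case-sensitive and case-insensitive filesystems.
        for g in "$action_dir"/*.conf; do
            [ -e "$g" ] || continue
            b=$(basename "$g" .conf)
            if [ "$b" = "$name" ]; then
                found=$g
            elif [ "$(printf %s "$b" | tr '[:upper:]' '[:lower:]')" = \
                   "$(printf %s "$name" | tr '[:upper:]' '[:lower:]')" ]; then
                near=$g
            fi
        done

        if [ -n "$found" ]; then
            echo "ok: action '$name' -> $found"
        else
            echo "missing: action '$name' expects $action_dir/$name.conf"
            [ -n "$near" ] && echo "  found $near instead; the name in jail.local must match the file name exactly"
            rc=1
            continue
        fi

        # The Cloudflare action only works once both credentials are filled in.
        if [ "$name" = cloudflare ]; then
            for key in cftoken cfuser; do
                val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$found" | tail -n 1)
                if [ -z "$val" ]; then
                    echo "empty: $key in $found"
                    rc=1
                else
                    echo "ok: $key is set in $found"
                fi
            done
        fi
    done
    return $rc
}
```

Run it as `check_cf_action /etc/fail2ban/jail.local /etc/fail2ban/action.d apache`; a non-zero exit with a `missing:` or `empty:` line names the piece of the chain that the running server cannot use. To confirm what the server actually loaded, `fail2ban-client get apache actions` lists the actions attached to the jail, and `fail2ban-client reload` picks up edits to jail.local or action.d.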