Not only does your proxy server's logging work today, it lets you integrate fail2ban. Blocking those hammering on your server's front door is a good idea regardless, all this other justification aside.

Fossil only logs in very specific contexts. If it were to log every single http request it would be much more subject to locking errors. Consider that each visit may include essentially any number of other requests for additional resources like CSS, JS, and the favicon.

Thanks for the information, Warren and Stephan. Unfortunately my reverse proxy only seems to log the IP address, method, and which backend it went to, but not the full URL. (OpenBSD's relayd, which only has minimal HTTP support but does a lot of other kinds of relaying of network connections.)

Maybe I'll switch to running fossil via CGI, or to a fancier reverse proxy.

Does fail2ban gain me anything if I only have one account with a password not vulnerable to brute force attacks? I have never bothered with it, for ssh or anything else.

It's far more efficient to block known-bad IPs at the firewall level than to let them get clear down through to user space, through the proxy server, and out into CGI-land before the decision, "This is bad," gets made once again. Temporarily banning a malefactor for several minutes keeps that load off the system for a relative eternity in computer time, by which point the bad guy might well give up and go try to find less hostile hunting grounds.

If nothing else, it effectively stretches your password length. A password that might take a year to brute force now takes eons.

Thanks for pointing that out. As far as I know load is not a problem for my tiny website, but I should probably start monitoring that just in case :-)

Oops, it turns out OpenBSD's relayd can log more information. In case it's helpful to anyone else: see for example https://doc.huc.fr.eu.org/en/web/httpd/relayd-log/