

This suggests nginx options to use re: hostname. Unsure of your nginx config…
https://forum.syncthing.net/t/web-gui-over-nginx-proxy-only/13767
403 Forbidden doesn’t necessarily mean a bad login attempt. Are you sure that’s the error? My troubleshooting steps would be to access directly (no nginx), and look at the logs for a successful login. Then, try to log in with nginx, and look at those logs (both access.log and error.log on nginx, and any/all logs from syncthing). Find out where the two cases diverge and go from there.
Does syncthing have a domain name specified? If it doesn’t know its domain name it may work from IP directly but not via reverse proxy. Just a hunch.
I’d definitely take a look at the syncthing logs…
Can you post the syncthing logs, as well as the nginx logs?
I assume you’ve seen this: https://stackoverflow.com/questions/48626459/refused-to-execute-script-because-strict-mime-type-checking-is-enabled
Can you post your nginx config? Is it just this one with different variables? https://docs.syncthing.net/users/reverseproxy.html
As others have said, it’s a bit outdated. Being slow is one thing, but having limited software support can be very frustrating.
If possible I would try for a raspberry pi instead, as those have very strong ecosystems (yes, there are problems, but still — it’s a big community). A 5 with 8GB would be ideal, but something lower spec (even a 3) would probably still be more capable.
I think parent is hosting on their own physical hardware, just using a VPS for a public IP. I do the same (I use WireGuard instead, but similar idea). The VPS is doing the same thing as Cloudflare in your setup. I’m a proponent of this setup because the only reliance is on a totally generic VPS, of which there are many providers.
Not sure how reverse proxy is avoided this way — do you enter port numbers for your services when you access them, or have one service per machine?
I have a few publicly accessible services, and a bunch of private services, but everything is reverse proxy’d — I find it very convenient, as for example I can go to https://wap.mydomain.net for my access point admin page, or photos.mydomain.net for my Immich instance. I have a reverse proxy on my VPS for public services, and another one on my lan for private services; WireGuard between VPS, LAN, and my personal devices. Possibly have huge security holes of course…
If you want to rule out most everything software, you can use dd and nc to benchmark file transfers with minimal overhead. iperf also your friend of course :)
Does the raspberry pi have a wifi adapter, and is it unused for your project?
If so, you can use your pi as an access point — no need for cables, you just connect your laptop to the pi’s SSID.
Downside is that now your laptop doesn’t have Internet access, which may be a deal breaker (unless you can plug your pi into a router and get access through it). You could just get a cheap USB wifi dongle for your laptop and use one interface for Internet, one for pi.
Hostapd is probably how you would go about this if you’re interested (https://learn.adafruit.com/setting-up-a-raspberry-pi-as-a-wifi-access-point/install-software)
Fail2ban config can get fairly involved in my experience. I’m probably not doing it the right way, as I wrote a bunch of web server ban rules — anyone trying to access wpadmin gets banned, for instance (I don’t use WordPress, and if I did, it wouldn’t be accessible from my public facing reverse proxy).
I just skimmed my nginx logs and looked for anything funky and put that in a ban rule, basically.
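An added example, not part of the comment above and not the commenter's own rules: a standalone Python check of the matching logic behind a "ban anyone requesting a path I never serve" rule, run over constructed nginx combined-format log lines. The path list and sample lines are assumptions, and the pattern is written for this script, not as a drop-in fail2ban failregex. It is anchored to the request line so that a referer or query string that merely mentions a banned path does not get a legitimate client banned.

```python
import re

# Constructed sample lines in nginx's default "combined" access log format.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:06:25:14 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:06:26:02 +0000] "POST /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:06:27:40 +0000] "GET /photos/album/3 HTTP/1.1" 200 5120 "https://example.net/wp-admin/" "Mozilla/5.0"
192.0.2.45 - - [10/Mar/2024:06:28:11 +0000] "GET /search?q=wp-admin HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:06:29:55 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Hypothetical list of paths this site never serves (assumption for the example).
BANNED_PREFIXES = ["/wp-admin", "/wp-login.php", "/xmlrpc.php"]


def build_pattern(prefixes):
    """Compile a regex that matches only when the *requested path* starts
    with a banned prefix. Everything is anchored from the start of the line,
    so the referer and user-agent fields can never satisfy it."""
    alternatives = "|".join(re.escape(p) for p in prefixes)
    return re.compile(
        r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) - \S+ \[[^\]]+\] '   # client, user, time
        r'"(?:GET|POST|HEAD) (?:' + alternatives + r')'            # method + banned prefix
        r'(?:[/?][^" ]*)? HTTP/[\d.]+" '                           # rest of path, protocol
    )


def hosts_to_ban(log_text, prefixes=BANNED_PREFIXES):
    """Return the set of client addresses that requested a banned path."""
    pattern = build_pattern(prefixes)
    banned = set()
    for line in log_text.splitlines():
        match = pattern.match(line)
        if match:
            banned.add(match.group("host"))
    return banned


if __name__ == "__main__":
    for host in sorted(hosts_to_ban(SAMPLE_LOG)):
        print("would ban", host)
```

Running a candidate rule against a saved copy of access.log this way, before enabling it, shows which real clients it would have banned.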