Thanks for the tip. Using that, I searched and found this.
Now my traefik.yml changes are:

    # (the name line of the first entry point is not part of this excerpt)
      http:
        redirections:
          entryPoint:
            to: websecure
            scheme: https
        middlewares:
          - my-cloudflarewarp
          - crowdsec-bouncer@file
      forwardedHeaders:
        trustedIPs:
          - 127.0.0.1/32
          - 172.20.0.0/24
          - 173.245.48.0/20
          - 103.21.244.0/22
          - 103.22.200.0/22
          - 103.31.4.0/22
          - 141.101.64.0/18
          - 108.162.192.0/18
          - 190.93.240.0/20
          - 188.114.96.0/20
          - 197.234.240.0/22
          - 198.41.128.0/17
          - 162.158.0.0/15
          - 104.16.0.0/13
          - 104.24.0.0/14
          - 172.64.0.0/13
          - 131.0.72.0/22
          - '2400:cb00::/32'
          - '2606:4700::/32'
          - '2803:f800::/32'
          - '2405:b500::/32'
          - '2405:8100::/32'
          - '2a06:98c0::/29'
          - '2c0f:f248::/32'
    websecure:
      address: :443
      http:
        tls:
          certresolver: cf_production
        middlewares:
          - my-cloudflarewarp
          - crowdsec-bouncer@file
      http3:
        advertisedPort: 443
      forwardedHeaders:
        trustedIPs:
          - 127.0.0.1/32
          - 172.20.0.0/24
          - 173.245.48.0/20
          - 103.21.244.0/22
          - 103.22.200.0/22
          - 103.31.4.0/22
          - 141.101.64.0/18
          - 108.162.192.0/18
          - 190.93.240.0/20
          - 188.114.96.0/20
          - 197.234.240.0/22
          - 198.41.128.0/17
          - 162.158.0.0/15
          - 104.16.0.0/13
          - 104.24.0.0/14
          - 172.64.0.0/13
          - 131.0.72.0/22
          - '2400:cb00::/32'
          - '2606:4700::/32'
          - '2803:f800::/32'
          - '2405:b500::/32'
          - '2405:8100::/32'
          - '2a06:98c0::/29'
          - '2c0f:f248::/32'
      proxyProtocol:
        trustedIPs:
          - 127.0.0.1/32
          - 172.20.0.0/24
          - 173.245.48.0/20
          - 103.21.244.0/22
          - 103.22.200.0/22
          - 103.31.4.0/22
          - 141.101.64.0/18
          - 108.162.192.0/18
          - 190.93.240.0/20
          - 188.114.96.0/20
          - 197.234.240.0/22
          - 198.41.128.0/17
          - 162.158.0.0/15
          - 104.16.0.0/13
          - 104.24.0.0/14
          - 172.64.0.0/13
          - 131.0.72.0/22
          - '2400:cb00::/32'
          - '2606:4700::/32'
          - '2803:f800::/32'
          - '2405:b500::/32'
          - '2405:8100::/32'
          - '2a06:98c0::/29'
          - '2c0f:f248::/32'

And the access.log file shows true public IP addresses.
Sadly, all of this was for naught, as Fail2Ban still wasn't working. I tweaked a bit there but, as you can see, ended up going with CrowdSec, although I'd still like an additional layer of brute-force protection. Need to do some further research on CrowdSec, I guess.
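
Added example, not part of the post above and not Traefik's or the plugin's own code: a generic sketch of the trusted-proxy rule that a `trustedIPs` list exists to enforce, showing why a forwarded address is accepted only when the connecting peer is a listed proxy. The `TRUSTED` subset, the function names and the sample addresses are assumptions constructed for the illustration.

```python
import ipaddress

# Subset of the trustedIPs entries from the post (assumed sufficient for the demo).
TRUSTED = [ipaddress.ip_network(n) for n in (
    "127.0.0.1/32", "172.20.0.0/24", "173.245.48.0/20",
    "162.158.0.0/15", "2606:4700::/32",
)]

def _parse(addr):
    """Return an ip_address object, or None if addr is not a valid IP."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None

def is_trusted(addr):
    """True if addr falls inside one of the trusted proxy ranges."""
    ip = _parse(addr)
    return ip is not None and any(
        ip.version == net.version and ip in net for net in TRUSTED)

def client_ip(peer, xff=""):
    """Address to log or ban for a connection from `peer` carrying X-Forwarded-For `xff`."""
    if not is_trusted(peer):
        return peer  # header came from an unlisted source: ignore it entirely
    # Walk right to left: each trusted proxy appended the hop it saw, so the
    # first untrusted hop is the nearest address a trusted proxy vouched for.
    for hop in reversed(xff.split(",")):
        if not hop.strip() or is_trusted(hop):
            continue
        ip = _parse(hop)
        return str(ip) if ip else peer  # malformed hop: fall back to the peer
    return peer

if __name__ == "__main__":
    # Constructed samples: (peer address, X-Forwarded-For header value)
    samples = [
        ("162.158.10.20", "203.0.113.7"),             # via a listed proxy
        ("198.51.100.9", "203.0.113.7"),              # direct hit, forged header
        ("162.158.10.20", "10.9.9.9, 203.0.113.7"),   # client-supplied left entry
        ("172.20.0.5", "203.0.113.7, 162.158.10.20"), # proxy chain
    ]
    for peer, xff in samples:
        print(f"{peer:15} XFF={xff!r:32} -> {client_ip(peer, xff)}")
```

A ban tool reading the access log acts on whatever this kind of resolution returns, so a range missing from the list makes every request appear to come from the proxy, and an overly broad range lets clients choose the address that gets logged.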