Hi,
I have a fair amount of experience with this, using a TO, with nginx in one (Ubuntu) LXC and guacamole in another (Ubuntu) LXC.
I have previously implemented Duo for 2FA with guacamole (and also CAS, https://apereo.github.io/cas/5.2.x/index.html), but you should know that Google Authenticator/TOTP is now available & I feel that is the best option, by far, for 2FA.
Regarding IP filters, I think you may be going overboard and introducing unnecessary complexity. The original firewall (port forward) rules you had, I feel, are sufficient… Honest!
FWIW, I usually implement such rules via CLI (172.27.0.100 is the address of my nginx proxy):
uci add firewall redirect
uci set firewall.@redirect[-1].name=Allow-HTTP-Inbound
uci set firewall.@redirect[-1].target=DNAT
uci set firewall.@redirect[-1].src=wan
uci set firewall.@redirect[-1].dest=lan
uci set firewall.@redirect[-1].proto=tcp
uci set firewall.@redirect[-1].src_dport=80
uci set firewall.@redirect[-1].dest_ip=172.27.0.100
uci set firewall.@redirect[-1].dest_port=80
uci add firewall redirect
uci set firewall.@redirect[-1].name=Allow-HTTPS-Inbound
uci set firewall.@redirect[-1].target=DNAT
uci set firewall.@redirect[-1].src=wan
uci set firewall.@redirect[-1].dest=lan
uci set firewall.@redirect[-1].proto=tcp
uci set firewall.@redirect[-1].src_dport=443
uci set firewall.@redirect[-1].dest_ip=172.27.0.100
uci set firewall.@redirect[-1].dest_port=443
uci commit firewall; /etc/init.d/firewall reload
I note UFW doesn’t work in LXC containers, and I feel Fail2Ban (or even knockd) is not useful here - YMMV.
In any case, I just leave IP-layer security alone on the LXCs & leave that up to the router IP tables (port forward rules, as above).
The other issue is SSL/HTTPS (I assume you’ve got nginx redirecting HTTP/:80 to HTTPS/:443), and there is a lot of material about regarding the creation of ‘secure’ certificates.
FWIW, I use a script similar to the following (although the below example are self-signed certs):
#!/usr/bin/env bash
## pushd/popd and the <( ) process substitution below need bash, not plain sh
PKI_DIR="/etc/nginx/ssl"
mkdir -p ${PKI_DIR}
chown -R root:root ${PKI_DIR}
chmod 700 ${PKI_DIR} ## was: chmod -R 600 ${PKI_DIR}; a directory needs the x bit to be entered
pushd ${PKI_DIR} ## was: cd ${PKI_DIR}
## private key + CSR, no passphrase (-nodes) so nginx can start unattended
openssl req -nodes -new -newkey rsa:2048 -keyout server.key -out server.csr \
-subj "/C=GB/ST=England/L=London/O=Essential Widgets/OU=IT/CN=www.server.com"
## self-sign the CSR for one year, adding the SANs that browsers actually match on
openssl x509 -signkey server.key -req -days 365 -in server.csr -out server.crt \
-extfile <(printf "subjectAltName=DNS:server.me,DNS:vm-server.home,DNS:*.dtdns.net")
## a CA-issued cert ships with an intermediate bundle to chain; a self-signed cert has none
if [ -f server.ca-bundle ]; then
cat server.crt server.ca-bundle > server.ca-bundle.crt
else
cp server.crt server.ca-bundle.crt
fi
## openssl dhparam wants its options before the bit size (the other order fails on newer OpenSSL)
openssl dhparam -out dh4096.pem 4096
openssl dhparam -out dh2048.pem 2048
ln -sf dh2048.pem dhparam.pem
chmod 640 *.* ## the private key stays readable by root only
chmod 644 *.crt *.pem
popd
The above is actually the easy bit…
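As an added example (not part of the original post), here is an nginx server block for the proxy LXC that consumes the files the script above writes to /etc/nginx/ssl and does the HTTP/:80 to HTTPS/:443 redirect the reply assumes; the guacamole container address 172.27.0.101 is a placeholder, and the hostname is one of the SANs from the script.

```nginx
# Added example, not from the original post. Assumes the script above has
# populated /etc/nginx/ssl and that guacamole's Tomcat listens on
# 172.27.0.101:8080 in its own LXC (placeholder address).
server {
    listen 80;
    server_name server.me;                     # one of the SANs in the script
    return 301 https://$host$request_uri;      # redirect HTTP/:80 to HTTPS/:443
}

server {
    listen 443 ssl;
    server_name server.me;

    ssl_certificate     /etc/nginx/ssl/server.ca-bundle.crt;  # cert (+ chain, if any)
    ssl_certificate_key /etc/nginx/ssl/server.key;            # root-owned, mode 640
    ssl_dhparam         /etc/nginx/ssl/dhparam.pem;           # symlink to dh2048.pem
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Nothing but guacamole is published through the port forward, so the
    # default location answers 404 instead of the stock nginx page.
    location / { return 404; }

    location /guacamole/ {
        proxy_pass http://172.27.0.101:8080/guacamole/;
        proxy_buffering off;                        # the guacamole tunnel is a live stream
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;     # pass the WebSocket upgrade through
        proxy_set_header Connection $http_connection;
        access_log off;
    }
}
```

Check it with `nginx -t` before reloading; the only inbound paths after this are the two DNAT rules above, terminating on this vhost.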