IPFW Fail2ban behind a proxy


I have an HAProxy running on a pfSense router pointing to an nginx webserver in a FreeBSD jail. I want fail2ban running on the FreeBSD server to block remote clients reaching the webserver.

I came across this blog post http://centos.tips/fail2ban-behind-a-proxyload-balancer/ on how to use iptables to do packet introspection and block the remote client. The key command is this:
actionban = iptables -I fail2ban-<name> 1 -p tcp --dport 80 -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP

What would be the equivalent command in ipfw to do this?

Enable the realip module in nginx. And enable the forwardfor option in HAProxy. That way your logs will show the original client IP addresses, not the proxy's address. Then fail2ban can filter like normal.
It is a bit more complicated here. Unfortunately 'forwardfor' only works when HAProxy is used for http/SSL offloading. For 'tcp' mode one needs to use the 'send-proxy' option. And in nginx.conf I specify 'listen 443 ssl proxy_protocol;' to understand HAProxy. The client IP can then be grabbed by specifying 'real_ip_header proxy_protocol;' in nginx.conf.

So I was hoping that ipfw can be used to inspect the 'proxy headers' like iptables is being used to inspect 'X-Forwarded-For' in the example above.
Why not use HAProxy to offload SSL too? Since version 1.5 HAProxy can do this. Before that you had to do some stunnel tricks but that's not necessary any more, you simply add a listener on port 443 and let HAProxy do the rest. The traffic between HAProxy and the backends will then be 'regular' HTTP (making it a lot easier to use IDS/IPS too).
Going back to my OP, I guess it is not possible to mimic the iptables command with ipfw?

Since pfSense doesn't support Let's Encrypt natively where my HAProxy is, I couldn't do SSL offloading there. And I don't think manually copying certificates every three months is an option.
I think it will be better to move the proxy server from the router to a jail.
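
For reference, the 'proxy header' that HAProxy's send-proxy option puts in front of a tcp-mode connection is a single PROXY protocol v1 text line, sent once before any TLS bytes. The sketch below is an added example, not code from any poster in this thread: it parses that line and returns the address a ban should target, trusting the header only when the TCP peer is the proxy. The names parse_proxy_v1, ban_address and TRUSTED and all sample addresses are constructed for illustration.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest possible v1 header in bytes, CRLF included
# Assumption: the only peer allowed to supply a PROXY header is the router.
TRUSTED = [ipaddress.ip_network("192.0.2.1/32")]
# Constructed sample: header as sent by the proxy, followed by TLS bytes.
SAMPLE = b"PROXY TCP4 203.0.113.7 192.0.2.1 51234 443\r\n\x16\x03\x01"


def parse_proxy_v1(data: bytes):
    """Return (client_ip, client_port, remaining_bytes).

    client_ip and client_port are None for 'PROXY UNKNOWN'.
    Raises ValueError for anything that is not a well-formed v1 header.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("no PROXY v1 signature")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("header not terminated within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    addr = ipaddress.IPv4Address if fields[1] == "TCP4" else ipaddress.IPv6Address
    src = addr(fields[2])  # AddressValueError is a ValueError
    addr(fields[3])        # destination must be valid for the same family
    for port in fields[4:6]:
        if not port.isdigit() or int(port) > 65535:
            raise ValueError("bad port")
    return str(src), int(fields[4]), rest


def ban_address(peer_ip: str, data: bytes, trusted=TRUSTED) -> str:
    """Address to log or ban for a connection whose first bytes are data."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        return peer_ip  # header from an untrusted peer is spoofable: ignore it
    client_ip, _, _ = parse_proxy_v1(data)
    return client_ip or peer_ip  # UNKNOWN: fall back to the peer address


if __name__ == "__main__":
    print(ban_address("192.0.2.1", SAMPLE))
```

The trusted-peer check plays the same role as nginx's set_real_ip_from directive, which limits which upstream addresses may supply the client address used with real_ip_header proxy_protocol.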