Thanks, simos.
I use iptables for port-forwarding to the HAProxy container, so I followed the option 1 suggestion. However, I use apache, so I used mod_rpaf. But . . . although all of this was very educational (thank you for that), I learned that all we needed to do was add the following to the Wordpress wp-config.php file:
define(‘WP_FAIL2BAN_PROXIES’,’<IPv6_address_redacted>’);
replacing <IPv6_address_redacted> with the haproxy’s IPv6 address. Now the fail2ban Wordpress plugin populates /var/log/auth.log with IPv4 addresses of the source, and blocking can ensue.
Thanks again.
John