Building a Real-Time HTTP Anomaly Detection Engine for Nextcloud with Python, Nginx, and iptables

Fredrick Anyanwu — Wed, 29 Apr 2026 14:24:29 +0000

For this project, I deployed Nextcloud behind Nginx and built a Python daemon that performs real-time anomaly detection on incoming HTTP traffic.

The key requirement was to avoid static assumptions and instead learn “normal” traffic behavior continuously.

Stack and deployment model

VPS: Linux (2 vCPU / 2 GB RAM minimum)
Nextcloud container (provided image)
Nginx reverse proxy
Python detector daemon
Slack Incoming Webhooks
iptables for active mitigation
Live dashboard (Flask) Nginx writes JSON access logs to /var/log/nginx/hng-access.log, stored in a named Docker volume HNG-nginx-logs shared read-only with detector.

Nginx access logs include at minimum:

source_ip

I maintain two 60-second windows:

append timestamp
evict entries older than 60 seconds
compute rate from deque length This is a true rolling window implementation (not a minute bucket counter).

I keep a rolling 30-minute history of per-second counts and recalculate every 60 seconds.

Computed metrics:

mean request count
standard deviation
baseline error rate I also maintain hourly slots and prefer current-hour baseline once that slot has sufficient points. Floor values protect against near-zero baseline behavior.

An anomaly triggers when either condition is true:

if an IP’s error activity significantly exceeds baseline error behavior, per-IP thresholds are tightened automatically.

Per-IP anomaly:

Dashboard refreshes every 3 seconds and exposes:

[timestamp] ACTION ip | condition | rate | baseline | duration

Actions include: BAN, UNBAN, BASELINE, ALERT.

This project demonstrates: