nginx with fail2ban and mod_security

Posted by Mahesh on Server Fault See other posts from Server Fault or by Mahesh
Published on 2013-10-21T20:37:02Z Indexed on 2013/10/21 21:55 UTC

I forgot to update my fail2ban config for nginx. I just moved to nginx from Apache.
Today, I got a lot of calls from a single IP.

IP tried to access login pages with POST and GET methods
IP tried to use nginx as a proxy (GET http:/...)
IP searched images, js, css folders
IP tried to inject -d url_allow_fopen =1 and something similar.

Most of the calls ended with 404.

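http {
    # Track clients by address in a 10 MB shared zone named "app", 5 requests/second each.
    limit_req_zone  $binary_remote_addr  zone=app:10m   rate=5r/s;
    ...
    server {
        ...
        location / {
            # Up to 50 requests over the rate are queued and delayed; more than that are rejected.
            limit_req   zone=app burst=50;
        }
    }
}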

I got approximately 50 requests from that IP in a second. So I updated my nginx config like the above. Will it avoid too many connections per second now?

I have updated my fail2ban jail.local to support nginx.

I am confused with the nginx-noscript.conf.

[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)
ignoreregex =

I am serving PHP with nginx. I checked Apache's noscript.conf, which has the .php extension in it too. I tested the above settings before restarting fail2ban and got thousands of IPs matched. I removed php and nothing matched.

Do I need .php| in nginx-noscript.conf?

Does using mod_security and fail2ban together cause any problems?
When I was searching today, I came to know mod_security is available for nginx too. So I am planning to use it too.

© Server Fault or respective owner
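
An added example, not part of the original post: the post's failregex run over constructed access-log lines with Python's `re` (the regex dialect fail2ban filters use), showing how the `\.php` alternative counts ordinary traffic on a site that serves PHP. The `HOST` stand-in and the `GET_404_ONLY` variant are assumptions introduced here for illustration, not fail2ban's own pattern or the poster's configuration.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> substitution (assumption: IPv4 only;
# the real substitution also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex exactly as posted, and the same filter with \.php removed.
WITH_PHP = r"^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)"
WITHOUT_PHP = r"^<HOST> -.*GET.*(\.asp|\.exe|\.pl|\.cgi|\scgi)"
# Hypothetical tighter variant: extension must be in the request path and the
# response must be 404, so scripts that really exist are not counted.
GET_404_ONLY = r'^<HOST> -[^"]*"GET [^" ]*(\.php|\.asp|\.exe|\.pl|\.cgi)\S* HTTP/[\d.]+" 404 '

# Constructed lines in nginx's "combined" log format (documentation addresses).
SAMPLE_LOG = """\
198.51.100.7 - - [21/Oct/2013:20:01:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Oct/2013:20:01:11 +0000] "GET /css/site.css HTTP/1.1" 200 900 "http://example.test/index.php" "Mozilla/5.0"
198.51.100.8 - - [21/Oct/2013:20:01:12 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.50 - - [21/Oct/2013:20:02:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 162 "-" "-"
203.0.113.50 - - [21/Oct/2013:20:02:01 +0000] "GET /admin/setup.asp HTTP/1.1" 404 162 "-" "-"
203.0.113.50 - - [21/Oct/2013:20:02:02 +0000] "GET /images/ HTTP/1.1" 404 162 "-" "-"
203.0.113.50 - - [21/Oct/2013:20:02:03 +0000] "GET /phpmyadmin/setup.php HTTP/1.1" 404 162 "-" "-"
"""


def hits_per_host(failregex, log_text):
    """Count matching log lines per client address for one failregex."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    counts = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    return dict(counts)


if __name__ == "__main__":
    for name in ("WITH_PHP", "WITHOUT_PHP", "GET_404_ONLY"):
        print(name, hits_per_host(globals()[name], SAMPLE_LOG))
```

With the posted filter the legitimate visitor 198.51.100.7 is counted twice, once for a real page and once because `.php` appears in the Referer of a CSS request; the POST to `/login.php` is never counted because the filter only looks for `GET`.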
