Limit Login Attempts
Bugfix for Multiple Proxies (1 post)

  1. sabat
    Member
    Posted 1 year ago #

    I happen to be running WP on Heroku with Cloudflare as the CDN. Given Heroku's architecture, you end up with what appears to be two proxies and not just one.

    I noticed that Limit Login Attempts didn't recognize the format for multiple IPs in the HTTP_X_FORWARDED_FOR header: you get a comma-delimited list rather than just a single IP.

    That obviously won't work, so I've put in a small function to make sure that the first IP in that HTTP_X_FORWARDED_FOR list is used as the actual client IP (because it is). See below.

    /* Return the first (left-most) entry of a comma-delimited address list */
    function first_ip_address($address_list) {
            $addresses = explode(',', $address_list);
            return trim($addresses[0]);
    }
    
    /* Get correct remote address */
    function limit_login_get_address($type_name = '') {
            $type = $type_name;
            if (empty($type)) {
                    $type = limit_login_option('client_type');
            }
    
            if (isset($_SERVER[$type])) {
                    return first_ip_address($_SERVER[$type]);
            }
    
            /*
             * Not found. Did we get proxy type from option?
             * If so, try to fall back to direct address.
             */
            if ( empty($type_name) && $type == LIMIT_LOGIN_PROXY_ADDR
                     && isset($_SERVER[LIMIT_LOGIN_DIRECT_ADDR])) {
    
                    /*
                     * NOTE: Even though we fall back to direct address -- meaning you
                     * can get a mostly working plugin when set to PROXY mode while in
                     * fact directly connected to Internet it is not safe!
                     *
                     * Client can itself send HTTP_X_FORWARDED_FOR header fooling us
                     * regarding which IP should be banned.
                     */
    
                    return first_ip_address($_SERVER[LIMIT_LOGIN_DIRECT_ADDR]);
            }
    
            return '';
    }

    http://wordpress.org/extend/plugins/limit-login-attempts/
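
An added example, not part of the original post or of the plugin's own code: when the proxies in front of the site are known, the client address can be chosen by walking REMOTE_ADDR and the X-Forwarded-For list from right to left and stopping at the first address that is not a trusted proxy, so entries a client put in the header itself are never reached. The function names and the `$trusted` CIDR list are hypothetical, and the sample addresses are constructed.

```php
<?php
// Added example; function names and the $trusted list are hypothetical.

/* True if $ip lies inside $cidr (IPv4 or IPv6, e.g. "10.0.0.0/8"). */
function ip_in_cidr($ip, $cidr) {
    list($subnet, $bits) = array_pad(explode('/', $cidr, 2), 2, null);
    $ip_bin  = @inet_pton($ip);
    $net_bin = @inet_pton($subnet);
    if ($ip_bin === false || $net_bin === false || strlen($ip_bin) !== strlen($net_bin)
            || ($bits !== null && !ctype_digit($bits))) {
        return false; // unparsable input or mixed address families
    }
    $bits = ($bits === null) ? 8 * strlen($ip_bin) : min(8 * strlen($ip_bin), (int) $bits);
    $full = intdiv($bits, 8); // whole bytes covered by the prefix
    $rem  = $bits % 8;        // leftover bits in the following byte
    $mask = str_repeat("\xFF", $full) . ($rem ? chr((0xFF << (8 - $rem)) & 0xFF) : '');
    $mask = str_pad($mask, strlen($ip_bin), "\x00");
    return ($ip_bin & $mask) === ($net_bin & $mask);
}

/*
 * Walk REMOTE_ADDR, then the X-Forwarded-For entries from last to first, and
 * return the first address that is not in the trusted proxy list.
 */
function client_ip_from_chain($remote_addr, $forwarded_for, array $trusted) {
    $chain   = array_filter(array_map('trim', explode(',', (string) $forwarded_for)), 'strlen');
    $chain[] = $remote_addr;
    $client  = $remote_addr;
    foreach (array_reverse($chain) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: keep the last address that validated
        }
        $client   = $hop;
        $is_proxy = false;
        foreach ($trusted as $cidr) {
            $is_proxy = $is_proxy || ip_in_cidr($hop, $cidr);
        }
        if (!$is_proxy) {
            break;
        }
    }
    return $client;
}

// Constructed sample: documentation address ranges, not real proxy ranges.
$trusted = array('10.0.0.0/8', '198.51.100.0/24');
$xff     = '203.0.113.7, 192.0.2.44, 198.51.100.9'; // left-most entry supplied by the client
echo client_ip_from_chain('10.1.2.3', $xff, $trusted), "\n";   // direct peer is a trusted proxy
echo client_ip_from_chain('192.0.2.99', $xff, $trusted), "\n"; // direct peer is not a trusted proxy
```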

Topic Closed

This topic has been closed to new replies.
