Plugin: Limit Login Attempts Reloaded » Handling IP addresses with CDN

  • Resolved tedmsuperstar

    (@tedmsuperstar)


    I’ve installed the plugin on a site that’s behind a CDN. The CDN is passing an X-Forwarded-For header, and I see that there is code to handle that in the plugin as an option. However, it’s not working correctly — it’s blocking attempts from the CDN, i.e., for all users, during a lockout. Is handling of CDNs/proxies via X-Forwarded-For implemented? In stepping through the code I don’t see how the option gets activated (it does look like the header is read when the login happens).

    • This topic was modified 4 months, 3 weeks ago by  tedmsuperstar.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Update: I added some logging to the plugin, and I think I found a bug in the Limit Login Attempts Reloaded plugin code.

    The function get_address() does a sanity check on the X-Forwarded-For header, verifying that it’s a valid IP address, like this:

    filter_var( $_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP )

    However, the spec for that header is that it can be a comma-separated list, indicating the proxies the request has passed through. This comma-separated format will not pass the FILTER_VALIDATE_IP test. My CDN (fastly) adds the header in the comma-separated format, so the address blacklisted ends up being the address of the CDN.

    • This reply was modified 4 months, 3 weeks ago by  tedmsuperstar.
    Plugin Author 2by2host

    (@wpchefgadget)

    Hello tedmsuperstar,

    We have uploaded a new version of the plugin.

    The plugin doesn’t trust any IP addresses other than $_SERVER["REMOTE_ADDR"] anymore. Trusting other IP origins makes protection useless b/c they can be easily faked. This new version provides a way of secure IP unlocking for those sites that use a reverse proxy coupled with misconfigured servers that populate $_SERVER["REMOTE_ADDR"] with wrong IPs, which leads to mass blocking of users.

    Please try it out.

    Sweet! I’ll take a look. I *just* finished writing an extension of your plugin that does the same thing, but I’d rather use the core plugin as-is if it works for me. Thanks for getting back to me.

    Plugin Author 2by2host

    (@wpchefgadget)

    You are welcome tedmsuperstar!

    Hi again,

    I tried this out with fast.ly today. I’m seeing that $_SERVER["REMOTE_ADDR"] is a comma-separated list, like this:

    72.71.100.100, 153.50.22.98

    The first is my actual IP address, and the second is the address of the CDN node. This means that by clearing cookies, a user can try several times for each CDN node. My lockout log looks like this:

    May 01, 2019 17:43 72.71.100.100, 153.50.22.42 fred (1 lockouts)
    May 01, 2019 17:41 72.71.100.100, 153.50.22.28 fred (1 lockouts)
    May 01, 2019 17:40 72.71.100.100, 153.50.22.26 fred (1 lockouts)

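The two failure modes in this thread (a whole-header FILTER_VALIDATE_IP check that rejects any comma-separated list, and a REMOTE_ADDR that itself arrives as a list) share one fix: validate each hop on its own and only skip hops that belong to a known proxy range. The following is an added example, not code from the plugin or from either poster; the 153.50.22.0/24 proxy range and the sample addresses are constructed from the values quoted in the thread.

```php
<?php
// Added example, not the plugin's own code: derive the client IP behind a CDN
// without trusting header values the client can forge. TRUSTED_PROXIES is a
// constructed placeholder standing in for the CDN's published egress ranges.
const TRUSTED_PROXIES = ['153.50.22.0/24'];
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    if (($ipLong = ip2long($ip)) === false || ($netLong = ip2long($net)) === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}
function is_trusted_proxy(string $ip): bool {
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}
// Join X-Forwarded-For and REMOTE_ADDR into one hop list and, only if the direct
// peer is a trusted proxy, walk it from the right skipping trusted proxies: the
// first untrusted hop is the client; anything further left is client-supplied.
function resolve_client_ip(string $remoteAddr, ?string $xff): ?string {
    $chain = [];
    foreach (explode(',', ($xff ?? '') . ',' . $remoteAddr) as $hop) {
        $hop = trim($hop);
        if ($hop !== '' && filter_var($hop, FILTER_VALIDATE_IP) !== false) {
            $chain[] = $hop; // each hop is validated on its own, not the whole list
        }
    }
    if ($chain === [] || !is_trusted_proxy(end($chain))) {
        return filter_var($remoteAddr, FILTER_VALIDATE_IP) ?: null;
    }
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        if (!is_trusted_proxy($chain[$i])) {
            return $chain[$i];
        }
    }
    return end($chain); // every hop is a trusted proxy; fall back to the peer
}
// Constructed inputs echoing the thread: the whole-header check fails on a
// list, while the resolver recovers the client even from a list-valued REMOTE_ADDR.
var_dump(filter_var('72.71.100.100, 153.50.22.98', FILTER_VALIDATE_IP));
var_dump(resolve_client_ip('72.71.100.100, 153.50.22.98', null));
var_dump(resolve_client_ip('153.50.22.98', '10.0.0.9, 72.71.100.100'));
var_dump(resolve_client_ip('203.0.113.7', '72.71.100.100')); // untrusted peer: header ignored
```

Because lockouts are keyed on the resolved address rather than on whichever CDN node relayed the request, the per-node retry pattern shown in the lockout log above collapses back into a single counter for the real client.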