Support » Plugin: Jetpack by WordPress.com » Jetpack and trusted proxies

  • Resolved edo888

    (@edo888)


    Hi,

    I’m contacting you to check if there is a way to define proxy IPs as trusted instead of just whitelisting IPs. In other words, some of the functionality the nginx realip module (http://nginx.org/en/docs/http/ngx_http_realip_module.html) offers:

    
    set_real_ip_from  192.168.2.1;
    set_real_ip_from  192.168.2.2;
    ...
    real_ip_header X-Real-IP;
    

    We are a translation proxy and our customers are having issues when our proxy IPs are getting blocked, because of high volume traffic and failed login attempts on translated pages. All the login attempts are proxied through our translation proxy to the original website and Jetpack is using the connecting IP (proxy IP) instead of the real visitor IP address. Obviously white-listing entire proxy IPs is not a good idea, so is it possible to have a list of IPs which will be trusted and Jetpack will use the real visitor IP address sent by the proxy to determine if the request should be blocked or it can go forward?

    Thanks! 🙂
    Edvard Ananyan,
    CEO GTranslate Inc.
    https://gtranslate.io

  • Plugin Support KokkieH

    (@kokkieh)

    Hello Edvard,

    From what you’re describing, Protect might not be the best security option for your setup, and it might be better to rather disable Protect and use a different security plugin instead that can be configured in the way you need it to work.

    Something that might work is if you can forward visitors’ real IPs through the REMOTE_ADDR server header. Then we can configure Protect on our end to look for that header instead. But it’s not guaranteed to work in all cases, and if you later change your server configuration you’ll need to contact us again to change things on our end as well.

  • edo888

    (@edo888)

    Hi,

    Thanks for your response!

    I’m not using Jetpack, our clients do, so we need to find a solution which can work for them when they use our proxy and Protect together.

    We are sending X-Real-IP and X-GT-ClientIP headers, which are equivalent and contain the real visitor IP address. I doubt that if I send a REMOTE_ADDR header the server on the other end will take it into account. As far as I know, it is a predefined variable in the $_SERVER global var and is set by the server internally.

    Trusting the headers we send blindly will be a security issue, since anyone can fake them. That’s why I’m asking to see if you are willing to support a trusted proxy IPs feature, which basically says: trust the headers sent from these IPs.

    Thanks! 🙂
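
The trusted-proxy check requested in the post above, as an added PHP sketch that is not part of the thread and not Jetpack's code: the X-Real-IP value is used only when the connecting address (REMOTE_ADDR) is on a trusted list. The names `TRUSTED_PROXIES`, `ip_in_cidr` and `client_ip` are hypothetical, and the CIDR entry and sample requests are constructed.

```php
<?php
// Added illustration, not Jetpack code. All function and constant names are hypothetical.
// The first two entries come from the nginx snippet above; the CIDR range is constructed.
const TRUSTED_PROXIES = ['192.168.2.1', '192.168.2.2', '192.168.3.0/24'];

// True if $ip lies inside $cidr (a bare address counts as a /32 or /128).
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or IPv4 compared against IPv6
    }
    $max = strlen($ipBin) * 8;
    if ($bits !== null && !ctype_digit($bits)) {
        return false; // reject "/abc" rather than letting it cast to /0
    }
    $bits = $bits === null ? $max : (int) $bits;
    if ($bits > $max) {
        return false;
    }
    $full = intdiv($bits, 8);
    $rem  = $bits % 8;
    if (strncmp($ipBin, $netBin, $full) !== 0) {
        return false;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF; // partial-byte mask, 0 when $rem is 0
    return $rem === 0 || (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

// Address to rate-limit on: the header value only when the TCP peer is a trusted proxy.
function client_ip(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            $claimed = trim($server['HTTP_X_REAL_IP'] ?? '');
            // Use the header only if it holds exactly one well-formed address.
            return filter_var($claimed, FILTER_VALIDATE_IP) !== false ? $claimed : $peer;
        }
    }
    return $peer; // untrusted peer: any X-Real-IP it sent is ignored
}

// Constructed requests: one relayed by a listed proxy, one direct with a forged header.
$relayed = ['REMOTE_ADDR' => '192.168.2.1',  'HTTP_X_REAL_IP' => '203.0.113.7'];
$forged  = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_REAL_IP' => '203.0.113.7'];
echo client_ip($relayed), PHP_EOL, client_ip($forged), PHP_EOL;
```

With this logic a blocked address is always the visitor's when traffic arrives through a listed proxy, and a direct client that forges the header is still tracked by its own connecting address.
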

  • Plugin Contributor James Huff

    (@macmanx)

    Volunteer Moderator

    We will take REMOTE_ADDR into account, but if you run into trouble, let us know the URL of the affected sites and we can whitelist whichever header is being used by the visitor’s IP.
