Support » Plugin: Jetpack by WordPress.com » Jetpack locked login page with incorrect X-Forwarded-To

Viewing 8 replies - 1 through 8 (of 8 total)
    Plugin Contributor James Huff

    (@macmanx)

    Volunteer Moderator

    We can fix that on our end. What is the URL of the site?

    https://apologetics315.com

    Thanks, James! So, you will be changing where JetPack gets the client IP? I have BlueHost working on fixing the HTTP header, too.

    Plugin Contributor James Huff

    (@macmanx)

    Volunteer Moderator

    Interesting, this does look like something Bluehost will need to fix. These are the headers we’re getting:

    [HTTP_X_FORWARDED_FOR] => 162.144.179.14
    [REMOTE_ADDR] => 162.144.179.14

    So, something seems to be amiss with your server, and unfortunately we won’t be able to fix this on our end. Normally we just tell our system to trust a different header, like REMOTE_ADDR, but with both being sent as the server IP, that won’t do you much good.

    Yikes! Maybe BlueHost was messing around with REMOTE_ADDR during your test because I’m still getting my local IP for REMOTE_ADDR and 162.144.179.14 for HTTP_X_FORWARDED_FOR. Checked with both a little .php test script and using the “Debug Info” plugin.

    Plugin Contributor James Huff

    (@macmanx)

    Volunteer Moderator

    That very well could be, I’m also seeing different IPs in there now. 🙂

    Ok, I’ve set our end to only look at REMOTE_ADDR now, and that change should take 5 minutes or less to go through.

    Of course, once Bluehost gets that fixed on their end, you’ll start to be blocked as the server IP again. When that happens, just let us know and we’ll switch it back.

    Great, thanks so much, James! 🙂

    Also, I notice that I accidentally wrote “X-Forwarded-To” instead of “X-Forwarded-For” in the title.

    consultkevin

    (@consultkevin)

    We are still having this problem. After further analysis, it seems that:

    (1) You only whitelisted my IP. When I go to the login page from other IPs, login is locked and it is still incorrectly reporting the server's IP as the source of the login attempt.

    (2) Furthermore, WordPress/JetPack is the one setting PHP's $_SERVER['REMOTE_ADDR'] to be the same as the incorrect $_SERVER['HTTP_X_FORWARDED_FOR']. Those are not the same in the original environment provided by BlueHost, so that is a bug on the WordPress/JetPack side. Maybe a result of your "fix".

    In order to compensate for BlueHost's error and JetPack's preference, I hacked wp-config.php to unset BlueHost's incorrect HTTP_X_FORWARDED_FOR, both as an environment variable and in $_SERVER, so JetPack isn't confused:

    wp-config.php:
    ————
    // 6/4/2019 11:25:25 AM [Kevin]
    // unset HTTP_X_FORWARDED_FOR because BlueHost incorrectly sets it to the SERVER's IP rather than the client's IP, and JetPack preferentially uses HTTP_X_FORWARDED_FOR instead of REMOTE_ADDR to block login hammering.
    // - so JetPack ends up blocking ALL logins because all logins look like they are coming from the server.
    // putenv() with no "=value" removes the variable from the process environment.
    putenv('HTTP_X_FORWARDED_FOR');
    // $_SERVER was already set from the env, so we have to unset that, too:
    unset($_SERVER['HTTP_X_FORWARDED_FOR']);
    // might have to unset in $_ENV, too, but php.ini isn't loading that for me.
    ————

    It would be even better if I could unset this upstream in .htaccess (or Apache itself), but that isn’t working for me for some reason, probably due to BlueHost’s Apache’s permissions:

    .htaccess:
    ————
    # if we have mod_env and server permissions, we might be able to unset it in .htaccess:
    UnSetEnv HTTP_X_FORWARDED_FOR
    ————
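
    A stricter variant of the wp-config.php workaround above, added here as an example (not Kevin's code and not Jetpack's own header handling; the thread only states that Jetpack prefers HTTP_X_FORWARDED_FOR over REMOTE_ADDR). It discards X-Forwarded-For only when it cannot be trusted: the direct peer is not a known proxy, the first hop is not a valid IP, or it equals the server's own address as in this thread. The trusted proxy list is a placeholder.

```php
<?php
// Added example, not code from the thread or from Jetpack: decide whether the
// X-Forwarded-For header can be believed before Jetpack reads it.

// Placeholder: addresses of reverse proxies / load balancers that are allowed
// to set X-Forwarded-For for this site. Replace with your own.
$trusted_proxies = ['10.0.0.5'];

/**
 * Return the IP that login protection should key on.
 * X-Forwarded-For is honoured only when the direct peer is a trusted proxy,
 * the first hop parses as an IP, and it is not this server's own address
 * (the broken case from the thread, where XFF carried the server IP).
 */
function resolve_client_ip(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !in_array($remote, $trusted_proxies, true)) {
        // Any client can send an XFF header; without a trusted proxy in front
        // it is untrusted input, so key on the TCP peer instead.
        return $remote;
    }
    // XFF is "client, proxy1, proxy2, ..."; the original client is the first entry.
    $first = trim(explode(',', $xff)[0]);
    $self  = $server['SERVER_ADDR'] ?? '';
    if (filter_var($first, FILTER_VALIDATE_IP) === false || $first === $self) {
        return $remote;
    }
    return $first;
}

// If the header did not pass, drop it from $_SERVER and the process environment
// (as in the wp-config.php workaround) so Jetpack falls back to REMOTE_ADDR.
if (resolve_client_ip($_SERVER, $trusted_proxies) === ($_SERVER['REMOTE_ADDR'] ?? '')) {
    unset($_SERVER['HTTP_X_FORWARDED_FOR']);
    putenv('HTTP_X_FORWARDED_FOR');
}
```

    Apache's UnsetEnv only removes variables created with SetEnv, which is likely why the .htaccess attempt above had no effect; removing the incoming request header itself is a mod_headers job (RequestHeader unset X-Forwarded-For).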

    Plugin Contributor James Huff

    (@macmanx)

    Volunteer Moderator

    Thanks, that would definitely work to get around the issue.

    Once Bluehost has corrected the issue on their end, it should no longer be necessary.
