[Plugin: Limit Login Attempts] Problem when using Varnish (5 posts)

  1. emandell
    Posted 2 years ago #

    I think I'm doing something wrong on my settings when I'm running my WordPress behind Varnish.

    I have my settings as 'From behind a reverse proxy' but it doesnt seem to be working as I'd expect.

    For example -

    1. I deliberately locked out my (non-existent) admin account from my office pc, I then tried to login using my ipad on wifi with my real id and it was also locked out - implying that the (localhost/Varnish) address was locked out and not the real ip iof my office pc.
    2. About 50% of the time that I look at it, the settings page is telling me that 'It appears the site is reached directly (from your IP:' and 'Current setting appears to be invalid'

    Any ideas? am I missing the point?


  2. Pothi Kalimuthu
    Posted 2 years ago #

    What web server do you use? Does your web server recognize forwarded ip? (on Apache, mod_rpaf should have been installed, enabled, and configured correctly)

    Does Varnish correctly forward the visitor's IP via X-Forwarded-For header?

    Currently, something is wrong in the setup in such a way, any IP is recognized only as localhost. So, if someone else tried to log in to your site and locked out, then you are locked out as well, because this plugin doesn't have a way to differentiate the IP addresses. There is nothing wrong with this plugin, though.

  3. emandell
    Posted 2 years ago #


    Sorry about not replying earlier, I dont want to appear like I dont appreciate your response (I do)

    I'm using nginx, I thought that Varnish was correctly getting the X-Forwarded-for header stuff but maybe I was wrong.

    I've since changed it as apparently its not just the vcl_recv that needs to be changed, but I havent had a chance yet to test it (but the log files look ok)

  4. pjk
    Posted 2 years ago #

    emandell would be very interested in how you fixed this. I am having the same issue with Varnish + nginx

  5. emandell
    Posted 2 years ago #

    nope, the fix didnt work

    my log files are showing the correct ip address but Limit Login Attempts is always showing local host

Topic Closed

This topic has been closed to new replies.

About this Topic