Support » Plugin: Login LockDown » Support reverse proxy

  • Please use HTTP_X_FORWARDED_FOR when available instead of REMOTE_ADDR.
    When a reverse proxy/balancer is in effect, the server variable REMOTE_ADDR contains the IP of the local proxy/balancer and HTTP_X_FORWARDED_FOR contains the IP of the visitor.

    Otherwise, your plugin, using only REMOTE_ADDR, reports that all visitors come from the same IP address in those common scenarios.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author mvandemar

    (@mvandemar)

    HTTP_X_FORWARDED_FOR is an HTTP header, so it can be easily spoofed. It doesn’t really make sense, to me anyway, to use it in a security plugin that is designed to block brute force attempts based on the IP address. However, you are not the first person to request this, so I will most likely add in the option, with a warning on it reducing the effectiveness of the plugin.

    -Michael

    Oh thanks; this can make me (and others) try this plugin again.

    A safer way to use HTTP_X_FORWARDED_FOR is to allow the administrator to configure which IP in REMOTE_ADDR indicates that traffic is coming from a reverse proxy; in this case, use HTTP_X_FORWARDED_FOR because the proxy forces the right value into the HTTP header.
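The lookup proposed in the last reply, written out as an added example in PHP; this is not code from the Login LockDown plugin, and the trusted-proxy list (`$trusted_proxies`) and the function name are assumptions for illustration. It only consults X-Forwarded-For when REMOTE_ADDR is a configured proxy, and walks the header from the right so that a value a client put at the left end cannot override the address the proxy itself appended.

```php
<?php
// Added example, not the plugin's own code. $trusted_proxies stands in for an
// assumed administrator-configured option listing the reverse proxy addresses.

function ll_example_client_ip(array $server, array $trusted_proxies): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    // Not behind a configured proxy: the header is untrusted client input, ignore it.
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote;
    }
    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($header === '') {
        return $remote; // proxy did not add the header; fall back to its address
    }
    // X-Forwarded-For is "client, proxy1, proxy2": each proxy appends the peer it saw.
    $hops = array_map('trim', explode(',', $header));
    // Walk right-to-left, skipping our own proxies; the first address that is not
    // one of ours is the peer that actually connected to the edge proxy.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $candidate = $hops[$i];
        if (in_array($candidate, $trusted_proxies, true)) {
            continue;
        }
        // Accept only a literal IP address; anything else is malformed input.
        if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
            return $remote;
        }
        return $candidate;
    }
    // Every hop was a trusted proxy: nothing usable, fall back to REMOTE_ADDR.
    return $remote;
}

// Constructed sample requests (documentation address ranges) for illustration.
$proxies = ['10.0.0.5'];

// Direct connection: header present but REMOTE_ADDR is not a trusted proxy, so the
// header is ignored and the real peer address is returned.
echo ll_example_client_ip(
    ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'],
    $proxies
), "\n";

// Behind the proxy: the client prepended an arbitrary value, the proxy appended the
// address it actually saw; the rightmost non-proxy entry is what gets returned.
echo ll_example_client_ip(
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.9, 198.51.100.1'],
    $proxies
), "\n";
```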
