Handling IP addresses with CDN

Update: I added some logging to the plugin, and I think I found a bug in the Limit Login Attempts Reloaded plugin code.

The function get_address() does a sanity check on the X-Fowarded-For header, verifying that it’s a valid IP address, like this:

filter_var( $_SERVER[‘HTTP_X_FORWARDED_FOR’], FILTER_VALIDATE_IP)

However, the spec for that header is that it can be a comma-separated list, indicating the proxies the request has passed through. This comma-separated format will not pass the FILTER_VALIDATE_IP test. My CDN (fastly) adds the header in the comma-seperated format, so the address blacklisted ends up being the address of the CDN.

• This reply was modified 5 years, 11 months ago by tedmsuperstar.

Hello tedmsuperstar,

We have uploaded a new version of the plugin.

The plugin doesn’t trust any IP addresses other than _SERVER[“REMOTE_ADDR”] anymore. Trusting other IP origins make protection useless b/c they can be easily faked. This new version provides a way of secure IP unlocking for those sites that use a reverse proxy coupled with misconfigurated servers that populate _SERVER[“REMOTE_ADDR”] with wrong IPs which leads to mass blocking of users.

Please try it out.

Sweet! I’ll take a look. I *just finished writing an extension of your plugin that does the same thing, but I’d rather use the core plugin as-is if it works for me. Thanks for getting back to me.

You are welcome tedmsuperstar!

HI again,

I tried this out with fast.ly today. I’m seeing that $_SERVER[“REMOTE_ADDR”] is a camma-sep list, like this:

72.71.100.100, 153.50.22.98

The first is my actual IP address, and the second is the address of the CDN node. This means that by clearing cookies, a user can try several times for each CDN node. My lockout log looks like this:

May 01, 2019 17:43 72.71.100.100, 153.50.22.42 fred (1 lockouts)
May 01, 2019 17:41 72.71.100.100, 153.50.22.28 fred (1 lockouts)
May 01, 2019 17:40 72.71.100.100, 153.50.22.26 fred (1 lockouts)