• Resolved toby1kenobi

    (@toby1kenobi)


    Hi there,

    We have Wordfence 7.1.10 (1533058343) running on a site where we are also using Varnish for HTTP caching of non-admin pages. I’ve belatedly set Wordfence to use x-forwarded-for for IP detection (as Varnish is configured to pass IPs that way), but on the plugin’s Diagnostics tab it reports “Configured but not valid”. On the Live Traffic tab it looks like IP addresses are being captured ok.

    I’m wondering if there’s genuinely a problem or not? Any thoughts on why the plugin thinks there’s an issue?

    If it’s any help, here’s the Varnish config for x-forwarded-for and x-real-ip:

    set req.http.X-Actual-IP = regsub(req.http.X-Forwarded-For, "[, ].*$", "");

    # FORWARD THE IP OF THE REQUEST
    if (req.restarts == 0) {
      if (req.http.x-forwarded-for) {
        set req.http.X-Forwarded-For =
          req.http.X-Forwarded-For + ", " + client.ip;
      } else {
        set req.http.X-Forwarded-For = client.ip;
      }
    }
    

    Thanks – it’s a great plugin.

    Toby

    • This topic was modified 6 years, 7 months ago by toby1kenobi.
  • Hi @toby1kenobi!

    Thanks for reaching out. That’s an interesting scenario. Is it possible that x-forwarded-for is not set on the requests that aren’t going via Varnish? If so, I’d recommend you add that so Wordfence can consistently fetch the IP from the same header.

    Let me know what you think.

    Thread Starter toby1kenobi

    (@toby1kenobi)

    Thanks for getting back to me.

    I guess that could be something to do with it – Varnish listens on port 80, Apache on port 443 (and WordPress admin, where I see the message from Wordfence, runs over SSL). Apache wasn’t passing a value for X-Forwarded-For; however, I have updated the SSL config to do this. I’ve added this:

            RewriteEngine On
            RewriteRule     .               -                   [E=noxff:%{REMOTE_ADDR}]
            RequestHeader   setIfEmpty      X-Forwarded-For     "%{noxff}e"

    This seems to be outputting X-Forwarded-For values in Apache’s log files at least. Wordfence is still giving me that message though. Weirdly, on its Options page it says

    Detected IP(s): [my IP address]
    Your IP with this setting: [my IP address]

    and shows the correct information.

    Thread Starter toby1kenobi

    (@toby1kenobi)

    Ah, maybe it’s fine – the Diagnostics tab seems to think everything’s ok now, but there’s a nagging panel everywhere in the WordPress back end saying, “Your ‘How does Wordfence get IPs’ setting is misconfigured. This site is currently using the X-Forwarded-For…”

    Is that actually misleading, should I just dismiss it?

    Hi @toby1kenobi,
    Yes, as long as you are seeing correct IPs appear both on the Diagnostics page (for your visits) and in Wordfence Live Traffic (for other people’s visits) then it should be fine to dismiss it. I think it’s happening because REMOTE_ADDR is accurately populated only on some of the requests. Wordfence then thinks it should be using REMOTE_ADDR and thus warns you about using X-Forwarded-For. I’ve seen a case like that before so I’ll bounce that by our quality assurance to see if we can improve the logic there.

    You should be good to go though!

    Thread Starter toby1kenobi

    (@toby1kenobi)

    Great, thank you.
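
An added example, not part of the original thread and not Wordfence's code: a Python model of the two request paths described above (port 80 through Varnish, port 443 straight to Apache). It compares the leftmost X-Forwarded-For entry with a resolver that reads the header only when the direct peer is a trusted proxy. The loopback proxy address, the sample IPs and all function names are assumptions.

```python
import ipaddress

# Assumption: Varnish and Apache share a host, so Apache sees Varnish as loopback.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

def varnish_xff(client_ip, sent_xff=None):
    """Mirror the VCL in the thread: append client.ip to any header already present."""
    return f"{sent_xff}, {client_ip}" if sent_xff else client_ip

def apache_direct_xff(remote_addr, sent_xff=None):
    """Mirror 'RequestHeader setIfEmpty': fill in only when the client sent nothing."""
    return sent_xff if sent_xff else remote_addr

def leftmost(xff):
    """Naive reading: first list element, the part the X-Actual-IP regsub keeps."""
    return xff.split(",")[0].strip()

def resolve_client_ip(remote_addr, xff):
    """Use XFF only when the direct peer is a trusted proxy, reading right to left."""
    if not xff or not is_trusted(remote_addr):
        return remote_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            if not is_trusted(hop):
                return hop  # first address not added by our own proxy
        except ValueError:
            break  # malformed entry: stop trusting the header
    return remote_addr

def demo():
    client, supplied = "203.0.113.7", "198.51.100.99"  # constructed sample addresses
    cases = {
        "port 80 via Varnish": ("127.0.0.1", varnish_xff(client)),
        "port 80, client sent XFF": ("127.0.0.1", varnish_xff(client, supplied)),
        "port 443 direct": (client, apache_direct_xff(client)),
        "port 443, client sent XFF": (client, apache_direct_xff(client, supplied)),
    }
    return {name: (leftmost(xff), resolve_client_ip(peer, xff))
            for name, (peer, xff) in cases.items()}

if __name__ == "__main__":
    for name, (naive, resolved) in demo().items():
        print(f"{name:26} leftmost={naive:15} resolved={resolved}")
```

In the two "client sent XFF" rows the leftmost entry is whatever the client supplied, while the trusted-proxy resolver still returns the connecting address on both paths.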

  • The topic ‘X-Forwarded-For – “Configured but not valid”, but still working?’ is closed to new replies.