15 minute block due to ... what?

[uwcfx]

Hi,

We currently have vBulletin running in a multi server server and we're having some issues at the moment I'll try to describe.

We got two server, lets call them server1 and server2.
Server1 runs Nginx and ourdomain but also proxies ourdomain.com/forum down to server2 which runs a regular Apache with vBulletin installed.

We've had to do some changes to make vBulletin behave like we want for example change the X-Real-IP header to Remote Host as well as X-Forwarded-For.
This makes us see the actual clients IP address in the access logs on Server2.

But, we're still seeing that if one of our users try to log in to our admin panel and types the wrong password too many times _all_ users gets blocked out and it tells us to wait 15 minutes . Our current workaround is just to truncate the strikes table but that's obviously quite ugly.

So my question is, what does vBulletin use to decide from which IP address a client actually comes from? I tried dumping the $_SERVER variable and the only thing I can see in there that shows Server1 is a GEO_IP variable.

Thoughts?

Best regards,
Lars

[snakes1100]

As one particular part of your question was a bit confusing, can you clarify a bit more on what you mean here?

Quote:

We've had to do some changes to make vBulletin behave like we want for example change the X-Real-IP header to Remote Host as well as X-Forwarded-For.
This makes us see the actual clients IP address in the access logs on Server2.

As i run numerous simular setups with nginx doing a lb, i do it a little differently, in most cases, when the servers are on a gigabit switch or close enough for nic to nic.

Server 1:
Nginx Front End - Proxy LBs to both servers
Apache backend (mod_rpaf installed)
All files kept on server 1 for site(s)
NFS

Server 2:
Nginx Front End
Apache backend (mod_rpaf installed)
No Site Files.

mod_rpaf would resolve all IPs to the actual client IP in the access logs of apache.

In two cases of the above setup for the owner that wants Stats for the site, the apache logs files are merged together daily via cat & cron.

As rsync is faster, in the above cases i dont have to worry about any cron issues, file problems, date stamp etc, but i do rsync in a few cases as well using smaller drives, as there is no space requirements.

[uwcfx]

Hi, we do have mod_rpaf installed and in the access logs I do see the actual clients IP address, but still if one of our moderators manages to "block" his account, all our accounts gets blocked. So somehow vBulletin is taking our Nginx (Server1) IP address and puts it in the strikes table blocking every moderator and admin. Do you understand what I mean?

[nhawk]

vB uses these server variables to establish which IP is used for a member...

This is used first...

Code:

$_SERVER['REMOTE_ADDR']

If any of these are set, then the IP used is changed to the set value...

Code:

$_SERVER['HTTP_X_FORWARDED_FOR']

$_SERVER['HTTP_CLIENT_IP']

$_SERVER['HTTP_FROM']

Then if a proxy list is defined in config.php, the IP can be changed again to the proxy IP.

[uwcfx]

Quote:

Originally Posted by nhawk

vB uses these server variables to establish which IP is used for a member...

This is used first...

Code:

$_SERVER['REMOTE_ADDR']

If any of these are set, then the IP used is changed to the set value...

Code:

$_SERVER['HTTP_X_FORWARDED_FOR']

$_SERVER['HTTP_CLIENT_IP']

$_SERVER['HTTP_FROM']

Then if a proxy list is defined in config.php, the IP can be changed again to the proxy IP.

Hi, here's what I have set up as test now.

Code:

<?php
var_dump($_SERVER['REMOTE_ADDR']);
var_dump($_SERVER['HTTP_X_FORWARDED_FOR']);
var_dump($_SERVER['HTTP_CLIENT_IP']);
var_dump($_SERVER['HTTP_FROM']);
?>

And here's the output.

Code:

string(13) "1.2.3.4" string(13) "1.2.3.4" NULL NULL

Where 1.2.3.4 is my actual home routers address which I've confirmed multiple times.

Here's the relevant part in config.php, all commented out which I presume is default.

Code:

/* Enter your known [trusted] proxy servers here. You can list multiple trusted IPs separated by a comma.*/
//$config['Misc']['proxyiplist'] = '127.0.0.1, 192.168.1.6';

/* If the real IP is passed in a http header variable other than HTTP_X_FORWARDED_FOR, then you can set the name here; */
//$config['Misc']['proxyipheader'] = 'HTTP_X_FORWARDED_FOR';

... yet still if someone manage to block their account, all accounts gets blocked and the Server1 gets listed in the automated e-mail to our forumadministrator e-mail address, for example:

Code:

Dear USER,

Someone has tried to log into your account on Mayzus Forum with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: 4.3.2.1 (Server1)

All the best

Thank you.

[uwcfx]

Hi,

I'm no fan of bumping threads but I do would really appreciate if someone could have another glance at this.

Forgive me if I'm wrong, but these are the official support forums for paying customers, right?

Thanks

[kh99]

Looking at the code for vb4, it looks like the ip address and an "alt_ip" are determined. The ipaddress is always from REMOTE_ADDR if there is no proxy configured. The alt_ip is from one of the fields mentioned above. So I think unless you configure a proxy in config.php, it's going to use REMOTE_ADDR for blocking due to strikes. However, from what I've read above, I don't understand what's happening either.

Maybe you can temporarily modify the code in functions_login.php and in verify_strike_status() and exec_strike_user(), put in code to log all info to a file and include the $_SERVER fields as well as the IPADDRESS and ALT_IP, then maybe you can figure out why it's happening.

Quote:

Originally Posted by uwcfx

Forgive me if I'm wrong, but these are the official support forums for paying customers, right?

No, this is the site for modifications, and it's supposed to be a community. It depends on people helping each other out, so unfortunately you aren't guaranteed to get an answer to a question (but we try). You can post at vbulletin.com (and it might be a good idea because not everyone from there participates here), but I think unless you have ticket support and you put in a ticket, you're not guaranteed an answer there either.

[uwcfx]

Quote:

Originally Posted by kh99

Looking at the code for vb4, it looks like the ip address and an "alt_ip" are determined. The ipaddress is always from REMOTE_ADDR if there is no proxy configured. The alt_ip is from one of the fields mentioned above. So I think unless you configure a proxy in config.php, it's going to use REMOTE_ADDR for blocking due to strikes. However, from what I've read above, I don't understand what's happening either.

Maybe you can temporarily modify the code in functions_login.php and in verify_strike_status() and exec_strike_user(), put in code to log all info to a file and include the $_SERVER fields as well as the IPADDRESS and ALT_IP, then maybe you can figure out why it's happening.





No, this is the site for modifications, and it's supposed to be a community. It depends on people helping each other out, so unfortunately you aren't guaranteed to get an answer to a question (but we try). You can post at vbulletin.com (and it might be a good idea because not everyone from there participates here), but I think unless you have ticket support and you put in a ticket, you're not guaranteed an answer there either.

Thank you very much for your reply, I'll see if I can do some modification and figure out what's happening, and I'm indeed sorry for the confusion about the support forum - I'll make sure to post in the right place next time.

Thanks.

[kh99]

Quote:

Originally Posted by uwcfx

... and I'm indeed sorry for the confusion about the support forum - I'll make sure to post in the right place next time.

You didn't really post in the wrong place - it's OK to ask questions here that aren't about modifications. It's just that this isn't the main support site.