• Resolved dbrosemer

    (@dbrosemer)


    Hi, team. I run WordPress behind an nginx reverse proxy and login-lockdown blocks the proxy’s IP. I’d suggest this patch. Can it be incorporated?

    Thanks!

    --- wp-content/plugins/login-lockdown/libs/utility.php.orig
    +++ wp-content/plugins/login-lockdown/libs/utility.php
    @@ -129,7 +129,9 @@
       {
         $ip = '';
    
    -    if (!empty($_SERVER['REMOTE_ADDR'])) {
    +    if(isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    +        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    +    } elseif (!empty($_SERVER['REMOTE_ADDR'])) {
           $ip = $_SERVER['REMOTE_ADDR'];
         }
    
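Review bot: the new first branch, `if(isset($_SERVER['HTTP_X_FORWARDED_FOR']) && ...`, accepts the header without checking that the request came from the proxy, so any client that can send this header to PHP chooses the address the lockout is counted against. The value is also assigned to `$ip` as-is, although the header can hold a comma-separated list and is not validated as an IP address here. Suggest reading the header only when `$_SERVER['REMOTE_ADDR']` is the configured proxy address, taking a single validated address from it, and otherwise falling through to the existing `REMOTE_ADDR` branch. Alternatively, leave this function unchanged and have the web server rewrite `REMOTE_ADDR`. Style: `!empty()` already covers the `isset()` test, and `if(` should be spaced like the `elseif (` below it.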
Viewing 1 replies (of 1 total)
  • Plugin Author Alexandru Tapuleasa

    (@talextech)

    Hi,

    HTTP_X_FORWARDED_FOR is just a header that anyone can just set to whatever they want when making the request. So anyone trying to bruteforce your login can just randomly set a different IP on each request.

    You need to properly configure nginx to send the real IP to apache. You can search online for “nginx apache mod_remoteip” to get more info. Or if you have a managed server just ask your host to do it for you 🙂
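The point made in the reply above, as an added PHP example (not part of the thread and not the plugin's code): `X-Forwarded-For` is read only when the TCP peer is a known proxy, and is otherwise ignored as client input. `TRUSTED_PROXIES`, `ip_bin()`, `is_trusted()`, `client_ip()` and the sample addresses are assumptions, as is an nginx setup that appends the connecting address to the header.

```php
<?php
// Added example, not login-lockdown code. TRUSTED_PROXIES is an assumption:
// list the address(es) your nginx proxy connects to PHP from.
const TRUSTED_PROXIES = ['127.0.0.1', '::1'];

// Binary form of a valid IP (so "::1" and "0:0:0:0:0:0:0:1" compare equal), else null.
function ip_bin(string $ip): ?string
{
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? inet_pton($ip) : null;
}

function is_trusted(string $ip, array $trusted): bool
{
    $bin = ip_bin($ip);
    return $bin !== null && in_array($bin, array_map('ip_bin', $trusted), true);
}

function client_ip(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    // Peer is not our proxy (or sent no header): the header is client input, ignore it.
    if ($xff === '' || !is_trusted($remote, $trusted)) {
        return $remote;
    }
    // Rightmost entries were appended by our proxies; walk right to left and
    // stop at the first address that is not one of them.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (ip_bin($hop) === null) {
            return $remote;          // malformed entry: fall back to the peer
        }
        if (!is_trusted($hop, $trusted)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed sample requests (documentation-range addresses).
$samples = [
    'direct, forged header'     => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'],
    'via proxy, honest client'  => ['REMOTE_ADDR' => '127.0.0.1',   'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    'via proxy, forged prefix'  => ['REMOTE_ADDR' => '127.0.0.1',   'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.7'],
    'via proxy, garbage header' => ['REMOTE_ADDR' => '127.0.0.1',   'HTTP_X_FORWARDED_FOR' => 'not-an-ip'],
];
foreach ($samples as $label => $server) {
    printf("%-26s => %s\n", $label, client_ip($server));
}
```

In the third sample the client supplied its own header value, but only the address appended by the proxy is used for the lockout.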


The topic ‘Patch to support nginx reverse proxy’ is closed to new replies.