• Resolved cellulosa

    (@cellulosa)


    Hi younghacker,

    thank you for your great work. I’m having an issue configuring WP fail2ban. I’m on CentOS/Apache 2.4.6 and Varnish on the front-end (port 80).

    I have copied iptables-HTTP.conf and apache-wp-login.conf into the relevant folders, and added the new section into jail.conf as described in the readme in your repo.

    I think there’s something missing though, because it never seems to lock me out after many failed login attempts.

    Is it because of Varnish? Any hint on how to solve this?

    Thank you very much

    https://www.ads-software.com/plugins/wp-fail2ban/

Viewing 7 replies - 1 through 7 (of 7 total)
  • Daniel K

    (@anewmind)

    Hello cellulosa,

    I have had a similar issue. You are correct that Varnish will conflict with Fail2ban. I am not a Fail2ban expert, and so what follows is only my personal findings. I did a bit of research on my own, but if anybody knows a better method, or can correct some of what I posted here, please do so.

    When you use Varnish, or any other caching service, the IP address that is actually connecting to Apache is that of the server itself, which is what is reported in the script as $_SERVER['REMOTE_ADDR']. Currently, Fail2ban is using that variable to determine the HOST, which it reports to your log.

    The plugin should be logging to /var/log/messages. You can watch that file on your server to see what gets logged there when you fail to log in. Most likely, it will be your server’s IP address, which is likely blocked in the firewall.

    The fix for this is two parts. First, you will need some way to report the original IP address. This is done in Varnish. For my configuration, I use this in my .vcl file:

    set req.http.X-Real-IP = client.ip;

    I put that in the vcl_recv section. This creates an HTTP header named X-Real-IP, which is sent in the request to contain the real IP. This is a common convention, and is also used by Nginx as well as many Varnish installations. It is not uncommon to set the Apache logs to use this header for their logging.

    Once that is done, you will have to modify your file wp-content/plugins/wp-fail2ban/wp-fail2ban.php. Because it was a quick solution, I added these lines, directly above the line that says "return $_SERVER['REMOTE_ADDR'];":

    // Prefer the X-Real-IP header that Varnish set in vcl_recv over the
    // proxy's own address in REMOTE_ADDR.
    if (array_key_exists('HTTP_X_REAL_IP', $_SERVER)) {
        return $_SERVER['HTTP_X_REAL_IP'];
    }

    Once I did that, I was seeing my IP address correctly listed in /var/log/messages. My firewall software does the rest for me.

    I hope this helps somebody. Additionally, I’m hoping that the plugin developers read this post. Unless I am missing some very simple method to do this which is already built in, I would like to request that this functionality is built into the plugin. Although mine was quick and dirty, it shouldn’t be too complicated to modify the full remote_addr() function to check for this header.

    Thread Starter cellulosa

    (@cellulosa)

    Hi anewmind,

    thank you very much for sharing with us your solution! I’ve implemented it and now I can see the correct IP address in /var/log/messages.

    Mar 22 10:12:13 droplet wordpress(www.website.com)[32588]: Authentication failure for asd from my.ipa.ddr.ess

    I’ve implemented younghacker’s recommended fail2ban config (https://github.com/younghacker/wp-fail2ban/tree/master/fail2ban) and everything seems working in the sense that my ip is getting blocked if I check with fail2ban-client status apache-wp-login:

    Status for the jail: apache-wp-login
    |- Filter
    |  |- Currently failed:	0
    |  |- Total failed:	13
    |  \- File list:	/var/log/messages
    \- Actions
       |- Currently banned:	1
       |- Total banned:	2
       \- Banned IP list:	my.ipa.ddr.ess

    Still, I am not locked out from WordPress. Any idea of where the issue could be?

    Plugin Author invisnet

    (@invisnet)

    The standard for this is to get Varnish to set X-Forwarded-For, and then tell WPf2b which IPs to accept that header from by setting WP_FAIL2BAN_PROXIES.
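The following is an added example, not code from the plugin or from any poster in this thread, of the rule invisnet states and that Daniel K's X-Real-IP patch works around: a forwarded-IP header is honoured only when the TCP peer in REMOTE_ADDR is one of the configured proxies, which is what WP_FAIL2BAN_PROXIES expresses in wp-config.php. It is written in Python rather than the plugin's PHP so that it runs stand-alone; the proxy list and the client addresses are constructed documentation-range addresses (an assumption), and the request is modelled as a dict shaped like PHP's $_SERVER. `naive_client_ip` reproduces the effect of returning the header unconditionally, for comparison.

```python
import ipaddress

# Constructed trusted-proxy list (assumption): the local Varnish, one remote
# proxy, and a whole /24. This plays the role of WP_FAIL2BAN_PROXIES.
TRUSTED_PROXIES = ("127.0.0.1", "203.0.113.10", "198.51.100.0/24")


def is_trusted_proxy(addr, proxies=TRUSTED_PROXIES):
    """True if addr (a string) falls inside any configured proxy address or CIDR."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(p, strict=False) for p in proxies)


def naive_client_ip(server):
    """Header trusted from anyone: whatever the client puts in X-Real-IP wins."""
    return server.get("HTTP_X_REAL_IP") or server["REMOTE_ADDR"]


def client_ip(server, proxies=TRUSTED_PROXIES):
    """Address fail2ban should see for this request.

    REMOTE_ADDR is the TCP peer and cannot be spoofed. Only if that peer is a
    trusted proxy do we look at X-Forwarded-For, and then we walk it from the
    right: the rightmost hop was appended by our proxy, further trusted proxies
    are skipped, and the first untrusted hop is the real client. Anything a
    client put in the header itself sits further left and is never reached.
    """
    remote = server["REMOTE_ADDR"]
    if not is_trusted_proxy(remote, proxies):
        return remote  # direct connection: ignore any forwarded header entirely
    hops = [h.strip() for h in server.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote  # malformed value from our own proxy: fall back safely
        if not is_trusted_proxy(hop, proxies):
            return hop
    return remote  # header absent or every hop is a proxy: nothing better known


if __name__ == "__main__":
    # Constructed requests (assumption): same client, with and without Varnish.
    via_varnish = {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_FORWARDED_FOR": "192.0.2.7"}
    direct_spoof = {"REMOTE_ADDR": "192.0.2.7",
                    "HTTP_X_FORWARDED_FOR": "192.0.2.99",
                    "HTTP_X_REAL_IP": "192.0.2.99"}
    print("behind Varnish :", client_ip(via_varnish))      # 192.0.2.7
    print("direct, spoofed:", client_ip(direct_spoof))     # 192.0.2.7
    print("naive, spoofed :", naive_client_ip(direct_spoof))  # 192.0.2.99
```

The point of the proxy list is the second case: with the naive lookup, a client talking straight to Apache can choose which address ends up in /var/log/secure and therefore which address fail2ban bans, so it can get someone else banned while its own connections keep coming from an address the jail never sees.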

    Thread Starter cellulosa

    (@cellulosa)

    Ok, so I have set the following in /etc/varnish/default.vcl in the sub vcl_recv block:

    if (req.restarts == 0) {
        # set or append the client.ip to X-Forwarded-For header
        if (req.http.X-Forwarded-For) {
            set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
        } else {
            set req.http.X-Forwarded-For = client.ip;
        }
    }

    And then:

    sub vcl_pipe {
    
        set bereq.http.connection = "close";
        return (pipe);
    }

    Source: https://www.harecoded.com/determining-the-real-client-ip-with-varnish-w-x-forwarded-for-2177289

    Now, should WP_FAIL2BAN_PROXIES be set to my public IP address?

    Thread Starter cellulosa

    (@cellulosa)

    Ok the above worked. I had to put my server ip in WP_FAIL2BAN_PROXIES and now I can see /var/log/messages populating correctly:

    Apr 19 14:51:07 droplet wordpress(website.com)[2292]: Authentication attempt for unknown user asd from my.ip.add.ress

    However, now it is not logging the failures, as fail2ban-client status apache-wp-login does not change in terms of numbers. Is it related to https://www.ads-software.com/support/topic/not-logging-wp-login-failures-300?replies=1 ?

    Thread Starter cellulosa

    (@cellulosa)

    Latest update:

    I realised I had to add the LOG_AUTHPRIV configuration, because that’s what my server uses for sshd. My wp-config.php now looks like this:

    /** WPfail2ban */
    define('WP_FAIL2BAN_PROXIES','my.ser.ver.ip');
    define('WP_FAIL2BAN_AUTH_LOG',LOG_AUTHPRIV);

    Varnish is configured as written in my previous post.

    fail2ban is configured following younghacker’s setup, but with logpath = /var/log/secure

    Now if I tail -f /var/log/secure I can see my ip getting logged in correctly for Authentication failure, and if I fail2ban-client status apache-wp-login I also see my ip in the Banned IP list.

    Still, I am not kicked out from trying to login to WP. Any idea of what else am I missing?

    Thread Starter cellulosa

    (@cellulosa)

    Sorted! I rolled back to the simple setup, thus only with a single /etc/fail2ban/filters.d/wordpress.conf (instead of this as I mentioned above) in which I merged together wordpress-soft.conf and wordpress-hard.conf, like so:

    # Fail2Ban configuration file
    #
    # Author: Charles Lecklider
    #
    
    [INCLUDES]
    
    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf
    
    [Definition]
    
    _daemon = (?:wordpress|wp)
    
    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values:  TEXT
    #
    failregex = ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
                ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
                ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
                ^%(__prefix_line)sPingback error .* generated from <HOST>$
                ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
                ^%(__prefix_line)sXML-RPC authentication failure from <HOST>$
    
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =

    And then configured /etc/fail2ban/jail.conf like so:

    [wordpress]
    enabled = true
    port = http,https
    filter = wordpress
    logpath = /var/log/secure

    To which I simply added:

    action = iptables-allports

    now it works!

    Credit here: https://www.drupal.org/node/772238
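An added example, not part of the thread or of fail2ban itself, that runs the failregex lines of the merged filter above over a few constructed log lines in the format quoted earlier in the thread. The two messages the plugin produced in the posts above differ ("Authentication failure for ... from" versus "Authentication attempt for unknown user ... from"), and the example counts, per host, how many lines a filter with only the first pattern matches compared with the merged filter. The `PREFIX` regex is a simplified stand-in for fail2ban's `%(__prefix_line)s` from common.conf (an assumption, covering only the syslog date, hostname and `daemon(...)[pid]:` form seen here), the log lines and addresses are constructed, and `maxretry` is the jail default of 3 used as an assumption.

```python
import re
from collections import Counter

# Simplified stand-in for %(__prefix_line)s (assumption): "Mon DD HH:MM:SS host daemon(...)[pid]: "
PREFIX = r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ (?:wordpress|wp)\([^)]*\)\[\d+\]: "
# What fail2ban substitutes for the <HOST> tag
HOST = r"(?P<host>[\w\-.^_]+)"

# A filter carrying only the wrong-password message
SOFT_ONLY = [
    r"Authentication failure for .* from <HOST>$",
]

# The failregex lines of the merged wordpress.conf in the post above
MERGED = [
    r"Authentication attempt for unknown user .* from <HOST>$",
    r"Blocked authentication attempt for .* from <HOST>$",
    r"Blocked user enumeration attempt from <HOST>$",
    r"Pingback error .* generated from <HOST>$",
    r"Authentication failure for .* from <HOST>$",
    r"XML-RPC authentication failure from <HOST>$",
]

# Constructed log lines (assumption) shaped like the two messages quoted in the thread,
# plus an sshd line that shares the file but must not be counted by this filter.
SAMPLE_LOG = """\
Apr 19 14:51:07 droplet wordpress(website.com)[2292]: Authentication attempt for unknown user asd from 192.0.2.7
Apr 19 14:51:09 droplet wordpress(website.com)[2292]: Authentication attempt for unknown user asd from 192.0.2.7
Apr 19 14:51:12 droplet wordpress(website.com)[2293]: Authentication failure for admin from 192.0.2.7
Apr 19 14:51:30 droplet wordpress(website.com)[2294]: XML-RPC authentication failure from 198.51.100.9
Apr 19 14:52:01 droplet sshd[2300]: Failed password for root from 203.0.113.5 port 4422 ssh2
""".splitlines()


def compile_filter(failregex):
    """Expand <HOST> and prepend the prefix, as fail2ban does for each failregex line."""
    return [re.compile(PREFIX + pattern.replace("<HOST>", HOST)) for pattern in failregex]


def failed_hosts(log_lines, failregex):
    """Count matching lines per <HOST>; a line counts once even if several patterns match."""
    patterns = compile_filter(failregex)
    counts = Counter()
    for line in log_lines:
        for pat in patterns:
            m = pat.match(line)
            if m:
                counts[m.group("host")] += 1
                break
    return counts


def would_ban(log_lines, failregex, maxretry=3):
    """Hosts that reach maxretry within the window (the window itself is ignored here)."""
    return sorted(h for h, n in failed_hosts(log_lines, failregex).items() if n >= maxretry)


if __name__ == "__main__":
    print("soft only:", dict(failed_hosts(SAMPLE_LOG, SOFT_ONLY)), "bans:", would_ban(SAMPLE_LOG, SOFT_ONLY))
    print("merged   :", dict(failed_hosts(SAMPLE_LOG, MERGED)), "bans:", would_ban(SAMPLE_LOG, MERGED))
```

On the server itself the equivalent check is `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/wordpress.conf`, which reports how many lines each failregex matched; a filter whose counters stay at zero while the log fills up is the symptom to look for before touching the jail or the action.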

  • The topic ‘Varnish configuration’ is closed to new replies.