Forum Replies Created

Viewing 1 replies (of 1 total)
  • Daniel K

    (@anewmind)

    Hello cellulosa,

    I have had a similar issue. You are correct that Varnish will conflict with Fail2ban. I am not a Fail2ban expert, and so what follows is only my personal findings. I did a bit of research on my own, but if anybody knows a better method, or can correct some of what I posted here, please do so.

    When you use Varnish, or any other caching service, the IP address that is actually connecting to Apache is that of the server itself, which is what is reported in the script as $_SERVER['REMOTE_ADDR']. Currently, Fail2ban uses that variable to determine the HOST, which it reports to your log.

    The plugin should be logging to /var/log/messages. You can watch that file on your server to see what gets logged there when you fail to log in. Most likely, it will be your server’s IP address, which is likely blocked in the firewall.

    The fix for this has two parts. First, you will need some way to report the original IP address. This is done in Varnish. For my configuration, I use this in my .vcl file:

    set req.http.X-Real-IP = client.ip;

    I put that in the vcl_recv section. This creates an HTTP header named X-Real-IP, which is sent with the request and contains the real IP. This is a common convention, and is also used by Nginx as well as many Varnish installations. It is not uncommon to set the Apache logs to use this header for their logging.

    Once that is done, you will have to modify your file wp-content/plugins/wp-fail2ban/wp-fail2ban.php. Because it was a quick solution, I added these lines, directly above the line that says "return $_SERVER['REMOTE_ADDR'];":

    // Prefer the real client IP forwarded by Varnish in X-Real-IP, if present.
    if (array_key_exists('HTTP_X_REAL_IP', $_SERVER)) {
        return $_SERVER['HTTP_X_REAL_IP'];
    }

    Once I did that, I was seeing my IP address correctly listed in /var/log/messages. My firewall software does the rest for me.

    I hope this helps somebody. Additionally, I'm hoping that the plugin developers read this post. Unless I am missing some very simple method to do this which is already built in, I would like to request that this functionality be built into the plugin. Although mine was quick and dirty, it shouldn't be too complicated to modify the full remote_addr() function to check for this header.
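The snippet in the reply above trusts X-Real-IP unconditionally. That is fine only while every request to Apache really passes through Varnish; anyone who can reach the Apache backend port directly can send their own X-Real-IP header and make Fail2ban log (and ban) an address of their choosing, or hide their own. The example below is an added illustration, not code from the wp-fail2ban plugin or from the reply: it shows the naive lookup next to a hardened one that only honours the header when the TCP peer (REMOTE_ADDR) is a trusted proxy and the header value parses as one IP address. The TRUSTED_PROXIES list and the sample request arrays are assumptions constructed for the demonstration.

```php
<?php
// Added example, not part of the wp-fail2ban plugin or of the forum reply.
// Assumed: Varnish runs on the same host, so Apache sees it as 127.0.0.1/::1.
// Adjust this list to the real address(es) of your Varnish instance(s).
const TRUSTED_PROXIES = ['127.0.0.1', '::1'];

/**
 * Naive lookup, equivalent to the quick fix in the reply: the header wins
 * whenever it is present, regardless of who sent the request.
 */
function remote_addr_naive(array $server): string
{
    if (array_key_exists('HTTP_X_REAL_IP', $server)) {
        return $server['HTTP_X_REAL_IP'];
    }
    return $server['REMOTE_ADDR'];
}

/**
 * Hardened lookup. REMOTE_ADDR is the address of the TCP peer, which a client
 * cannot forge on an established connection, so the forwarded header is only
 * believed when that peer is one of our proxies. The value must also be a
 * single valid IPv4/IPv6 address, so a garbled or multi-valued header cannot
 * reach the log line that Fail2ban parses.
 */
function remote_addr_hardened(array $server, array $trusted_proxies = TRUSTED_PROXIES): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, $trusted_proxies, true)
        && isset($server['HTTP_X_REAL_IP'])
        && filter_var($server['HTTP_X_REAL_IP'], FILTER_VALIDATE_IP) !== false) {
        return $server['HTTP_X_REAL_IP'];
    }
    // Not from a trusted proxy, or header missing/invalid: use the peer itself.
    // (If the peer is the proxy and the header was bad, this is the original
    // symptom from the thread, the server banning its own address, so treat
    // it as a configuration problem rather than a client problem.)
    return $peer;
}

// Constructed sample requests; these are not captured traffic.
$samples = [
    // Normal case: request came through Varnish, header set by vcl_recv.
    'via_varnish'  => ['REMOTE_ADDR' => '127.0.0.1',  'HTTP_X_REAL_IP' => '198.51.100.23'],
    // Attacker hits Apache's backend port directly and supplies the header.
    'direct_spoof' => ['REMOTE_ADDR' => '192.0.2.77', 'HTTP_X_REAL_IP' => '203.0.113.9'],
    // Proxy forwarded something that is not a single IP address.
    'bad_header'   => ['REMOTE_ADDR' => '127.0.0.1',  'HTTP_X_REAL_IP' => '203.0.113.9, evil'],
];

foreach ($samples as $name => $req) {
    printf("%-13s naive=%-20s hardened=%s\n",
        $name, remote_addr_naive($req), remote_addr_hardened($req));
}
```

Run with `php example.php`: the naive function returns the spoofed 203.0.113.9 for the direct request, while the hardened one returns the real peer 192.0.2.77. The Varnish side is sound as written in the reply because `set` in vcl_recv overwrites any X-Real-IP the client sent; the gap is on the Apache side, so keep the backend port bound to localhost or firewalled from the outside in addition to the proxy check above.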
