thebrandonallen/wp-fail2ban-redux

Nginx Reverse Proxy fail2ban shows the offender as coming from the reverse proxy, definitely don't want to ban that IP.

Closed · 1 comment

Nginx Reverse Proxy fail2ban shows the offender as coming from the reverse proxy, definitely don't want to ban your reverse proxy and cut off ALL traffic to your site.

I have all my headers in place on the reverse proxy:

# example HTTPS
server {
    listen 443 ssl http2;
    server_name www.example.com example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    root /var/www/example/;
    index index.html;
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://10.18.20.2:44777;
    }
}

The solution that the other fail2ban package uses is working for me. I did originally try yours first.

This one allows you to define the IP of your proxy, and if defined it will use the X-Forwarded-For header:
https://docs.wp-fail2ban.com/en/4.2/defines/constants/WP_FAIL2BAN_PROXIES.html#wp-fail2ban-proxies

I was able to see in your code that you say I just need to configure wp-config.php; I am wondering which values you think would actually solve this issue and make it possible to use your plugin behind a reverse proxy.

In my wp-config.php I have added these lines:

$_SERVER['HTTPS'] = 'on';
$_SERVER['HTTP_HOST'] = 'www.example.com';
define('WP_HOME','https://www.example.com');
define('WP_SITEURL','https://www.example.com');
define('WP_FAIL2BAN_PROXIES','10.18.10.1');

Section of your code:

/**
 * Returns the remote IP address of the current visitor.
 *
 * We use `REMOTE_ADDR` here directly. If you are behind a proxy, you
 * should ensure that it is properly set, such as in wp-config.php, for
 * your environment.
 *
 * @see https://core.trac.wordpress.org/ticket/9235
 *
 * @since 0.1.0
 *
 * @return string The remote IP address.
 */
private static function get_remote_ip() {
  if ( empty( self::$ip ) ) {
    self::$ip = preg_replace( '/[^0-9a-fA-F:., ]/', '', $_SERVER['REMOTE_ADDR'] );
  }
  return self::$ip;
}

You will need to add something to your wp-config.php to fix this. I've updated that comment and added an additional FAQ (https://wordpress.org/plugins/wp-fail2ban-redux/#%0Ahow%20do%20you%20i%20use%20this%20plugin%20if%20my%20site%20is%20behind%20a%20proxy%2C%20like%20cloudflare%3F%0A). The proxy constant in WP Fail2Ban is handy, but, ultimately, it only affects the plugin. I chose not to add that, because the real fix is to fix it for your whole site. If you're behind a reverse proxy, like Cloudflare, and you only fix the issue for WP Fail2Ban Redux, then everything else on your site that uses IP addresses will be wrong.
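The reply above says to fix `REMOTE_ADDR` site-wide in wp-config.php rather than per plugin, and the question earlier in the thread asks what that should look like. The snippet below is an added example written for this page; it is not code from the plugin, from WordPress, or from either participant. It rewrites `$_SERVER['REMOTE_ADDR']` from `X-Forwarded-For` only when the request really came from a trusted proxy, walking the header from the right so that an `X-Forwarded-For` value a client sends itself cannot be used to frame another address or dodge a ban. The proxy address `10.18.10.1` is the one listed in the issue; the function name `wpf2b_example_client_ip` and the `$trusted_proxies` list are assumptions for the example.

```php
<?php
// Added example, not part of the plugin or this issue: put this in wp-config.php
// above `require_once ABSPATH . 'wp-settings.php';` so every plugin and WordPress
// core see the real client address, not the reverse proxy's.

// Assumption: the only host allowed to set X-Forwarded-For is the nginx proxy
// from the issue. Cloudflare users would list Cloudflare's published ranges.
$trusted_proxies = array( '10.18.10.1' );

/**
 * Returns the client IP for a request, trusting X-Forwarded-For only when
 * REMOTE_ADDR is a known proxy.
 *
 * The nginx config in the issue uses $proxy_add_x_forwarded_for, which appends
 * the address nginx saw to whatever the client sent. The right-most hop is
 * therefore the one a trusted proxy vouched for; hops left of it are untrusted
 * client input. Trusted proxy addresses in the chain are skipped so chained
 * proxies also resolve to the real client.
 *
 * @param array $server  A $_SERVER-shaped array.
 * @param array $trusted Proxy addresses allowed to set X-Forwarded-For.
 * @return string The client IP, or REMOTE_ADDR unchanged when no rewrite applies.
 */
function wpf2b_example_client_ip( array $server, array $trusted ) {
    $remote = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';

    // Direct request, or the proxy did not add the header: nothing to rewrite.
    // A client that sends X-Forwarded-For straight to the backend is ignored here.
    if ( ! in_array( $remote, $trusted, true ) || empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
        return $remote;
    }

    $hops = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ) );

    // Walk from the right: the last hop is what the trusted proxy appended.
    for ( $i = count( $hops ) - 1; $i >= 0; $i-- ) {
        if ( in_array( $hops[ $i ], $trusted, true ) ) {
            continue; // Another trusted proxy in the chain; keep looking left.
        }
        if ( filter_var( $hops[ $i ], FILTER_VALIDATE_IP ) !== false ) {
            return $hops[ $i ];
        }
        break; // Malformed value: a trusted proxy always appends a valid IP, so stop.
    }

    // Fall back to the address the socket reported rather than trusting garbage.
    return $remote;
}

// Constructed sample (not a real request): a client at 203.0.113.9 that tried to
// spoof X-Forwarded-For; the nginx proxy at 10.18.10.1 appended the real address.
// wpf2b_example_client_ip() returns '203.0.113.9', not the spoofed '198.51.100.1'.
$sample = array(
    'REMOTE_ADDR'          => '10.18.10.1',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.9',
);

$_SERVER['REMOTE_ADDR'] = wpf2b_example_client_ip( $_SERVER, $trusted_proxies );
```

With `REMOTE_ADDR` corrected this early, the plugin's `get_remote_ip()` quoted above needs no change, and fail2ban logs the client rather than `10.18.10.1`. The trust list is the whole security boundary of this approach: leave it empty and the header is never consulted, so a client cannot choose its own address; and the backend on `10.18.20.2:44777` should only be reachable from the proxy, because a request that bypasses nginx arrives with the client's own `REMOTE_ADDR` and is handled as a direct connection by the first check.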