08813: Failed Login Attempt locks out all users when behind nginx proxy - doesn't use sIPAddress.

This bug affects 1 person(s).

ID	Project	Category	View Status	Date Submitted	Last Update

08813	Bug reports	Authentication	public	2014-03-06 00:24	2014-03-17 13:14

Reporter	jleimgruber	Assigned To	mdekker
Priority	normal	Severity	minor
Status	closed	Resolution	fixed
Product Version	2.05+

Summary	08813: Failed Login Attempt locks out all users when behind nginx proxy - doesn't use sIPAddress.
Description	I just migrated my LimeSurvey site and it is running with Apache2 behind nginx reverse proxy. nginx terminates the https SSL and uses plain http to Apache2/limesurvey. I setup nginx with the proxy_set_header lines: proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; Digging around it looks like there is a function, getIPAddress() in limesurvey/application/helpers/common_helper.php that pays attention to the X-Forwarded-For header: $sIPAddress = $_SERVER['HTTP_X_FORWARDED_FOR']; However, the code that looks for FailedLoginAttempts, limesurvey/application/models/FailedLoginAttempt.php, uses this other getUserHostAddress stuff: substr(Yii:app()->request->getUserHostAdress(),0,40) getUserHostAddress() $_SERVER'[REMOTE_ADDR'] To stop my users from all being locked out when one person gets locked out I tweaked: maxLoginAttempt / timeOutTime Am I doing something wrong, or should FailedLoginAttempts be using getIPAddress()??? Thanks!
Tags	No tags attached.

Bug heat	6
Complete LimeSurvey version number (& build)	6a37d0c117b472bf83b7c449926c
I will donate to the project if issue is resolved	No
Browser
Database type & version	mysql Ver 14.14 Distrib 5.5.22, for debian-linux-gnu (x86_64) using readline 6.2
Server OS (if known)	Ubuntu 12.04 LTS Linux Kernel 3.12.6-x86_64-SMP-linode inside LXC container w/ Docker version 0.7.6, build bc3b2ec
Webserver software & version (if known)	Apache/2.2.22 (Ubuntu)
PHP Version	PHP Version 5.3.10-1ubuntu3

User List	There are no users monitoring this issue.

mdekker 2014-03-06 12:36 reporter ~29114	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13981

jleimgruber 2014-03-10 22:54 reporter ~29172	Thanks, I really appreciate the super fast response! I tested it on my local machine machine the day you pushed, but I am waiting for maintenance window to roll it out. I'll report back as soon as everything is clear (likely this weekend).

c_schmitz 2014-03-17 13:14 administrator ~29273	2.05+ Build 140317 released

LimeSurvey: master cd2b4f38 2014-03-06 12:36 mdekker Details Diff	Fixed 08813: Failed Login Attempt locks out all users when behind nginx proxy - doesn't use sIPAddress dev: It makes sense to use the same IP lookup everywhere in the application	Affected Issues 08813
	mod - application/core/LSUserIdentity.php	Diff File
	mod - application/extensions/LimeDebug/LimeDebug.php	Diff File
	mod - application/models/FailedLoginAttempt.php	Diff File

Date Modified	Username	Field	Change
2014-03-06 00:24	jleimgruber	New Issue
2014-03-06 12:19	mdekker	Assigned To	=> mdekker
2014-03-06 12:19	mdekker	Status	new => assigned
2014-03-06 12:36	mdekker	Changeset attached	=> LimeSurvey master cd2b4f38
2014-03-06 12:36	mdekker	Note Added: 29114
2014-03-06 12:36	mdekker	Resolution	open => fixed
2014-03-06 12:37	mdekker	Status	assigned => resolved
2014-03-10 22:54	jleimgruber	Note Added: 29172
2014-03-17 13:14	c_schmitz	Note Added: 29273
2014-03-17 13:14	c_schmitz	Status	resolved => closed

View Issue Details

Users monitoring this issue

Activities

Related Changesets

Issue History