ID: 08813
Project: Bug reports
Category: Authentication
View Status: public
Last Update: 2014-03-17 13:14
Reporter: jleimgruber
Assigned To: mdekker
Priority: normal
Severity: minor
Status: closed
Resolution: fixed
Product Version: 2.05+
Summary: 08813: Failed Login Attempt locks out all users when behind nginx proxy - doesn't use sIPAddress.
Description

I just migrated my LimeSurvey site and it is running with Apache2 behind nginx reverse proxy. nginx terminates the https SSL and uses plain http to Apache2/limesurvey.

I setup nginx with the proxy_set_header lines:
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Digging around it looks like there is a function, getIPAddress() in limesurvey/application/helpers/common_helper.php that pays attention to the X-Forwarded-For header:

$sIPAddress = $_SERVER['HTTP_X_FORWARDED_FOR'];

However, the code that looks for FailedLoginAttempts, limesurvey/application/models/FailedLoginAttempt.php, uses this other getUserHostAddress stuff:

substr(Yii::app()->request->getUserHostAddress(), 0, 40)

getUserHostAddress() // returns $_SERVER['REMOTE_ADDR']

To stop my users from all being locked out when one person gets locked out I tweaked: maxLoginAttempt / timeOutTime

Am I doing something wrong, or should FailedLoginAttempts be using getIPAddress()???

Thanks!
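The failure mode described in the report, as an added illustration that is not LimeSurvey's code: a lockout counter keyed on REMOTE_ADDR sees every user behind the reverse proxy as one address, so one person's failed attempts lock out everybody, whereas a counter keyed on a proxy-aware lookup keeps users apart. The function and class names (clientIpFor, FailedLoginTracker), the $trustedProxies list and the sample request arrays are assumptions made for this example; the only-trust-X-Forwarded-For-from-our-own-proxy rule is a design choice the report does not spell out, added because the header is otherwise client-supplied. Assumes PHP 8 for constructor property promotion.

```php
<?php
// Added example, not LimeSurvey code. Demonstrates why keying the failed-login
// counter on REMOTE_ADDR collapses every user behind a reverse proxy onto the
// proxy's own address, and how a proxy-aware lookup keeps them distinct.
// Names (clientIpFor, FailedLoginTracker, $trustedProxies) are hypothetical.

declare(strict_types=1);

/**
 * Resolve the client address the way a proxy-aware lookup should: consult
 * X-Forwarded-For only when the TCP peer (REMOTE_ADDR) is one of our own
 * proxies, and then take the hop that proxy appended, i.e. the right-most
 * entry that is not itself a trusted proxy. Earlier entries were supplied by
 * whoever sent the request and are not used as a key.
 */
function clientIpFor(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], $trustedProxies, true)
            && filter_var($hops[$i], FILTER_VALIDATE_IP) !== false) {
            return $hops[$i];
        }
    }
    return $remote; // header held only proxy addresses or unparsable text
}

/** Minimal per-IP lockout counter with the two knobs the report mentions. */
final class FailedLoginTracker
{
    /** @var array<string, array{count:int, last:int}> */
    private array $attempts = [];

    public function __construct(private int $maxLoginAttempt = 3, private int $timeOutTime = 600) {}

    public function recordFailure(string $ip, int $now): void
    {
        $entry = $this->attempts[$ip] ?? ['count' => 0, 'last' => 0];
        if ($now - $entry['last'] > $this->timeOutTime) {
            $entry['count'] = 0; // window expired, start counting again
        }
        $entry['count']++;
        $entry['last'] = $now;
        $this->attempts[$ip] = $entry;
    }

    public function isLockedOut(string $ip, int $now): bool
    {
        $entry = $this->attempts[$ip] ?? null;
        return $entry !== null
            && $entry['count'] >= $this->maxLoginAttempt
            && $now - $entry['last'] <= $this->timeOutTime;
    }
}

// Constructed requests: nginx on 127.0.0.1 forwards two different clients.
$proxy = ['127.0.0.1'];
$alice = ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10'];
$bob   = ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'];
$now   = 1000;

// 1) Keyed on REMOTE_ADDR only (the reported behaviour): Alice's failures count against Bob.
$naive = new FailedLoginTracker();
for ($i = 0; $i < 3; $i++) {
    $naive->recordFailure($alice['REMOTE_ADDR'], $now);
}
printf("REMOTE_ADDR keying, Bob locked out after Alice's failures: %s\n",
    var_export($naive->isLockedOut($bob['REMOTE_ADDR'], $now), true));

// 2) Keyed on the proxy-aware lookup: each client has its own counter.
$aware = new FailedLoginTracker();
for ($i = 0; $i < 3; $i++) {
    $aware->recordFailure(clientIpFor($alice, $proxy), $now);
}
printf("Proxy-aware keying, Alice locked out: %s\n",
    var_export($aware->isLockedOut(clientIpFor($alice, $proxy), $now), true));
printf("Proxy-aware keying, Bob locked out: %s\n",
    var_export($aware->isLockedOut(clientIpFor($bob, $proxy), $now), true));

// 3) A request that did not arrive via our proxy is keyed on its real peer address,
//    whatever X-Forwarded-For it carries.
$direct = ['REMOTE_ADDR' => '192.0.2.55', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10'];
printf("Direct request keyed as: %s\n", clientIpFor($direct, $proxy));
```

Run with `php example.php`. Case 1 reproduces the report: all three users share the proxy's 127.0.0.1, so Bob is locked out by Alice's failures. Case 2 is the behaviour the fix restores by using one IP lookup everywhere. Case 3 is the caveat that comes with honouring X-Forwarded-For: the header is only meaningful when the request really came through your own proxy, so the lookup checks REMOTE_ADDR against a known proxy list before using it as the lockout key.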

Tags: No tags attached.
Bug heat: 6
Complete LimeSurvey version number (& build): 6a37d0c117b472bf83b7c449926c
I will donate to the project if issue is resolved: No
Browser:
Database type & version: mysql Ver 14.14 Distrib 5.5.22, for debian-linux-gnu (x86_64) using readline 6.2
Server OS (if known): Ubuntu 12.04 LTS Linux Kernel 3.12.6-x86_64-SMP-linode inside LXC container w/ Docker version 0.7.6, build bc3b2ec
Webserver software & version (if known): Apache/2.2.22 (Ubuntu)
PHP Version: PHP Version 5.3.10-1ubuntu3

Activities

mdekker

2014-03-06 12:36

reporter   ~29114

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13981

jleimgruber

2014-03-10 22:54

reporter   ~29172

Thanks, I really appreciate the super fast response!

I tested it on my local machine the day you pushed, but I am waiting for a maintenance window to roll it out.

I'll report back as soon as everything is clear (likely this weekend).

c_schmitz

2014-03-17 13:14

administrator   ~29273

2.05+ Build 140317 released

Related Changesets

LimeSurvey: master cd2b4f38

2014-03-06 11:36:20

mdekker

Fixed 08813: Failed Login Attempt locks out all users when behind nginx proxy - doesn't use sIPAddress
dev: It makes sense to use the same IP lookup everywhere in the application

Affected Issues: 08813

mod - application/core/LSUserIdentity.php
mod - application/extensions/LimeDebug/LimeDebug.php
mod - application/models/FailedLoginAttempt.php

Issue History

Date Modified Username Field Change
2014-03-06 00:24 jleimgruber New Issue
2014-03-06 12:19 mdekker Assigned To => mdekker
2014-03-06 12:19 mdekker Status new => assigned
2014-03-06 12:36 mdekker Changeset attached => LimeSurvey master cd2b4f38
2014-03-06 12:36 mdekker Note Added: 29114
2014-03-06 12:36 mdekker Resolution open => fixed
2014-03-06 12:37 mdekker Status assigned => resolved
2014-03-10 22:54 jleimgruber Note Added: 29172
2014-03-17 13:14 c_schmitz Note Added: 29273
2014-03-17 13:14 c_schmitz Status resolved => closed