Aramaech Posted July 24, 2018 Posted July 24, 2018 Where you have the option:Trust IP addresses provided by proxies? I would suggest making 2 independent options here. Essentially:Trust IP addresses provided by proxies on main site? Trust IP addresses provided by proxies on admin cp? The reason being that Cloudflare, a very popular and free CDN, does not play nice with IPB's caching. And I suspect it's not alone. When Cloudflare is enabled, and the admin is in Invision's admin cp, the admin will be logged out every time they try to save a setting or run a search, and given the error that their IP does not match the current IP of the session. The main Invision site itself is fine, as far as members and normal users go, they will not have an issue. Only the admin cp behaves this way. As it turns out, Cloudflare's trouble shooting section has an article about the issue with Invision Power Service, and the suggested fix is to toggle "Trust IP addresses provided by proxies?" to ON. Granted that this is forum software, and forums are the kind of site people will use proxies to ban-evade on, turning this option on is obviously not optimal. This leaves the admin with 2 options. 1) "Pause" Cloudflare every time they want to do anything in the admin cp 2) Set Trust IP addresses provided by Proxies to ON, and risk potential ban-evasions. Now, seeing as the main site is not effected by Cloudflare's proxy security, only the admin cp is, the admin is left wishing there was a way to trust proxied IP's in the admin cp only. This would allow them to continue using Cloudflare to speed up their site and add an extra layer of security, without having to disable it every time they want to use the admin cp. So there you have it. My suggestion is to make that toggle 2 fold, one for the main site and one for the admin cp, thereby allowing Cloudflare (and whatever other protective services may use comparable techniques) to function without compromising IPB's proxy deflection.
Mark Posted July 24, 2018 Posted July 24, 2018 You can disable IP checking for the ACP, but if you're using cloudflare you'll probably want that setting enabled anyways.
bfarber Posted July 24, 2018 Posted July 24, 2018 Yes, the problem if you don't turn that setting on is that every single user's IP address will be logged as Cloudflare generally, because that's the system actually making the request (but it passes along the actual end user's IP address as any other proxy would). In short, take the advice and enable the setting. You may not be noticing issues on the front end, but chances are session handling is not actually working the way it should because the user's real IP address can't be tracked.
Aramaech Posted July 24, 2018 Author Posted July 24, 2018 Understood, I'll enable the setting. One quick question tho, IP bans / location tracking will still be effective given that everyone's IP's are proxied?
Rhett Posted July 24, 2018 Posted July 24, 2018 5 hours ago, RobotMonkeyHæd said: Understood, I'll enable the setting. One quick question tho, IP bans / location tracking will still be effective given that everyone's IP's are proxied? If you enable the setting as you should, it will pass the proper IP to our software as normal and work as it should. If you didn't have this enabled prior, all of your users will have incorrect IP's (all cloudflare IP's)
Aramaech Posted July 26, 2018 Author Posted July 26, 2018 Cloudflare was a pretty recent addition to the site. But there's a block of time during which Cloudflare was running, and the setting was ticked to off. (about a month) Does that mean anyone banned during that block of time will now have a new IP, rendering the IP ban ineffective?
Jim M Posted July 26, 2018 Posted July 26, 2018 3 hours ago, RobotMonkeyHæd said: Cloudflare was a pretty recent addition to the site. But there's a block of time during which Cloudflare was running, and the setting was ticked to off. (about a month) Does that mean anyone banned during that block of time will now have a new IP, rendering the IP ban ineffective? With this setting off, Cloudflare's IP would be bound to the user so yes, the wrong IP would be banned in this case. However, if you banned the user's account they will still be banned and cannot log in. IP bans themselves only have a limited effectiveness as it is relatively easy to obtain a new IP so I would never suggest to treat an IP ban as an end-all solution.
bfarber Posted July 26, 2018 Posted July 26, 2018 Yes, ultimately I wouldn't rely on an IP address ban. They can be evaded fairly easily.
Aramaech Posted July 26, 2018 Author Posted July 26, 2018 Ok, understood. I have to say tho, you guys are the single most helpful, knowledgable, on point and generally awesome support team I've encountered over the years.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.