Brute force lock account rather than IP

Discussion in 'Feature Requests' started by David Fagan, May 17, 2018.

  1. David Fagan

    David Fagan New Member

    Joined:
    Apr 12, 2018
    Messages:
    5
    Likes Received:
    0
    I suspect this won't get a lot of support from the user base, but is perhaps easy enough to implement...

    We have placed our LiquidFiles server behind a reverse proxy. I'm not a big fan, but the security team insists. The issue is that the LiquidFiles server never sees the real external IP. Only the IP of the reverse proxy. If we enable Brute Force lockouts, any lockout will lockout the IP of the reverse proxy which will lockout everyone. I know, my problem.

    Anyway, if possible I'd love to see the ability to lockout a user account rather than an IP address.
     
  2. Johan

    Johan Administrator
    Staff Member

    Joined:
    Dec 1, 2015
    Messages:
    40
    Likes Received:
    1
    It's better to configure the reverse proxy to send the X-Forwarded-For header (which they usually do on default) and configure LiquidFiles to trust the X-Forwarded-For header from the reverse proxy: https://man.liquidfiles.com/system/reverse_proxy.html. That way LiquidFiles will know what the real ip of the client is and Brute Force Detection, GeoIP lookup and other things will work as expected.
     
  3. David Fagan

    David Fagan New Member

    Joined:
    Apr 12, 2018
    Messages:
    5
    Likes Received:
    0
    You've thought of everything! Thanks. I'll work with the security team to get this configured.
     

Share This Page