I have spent way too much time getting vBulletin forum software working behind a load balancer and thought I would share some experiences for anyone brave enough to try the same.
vBulletin works fine behind a load balancer out of the box, but things like banning users/IPs with failed login attempts do not, and that is essentially what I was trying to fix. If 5 different people have failed login attempts on a vBulletin support forum that is behind a load balancer, it will cause a denial of service for all other users, as they will all get a message saying: "You have used up your failed login quota! Please wait 15 minutes before trying again." That is because each login attempt is logged with the load balancer's IP address, which has replaced the originating address with its own in order for return traffic to pass through it again. The load balancer in this case is an SSL termination point in the network, which is why we need to return traffic through it.
To start with, I was reluctant to edit the source code, as that creates an internal support issue at the company where I contracted. Any customization has to be documented, and you don't know whether people always read documentation. They do, but only after breaking something and then reading the documentation to find out why it is broken, but I digress.
vBulletin in our scenario was behind a shared F5 load balancer which has been set up to add a custom HTTP header instead of the normal HTTP_X_FORWARDED_FOR header. I was hoping the fix would be as simple as adding the HTTP_X_FORWARDED_FOR header to the vBulletin VIP, which would mean no software changes would be required. This in turn means future upgrades of the software are simple, but alas that was not the case.
I have tried some suggestions from vBulletin support, none of which I could get to work for my scenario. I do not rule out that I might have done something stupid in following vBulletin support's advice...
In the vBulletin home directory, typically forums, you will find a directory called includes, and in there is a file called class_core.php, which is the file that needs to be edited.
One suggestion was to change the line:
define('IPADDRESS', $registry->ipaddress);
to
define('IPADDRESS', $this->fetch_alt_ip());
but a failed login attempt was still logged against the load balancer's IP address and not my desktop.
I also tried to add the following line to my config.php file:
$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
but I got the same result as above.
What finally did the trick for me was to change the following function as follows, which I got from http://www.vbulletin.org/forum/archive/index.php/t-149401.html:
from
function fetch_ip()
{
    return $_SERVER['REMOTE_ADDR'];
}
to
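function fetch_ip()
{
    // Use the address passed on by the load balancer when the header is set,
    // otherwise fall back to the address of the connecting machine.
    // The variable names must be quoted strings: bare words are an error in PHP 8.
    return (getenv('HTTP_X_FORWARDED_FOR'))
        ? getenv('HTTP_X_FORWARDED_FOR')
        : getenv('REMOTE_ADDR');
}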
When I have a failed login attempt now, it gets logged against the actual originating machine's IP address instead of the load balancer's IP address.
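The replacement fetch_ip() accepts the forwarded header from any connection, and that header is supplied by the client whenever a request does not come through the load balancer. A variant that honours it only when the connecting machine is the load balancer, as an added example (not vBulletin's code and not from the linked forum thread). The function name, the proxy address and the header constant are assumptions; it assumes PHP 7 or later and that the load balancer appends the address it saw as the last entry of the header.

```php
<?php
// Added example, not vBulletin code. The values below are placeholders.
const TRUSTED_PROXIES  = ['10.0.0.5'];            // constructed: the load balancer's own address(es)
const CLIENT_IP_HEADER = 'HTTP_X_FORWARDED_FOR';  // or the custom header your F5 inserts

/**
 * Return the address that failed logins should be recorded against.
 * The forwarded header is used only when the TCP peer is a trusted proxy.
 */
function fetch_client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';

    // Request did not arrive via the load balancer: ignore the header.
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer;
    }

    // The header can hold a comma-separated chain. Read it from the right:
    // the last entry is the one our own load balancer added (assumption).
    $header = $server[CLIENT_IP_HEADER] ?? '';
    $hops = array_reverse(array_map('trim', explode(',', $header)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop using the chain
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop; // first address that is not one of our proxies
        }
    }
    return $peer; // header missing or unusable: fall back to the peer address
}

// Constructed sample requests: via the load balancer, via the load balancer
// with a longer chain, direct to the web server, and with a malformed header.
$samples = [
    ['REMOTE_ADDR' => '10.0.0.5',   'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    ['REMOTE_ADDR' => '10.0.0.5',   'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7'],
    ['REMOTE_ADDR' => '192.0.2.44', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9'],
    ['REMOTE_ADDR' => '10.0.0.5',   'HTTP_X_FORWARDED_FOR' => 'not-an-ip'],
];
foreach ($samples as $sample) {
    echo fetch_client_ip($sample), "\n";
}
```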
I have found phpinfo to be very handy in debugging and finding out what env variables and HTTP headers are set in Apache. Just create an info.php with the phpinfo function in it.
The table against which failed login attempts are logged is strikes in the vBulletin database.
If this was helpful to anyone I would love to hear from you, or if you have something to add or think I am talking rubbish then make yourself heard as well.