Web UI blocked IP address of reverse proxy

CMS Version

CMS v3.0.2

Installation Method

Docker

Operating System

Ubuntu 20.04

Issue

We’re running a setup where the CMS runs on one server, and a separate server is running Apache as a reverse proxy in order to facilitate access to the CMS web interface.

The CMS sits in a private network which is not publicly exposed. The reverse proxy server also has a connection to the private network, and is publicly available on WAN.

We had got the reverse proxy all set up and working with the following config:

ProxyPreserveHost On
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Proto "https"
ProxyPass / http://[[IP of CMS]]/
ProxyPassReverse / http://[[IP of CMS]]/

The Apache virtual site is running as https, using Let’s Encrypt.

This was all working fine. Sessions in Xibo CMS were showing the IP addresses of the actual users (not the proxy), so it looks like the forwarded for headers are working.

Suddenly, the web UI would no longer load through the reverse proxy, but would load directly from within the private network. After doing some digging we found it was only not loading for the proxy server, as if Xibo CMS is blocking the private IP address of the proxy server.

We changed the private IP to a new address that had not been used before, and now it is working again.

Can anyone offer any insights into what happened here? I’m assuming that a number of failed logins triggered some kind of Fail2Ban style block, but I can’t find anywhere this might have taken effect.

Of course, I would like it to block IPs if they keep repeatedly failing to log in, but ideally that needs to happen using the forwarded for address so that the proxy server itself isn’t blocked.

Is there something I’m missing here?

Thanks!
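The behaviour asked for in the post above, as an added example that is not part of the original post and is not Xibo's own code: a failed-login throttle keyed on the forwarded client address, which honours X-Forwarded-For only when the request arrives from the known reverse proxy. The proxy address `10.0.0.5`, the limits, and all function and class names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed values: the proxy's private address and the throttle limits.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
MAX_FAILURES, WINDOW_SECONDS = 5, 300

def is_trusted(addr):
    """True if addr parses as an IP and belongs to a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer_addr, x_forwarded_for):
    """Return the address a request should be attributed to."""
    # A peer that is not our proxy can send any header it likes: ignore it.
    if not is_trusted(peer_addr) or not x_forwarded_for:
        return peer_addr
    # Walk right to left: the proxy appends the address it saw, so the first
    # untrusted entry from the right is the real client. Anything further
    # left was supplied by the client and cannot be trusted.
    for hop in reversed(x_forwarded_for.split(",")):
        hop = hop.strip()
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed header: fall back to the TCP peer
        if not is_trusted(hop):
            return hop
    return peer_addr

class LoginThrottle:
    """Sliding-window failed-login counter keyed on the resolved client IP."""
    def __init__(self):
        self.failures = defaultdict(deque)

    def record_failure(self, peer_addr, xff, now):
        self.failures[client_ip(peer_addr, xff)].append(now)

    def is_blocked(self, peer_addr, xff, now):
        q = self.failures[client_ip(peer_addr, xff)]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()  # forget failures older than the window
        return len(q) >= MAX_FAILURES
```

With this keying, repeated failures from one forwarded address block only that address, while other users arriving through the same proxy are unaffected.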
