Random logouts

  • Random logouts

    Hi !

    Recent vb4 -> vb5 upgrade.
    Experiencing forced logout moments after login. Both on the user and admin side.
    In the admin control panel I can log in and get the left menu (iframe) but the main content iframe will show the login dialog at the same time.
    1. vBulletin Version - vBulletin 5.6.1 Patch level 1
    2. PHP Version - 7.2.30-1+ubuntu16.04.1+deb.sury.org+1
    3. MySQL Version - 5.7.11-0ubuntu6
    4. Any Addons installed.
    5. Does the issue occur in a default style? Yes
    6. Does the issue occur using the English language provided? Yes
    7. Error message on the screen. - Login dialog shown
    8. Browser and Browser version used. - Google Chrome 81.0.4044.138
    9. Did you clear the browser cache and did the error continue? Yes, cleared all cookies
    10. A list of steps that can be used to recreate the issue. - see above
    11. Output of the error with vBulletin in Debug Mode.
    12. If the issue is an Invalid Server (500 server error) response, the web server and PHP logs that correspond with its timestamp.
    If relevant, the site is using CloudFlare for DNS/HTTPS

    Any ideas?

  • #2
    Are you using CloudFlare for Performance Caching? If so, you need to make sure that vBulletin is configured to handle it properly. This is done in the /core/includes/config.php file by uncommenting the CloudFlare lines.

    Find this code:

    PHP Code:
    //Default proxy settings for common proxy providers.  Uncommenting this will override any previous proxy
    //configuration (and thus only one of them can be used).
    /*
    //default configuration for Cloudflare proxy.
    $config['Misc']['proxyiplist'] = '103.21.*, 103.22.*, 103.31.*, 104.16.*, 108.162.*, 131.0.*, ' . 
        '141.101.*, 162.158.*, 172.64.*, 173.245.*, 188.114.*, 190.93.*, 197.234.*, 198.41.*, ' . 
        '2400:cb00:*, 2405:b500:*, 2606:4700:*, 2803:f800:*, 2c0f:f248:*, 2a06:98c0:*';

    $config['Misc']['proxyipheader'] = 'HTTP_CF_CONNECTING_IP';
    */ 
    Remove the /* and */ from the code block.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API



    • #3
      The code above does not match what CloudFlare publishes. For example, CloudFlare publishes 103.21.244.0/22 and the pattern above matches 103.21.0.0/16. There are 1024 valid addresses in the range 103.21.244.0/22 (103.21.244.0 to 103.21.247.255). The pattern in the code above '103.21.*' matches 65536 addresses, 64,512 of which should not be treated as CloudFlare edge locations.

      Is this necessary for Amazon CloudFront also? The IP addresses used by CloudFront change regularly (a few times a year) as Amazon brings on new edge locations and adjusts its IP address space. Does this file have to be updated every time Amazon adjusts its IP space?

      Amazon CloudFront has 98 different ranges (Amazon has over 100 edge locations around the globe. Which IP connects to vBulletin depends on where the end user is sitting). The following command returns the list of current CloudFront IP ranges.
      Code:
      curl -s 'https://ip-ranges.amazonaws.com/ip-ranges.json' | jq -r '.prefixes[] | select(.service=="CLOUDFRONT") | .ip_prefix'
      A string match in PHP over a list of 98 IP ranges against the source IP address of each and every web request would not be scalable. There needs to be a better way.

      CloudFront sets a user agent "Amazon CloudFront" on each request it proxies. It also has a number of standard HTTP headers like these:
      Code:
      via: 1.1 48c70f7a0c91fc5e8cb64d6c71ad9827.cloudfront.net (CloudFront)
      x-amz-cf-pop: IAD89-C2
      Likewise CloudFlare sets a standard header CF-Cache-Status. Could vBulletin use those headers instead of IP range pattern matching hardcoded in a config file?

      A better answer is probably to put these restrictions in the httpd.conf file. The Apache 2.4 mod_authz_host can take CIDR ranges and block/redirect requests that come from the wrong ranges. Apache can even set an environment variable/header based on matching a CIDR range with SetEnvIf. It might be more effective to have the web server do these bits and have vBulletin just leverage that environment variable rather than try to do string pattern matching.



      • #4
        vBulletin does not understand the CIDR notation. As of the time the change was made, we listed the IP Addresses that Cloudflare provided. If they have changed their available addresses, then the code will need to be changed to fit. This is one of the reasons why it is in the config.php file. It is up to the customer to make sure that their server configuration conforms with the requirements of the services they are using.

        95% of our customers do not have access to the httpd.conf file. They are running on shared hosting providers. If you can take advantage of the httpd.conf file, then you should.
        Translations provided by Google.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API
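
Post #3's point about '103.21.*' versus 103.21.244.0/22, and the CIDR support post #4 says vBulletin lacks, as an added PHP example (not code from the thread or from vBulletin): the forwarded-IP header is honoured only when the connecting peer is inside a listed CIDR range. Function names are hypothetical, the prefix match is an assumed stand-in for vBulletin's wildcard handling, and the two requests are constructed.

```php
<?php
// Added example: not vBulletin code. Function names are hypothetical.

// True if $ip lies inside $cidr (IPv4 or IPv6); a prefix length is required.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2) + [1 => ''];
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)
        || !ctype_digit($bits) || (int) $bits > strlen($ipBin) * 8) {
        return false;   // malformed input, family mismatch or bad prefix length
    }
    $whole = intdiv((int) $bits, 8);                 // bytes that must match exactly
    $mask  = (0xFF00 >> ((int) $bits % 8)) & 0xFF;   // leftover bits in the next byte
    return strncmp($ipBin, $netBin, $whole) === 0
        && ($mask === 0 || ((ord($ipBin[$whole]) ^ ord($netBin[$whole])) & $mask) === 0);
}

// Assumed stand-in for the config.php wildcard style: a plain prefix match.
function ip_matches_wildcard(string $ip, string $pattern): bool
{
    $prefix = rtrim($pattern, '*');
    return strncmp($ip, $prefix, strlen($prefix)) === 0;
}

// Honour the forwarded header only when the TCP peer is a trusted proxy.
function client_ip(array $server, array $trusted, string $header): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            $fwd = $server[$header] ?? '';
            return filter_var($fwd, FILTER_VALIDATE_IP) !== false ? $fwd : $peer;
        }
    }
    return $peer;   // header ignored: request did not arrive via the proxy
}

// Constructed requests: identical header, different TCP peers.
$hdr     = 'HTTP_CF_CONNECTING_IP';
$inside  = ['REMOTE_ADDR' => '103.21.245.10', $hdr => '198.51.100.7'];
$outside = ['REMOTE_ADDR' => '103.21.1.1',    $hdr => '198.51.100.7'];
foreach ([$inside, $outside] as $req) {
    printf("%-14s wildcard=%d cidr=%d client=%s\n", $req['REMOTE_ADDR'],
        ip_matches_wildcard($req['REMOTE_ADDR'], '103.21.*'),
        ip_in_cidr($req['REMOTE_ADDR'], '103.21.244.0/22'),
        client_ip($req, ['103.21.244.0/22'], $hdr));
}
```

The second constructed peer, 103.21.1.1, matches the wildcard but not the published /22, so a wildcard-based trust list would accept its header while the CIDR check falls back to the peer address.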
