Jetpack blocks login, shows CloudFlare IP as problem

I believe this might be related to CloudFlare APO on our WordPress site, although it’s been enabled on our site for about a month and we haven’t had problems until now.

We just started seeing this error when trying to log in:

Jetpack has locked your site’s login page.

Your IP address 172.68.174.90 has been flagged for potential security violations. You can unlock your login by sending yourself a special link via email.

That IP address is CloudFlare’s, not mine. Also, sending that special link to myself and trying to log in again gives the message “An error was encountered when trying to authenticate. Please try again.” on the WordPress login page.

I also tried whitelisting my IP address in wp-config.php, but it doesn’t work either - I guess because Jetpack doesn’t even see my IP, it sees CloudFlare’s?

In WordPress, when looking under Jetpack->Settings->Security->Brute force attack protection, it also shows my IP address as 172.68.174.122, which is another CloudFlare IP, not mine.

So I’m not sure if this is an issue with CloudFlare or Jetpack, and how we would go about solving it. We’d rather not disable CloudFlare APO or Jetpack Brute force protection.

When APO is activated, both CF-Connecting-IP and X-Forwarded-For headers pass the real user IP. I don’t know Jetpack’s configuration, but it should use the value from the header to properly detect users’ IPs.

I tried using PHP’s getallheaders() function in my WordPress backend to show all the request headers, and only CF-Connecting-IP is set. The IP address there is my real IP. However, X-Forwarded-For is not set, and I’m guessing that’s what Jetpack needs to work properly.

Do you know why X-Forwarded-For wouldn’t be set?

If I loop through the $_SERVER variable instead of using getallheaders(), the X-Forwarded-For header is there and it has my correct IP address.

I guess this means the issue is on Jetpack’s end?

These 3 variables each had the correct IP address:

  • HTTP_CF_CONNECTING_IP
  • HTTP_X_FORWARDED_FOR
  • REMOTE_ADDR

This one was incorrect (CloudFlare IP):

  • HTTP_X_REAL_IP

I’ve added this to the end of my wp-config.php file to change HTTP_X_REAL_IP to the IP address in REMOTE_ADDR:

// Overwrite the X-Real-IP value (a CloudFlare edge address) with REMOTE_ADDR, which holds the real client IP on this host
if (isset($_SERVER['HTTP_X_REAL_IP']) && isset($_SERVER['REMOTE_ADDR']) && $_SERVER['HTTP_X_REAL_IP'] != $_SERVER['REMOTE_ADDR']) {
    $_SERVER['HTTP_X_REAL_IP'] = $_SERVER['REMOTE_ADDR'];
}

This is probably not the right way to fix this problem, but it seems to work. In Jetpack’s “Brute force attack protection” settings, it now shows my IP instead of CloudFlare’s.

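A more defensive version of the wp-config.php override above, added here as an example and not code from the thread, Jetpack or Cloudflare: it honours CF-Connecting-IP only when the TCP peer (REMOTE_ADDR) is a Cloudflare edge, and otherwise keeps REMOTE_ADDR. On the poster’s host REMOTE_ADDR already holds the client IP, so the function simply returns it; the header path matters where the web server has not restored the real IP. The CIDR list is a constructed sample and must be kept in sync with Cloudflare’s published ranges.

```php
<?php
// Added example: choose the client IP a reverse-proxy-aware site should
// expose to plugins that read HTTP_X_REAL_IP (such as Jetpack here).
// Sample ranges only; keep them in sync with https://www.cloudflare.com/ips/
const CLOUDFLARE_RANGES = [
    '172.64.0.0/13',   // sample entry; contains the 172.68.174.x edges quoted above
    '104.16.0.0/13',   // sample entry
];

// True when an IPv4 address falls inside a CIDR block (IPv6 not handled here).
function ip_in_cidr(string $ip, string $cidr): bool {
    $parts = explode('/', $cidr, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$net, $bits] = $parts;
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function is_cloudflare_peer(string $remoteAddr): bool {
    foreach (CLOUDFLARE_RANGES as $cidr) {
        if (ip_in_cidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

// Returns the address to treat as the visitor's IP.
function resolve_client_ip(array $server): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    $cf   = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    // Trust the header only when the connection really came from Cloudflare;
    // a direct request to the origin could otherwise supply any value here.
    if ($cf !== '' && is_cloudflare_peer($peer) && filter_var($cf, FILTER_VALIDATE_IP)) {
        return $cf;
    }
    return $peer;
}

// In wp-config.php: normalise the header Jetpack reads before WordPress loads.
$_SERVER['HTTP_X_REAL_IP'] = resolve_client_ip($_SERVER);
```

If the origin is reachable from outside Cloudflare, REMOTE_ADDR is the only value the server itself vouches for, which is why the fallback returns it unchanged.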

Thanks for the report, we will make a change to set x-real-ip in addition to x-forwarded-for.