Wordpress | APO | Memberpress | Login Users

Hi all,

I need your help. I’ve been using Cloudflare for a few months. I’m satisfied, but since then my memberpress-users have had problems logging in. Not all and constantly, but a significant part every day and I don’t recognise a pattern.

What could it be? I considered page rules and SSL. So please check my settings:

Briefly about the requirements:

:heavy_check_mark: WordPress
:heavy_check_mark: Memberpress plugin
:heavy_check_mark: Cloudflare Plugin: APO on

My Cloudflare settings:

  1. Login | Kochbücher & ihre besten Rezepte
    Security deactivated, Cache-Level: Bypass, Performance deactivated
  2. Anmelden ‹ Valentinas | Best of Cookbooks — WordPress
    Security deactivated, Cache-Level: Bypass, Performance deactivated
  3. https://valentinas-kochbuch.de/wp-admin*
    Security deactivated, Cache-Level: Bypass, Performance deactivated

    11.valentinas-kochbuch.de/*
    Cache-Level: Standard, Edge-Cache-TTL: 7 days, Origin Cache Control: on

SSL/TLS: Full

Thank you in advance!

Katharina

Hi Katharina, do you restore the real visitors' IPs with Nginx or Apache?
If not, that mostly is the problem. What webserver do you use? Nginx or Apache?

Best regards

Hi, I use an Apache web server.

May you explain what's happening? And how can I solve it?

Thank you!

First, this article should explain how to restore original IPs behind Cloudflare: https://support.cloudflare.com/hc/de/articles/200170786

What is happening is this:
Your visitors are calling your page and are getting proxied through Cloudflare to your server. Now Cloudflare receives your visitor's IP and your server receives Cloudflare's IP. But Cloudflare does have a bunch of IPs, which can rotate. They even can rotate between requests.

So to let your server know the real IP of your visitor, so it can identify him, you need to restore the original IP of your visitors.

I use Nginx where I have predefined scripts which do this for me recurringly, but if you follow the tutorial in the above link you can make it work for Apache as well :slight_smile:

This applies to everything session based.

Thank you very much. Now I understand better what is happening there.

A question: I use Wordfence as a security plugin. In the settings I have the following setting:

How does Wordfence get IPs:
:heavy_check_mark: Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP. Only use if you’re using Cloudflare.

Could that be relevant to the problem?

Thank you in advance.
Katharina

Yes, this can affect it. Quoting the Dev: Automatic Platform Optimization Enabled & I No Longer See Visitor IP? - #43 by yevgen

So both, CF-Connecting-IP and X-Forwarded-For should contain the real IP and therefore should work when using APO.


Thank you for your quick answer. So concerning wordfence my settings are already correct. :relaxed:

I will now test if the SSL-setting “full” vs “full (strict)”. I had read here that this helps, but only in relation to “flexible” >“full (strict)” and for admins.

Then I check your solution: restoring original IPs. I’ll let you know. It takes a little time; somebody else will do that for me.

:raising_hand_woman: If you have a further idea, please let me know.

The only recommended setting is “Full (Strict)” since it guarantees the integrity of all SSL certs in the chain. Flexible is a snitch since it seems secure to the outside but is unencrypted in the second chain (Cloudflare to Origin)

Without any details about the setup and logs for the time when people are suddenly logged out I sadly can't help any further.

Regards :slight_smile:

Thank you. Regards back to you!


I just asked my provider (Domainfactory) if I can make the Apache change for restoring as described. Unfortunately, the customer service wrote this:

“For security reasons, this module is not available on our servers, we apologize. It also cannot be installed later. The background is that this module can be used to disguise or fake the sender of a request on the server. However, a number of our security routines are based on the fact that this is not possible.”

Hm. Do you know another way to solve the restoring?

If you are using CF-Connecting-IP or X-Forwarded-For any additional restoration with the webserver actually is not required, I anyway do it like this. We first should find out why this really happens, since if you use CF-Connecting-IP or X-Forwarded-For (and it works) it maybe is not related to the original IP. Logs or any additional info would be welcome.

If it always happens within the same time since login, it’s possible that the session expired due to any session expiration setting?

Could be a lot of reasons. To really debug this more info is required.

You can check your PHP settings by creating a php file called “info.php” with this content:

<?php
  phpinfo();
?>

then call this file and see if there are any session settings that let all cookies/sessions expire after a certain time.

After you are done, save the output of this file and delete the file. Do not forget this, since this can expose sensitive information.

I am pretty sure that it is connected with Cloudflare because the problem first started by using Cloudflare.
To prevent a logout I have been using the following plugin for a long time: WordPress Persistent Login.

I don’t understand the difference between: CF-Connecting-IP or X-Forwarded-For. Could it make a difference?

X-Forwarded-For is more global, while CF-Connecting-IP is Cloudflare exclusive, but the value they contain (the real IP) should be the same. So you can use one or the other, should not make a difference.

I can not comment on third-party plugins/apps. Also I don’t know this plugin.

Like I said, to go further we would need more info. Everything else would be a wild guess.
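Added example, not part of any post above and not code from Cloudflare or the hosting provider: where the Apache module is unavailable, the visitor IP can be restored in PHP, trusting CF-Connecting-IP only when the connecting peer is a Cloudflare address, which covers the forged-sender concern the provider raised. It assumes the code is loaded early (for instance at the top of wp-config.php); the function names are hypothetical and the range list is an excerpt of what Cloudflare publishes at https://www.cloudflare.com/ips/.

```php
<?php
// Added example (not from the thread). Function names are hypothetical.
// Excerpt of Cloudflare's published ranges; this example assumes you replace
// it with the full, current list from https://www.cloudflare.com/ips/.
const CF_RANGES = [
    '173.245.48.0/20', '103.21.244.0/22', '104.16.0.0/13',
    '172.64.0.0/13', '162.158.0.0/15', '2606:4700::/32',
];

// True if $ip lies inside $cidr; works for IPv4 and IPv6.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // malformed address or IPv4/IPv6 mismatch
    }
    $fullBytes = intdiv((int) $bits, 8);
    $remBits   = (int) $bits % 8;
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    if ($remBits === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remBits)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

// Returns the visitor IP: the header value only if the peer is Cloudflare.
function restore_client_ip(array $server): string
{
    $peer    = $server['REMOTE_ADDR'] ?? '';
    $claimed = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    foreach (CF_RANGES as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            // Request came through Cloudflare: accept a well-formed header.
            return filter_var($claimed, FILTER_VALIDATE_IP) ? $claimed : $peer;
        }
    }
    return $peer; // direct connection: ignore the header, it may be forged
}

if (isset($_SERVER['REMOTE_ADDR'])) {
    $_SERVER['REMOTE_ADDR'] = restore_client_ip($_SERVER);
}
```

A request that reaches the origin directly with a hand-written CF-Connecting-IP header keeps its own peer address, so the header cannot be used to impersonate another visitor.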

Hi all,

I think I’m in a similar situation,

I have started using Cloudflare with APO enabled (with the WordPress plugin enabled) - this was working great in terms of speed but would not appear to respect logged in users. It would alternate between appearing like the user was logged in and then logged out on different pages. When I disable APO, this appears to disappear. I cannot find any settings / understand why is this happening.

I presumed that logged in users were bypassed with APO? Is this not the case?

I was wondering if you had any advice to fix this please?

I am using:

  • WordPress
  • Restrict content pro
  • Cloudflare with apo on

Thanks for the advice :slight_smile:

Thank you @sam.sowens

Hello, I tested it but it doesn’t help me. I don’t have any advice as to why users do not have to log in again and again or have to delete their browser data in order for the login to work. Security? Cache? No idea.

Another problem is that the page on which the user logs in does not reload and the user continues to see the page from the cache. This mainly applies to Safari mobile.

Best
