We’ll be running a 9.2.x Site which is accessible only for logged in users. Most of them (a few hundred) will access the site from behind 5 proxies.
When some users provide the wrong password when trying to log in, Concrete will block further login attempts for all users, right? So no one can login in that period of time.
Are there other things coming up when so many users are behind a few proxy Servers/IPs?
Can I somehow whitelist these 5 proxy servers? Is the “Trusted proxies” page in the dashboard for this situation? I didn’t find much documentation on this… What’s trusted proxies for?
What would be a proper solution if trusted proxies isn’t right?
When a Concrete website is “behind” a proxy, Concrete by default sees that the users come from the IP of the proxy, not from their actual IPs.
In order to let Concrete know the correct visitors’ IPs, proxies send special headers to Concrete.
In order to avoid security issues, you have to tell Concrete which are the proxies that can be trusted (and the dashboard page you are referring to should provide enough details to help you with this configuration).
Thanks for the clarification @mlocati . I saw you provided the dashboard page. I really appreciate your work for Concrete!
BTW: to prevent a proxy or IP to get blocked for minutes so no other user from that proxy/IP can login, you have to set the IP in the Allowlisted IP addresses dashboard page. Seems to work for me.
@core77 if you configured correctly Concrete at the page
/dashboard/system/permissions/trusted_proxies, Concrete will never use the IP of the proxy, only the IPs of the actual visitors.
So, adding the proxy IPs to the allow list (
dashboard/system/permissions/denylist) shouldn’t be necessary.
In any case, you can check the IPs that are blocked (or are going to blocked) in the
IpAccessControlEvents database table (where
iaceCategory is the ID of the record in the
IpAccessControlCategories database table).