Reverse proxy configuration for Drupal 7 sites

Update 13/7/2015: If you’re doing this for your Drupal 7 site, you should probably also read this blog post about updating your Varnish and Apache / nginx configuration so that the real IP address of visitors is logged properly.

A common mistake I often see from developers who have a Varnish server (or another type of content cache) in front of their Drupal 7 site is that they forget to add these lines to their settings.php:

// reverse proxy support to make sure the real ip gets logged by Drupal
$conf['reverse_proxy'] = TRUE;
$conf['reverse_proxy_addresses'] = array('127.0.0.1');
$conf['reverse_proxy_header'] = 'HTTP_X_FORWARDED_FOR';

The default.settings.php does contain a very clear comment about why and when to use it:

/**
 * Reverse Proxy Configuration:
 *
 * Reverse proxy servers are often used to enhance the performance
 * of heavily visited sites and may also provide other site caching,
 * security, or encryption benefits. In an environment where Drupal
 * is behind a reverse proxy, the real IP address of the client should
 * be determined such that the correct client IP address is available
 * to Drupal's logging, statistics, and access management systems. In
 * the most simple scenario, the proxy server will add an
 * X-Forwarded-For header to the request that contains the client IP
 * address. However, HTTP headers are vulnerable to spoofing, where a
 * malicious client could bypass restrictions by setting the
 * X-Forwarded-For header directly. Therefore, Drupal's proxy
 * configuration requires the IP addresses of all remote proxies to be
 * specified in $conf['reverse_proxy_addresses'] to work correctly.
 *
 * Enable this setting to get Drupal to determine the client IP from
 * the X-Forwarded-For header (or $conf['reverse_proxy_header'] if set).
 * If you are unsure about this setting, do not have a reverse proxy,
 * or Drupal operates in a shared hosting environment, this setting
 * should remain commented out.
 *
 * In order for this setting to be used you must specify every possible
 * reverse proxy IP address in $conf['reverse_proxy_addresses'].
 * If a complete list of reverse proxies is not available in your
 * environment (for example, if you use a CDN) you may set the
 * $_SERVER['REMOTE_ADDR'] variable directly in settings.php.
 * Be aware, however, that it is likely that this would allow IP
 * address spoofing unless more advanced precautions are taken.
 */
# $conf['reverse_proxy'] = TRUE;

If you don’t configure this setting when you have Varnish, all your Drupal requests will have 127.0.0.1 (the IP address of the Varnish server) as the source IP address of the connection. You can easily see this in the webserver and watchdog logs.

This might not seem like a big deal, but Drupal also has something called ‘flood protection’. This protection bans users by IP address if they have made too many failed logins in a period of time (the default is 50 failed logins over 1 hour).

And what do you think happens when all your users come from the same IP and the flood protection gets triggered? Yup, everyone gets banned.
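To make the trust rule concrete, here is an added Python model of how Drupal 7 picks the address it logs. It is not the page's or Drupal's own code; it mirrors the logic of Drupal 7's ip_address() in includes/bootstrap.inc, and every request value below is constructed.

```python
# Model of how Drupal 7 resolves the client IP (ip_address() in bootstrap.inc).
# It shows why reverse_proxy must be on AND reverse_proxy_addresses must be
# complete: only then does the X-Forwarded-For hop added by Varnish get used,
# while hops a visitor forged in front of it are ignored.
# All sample requests here are constructed, not taken from real logs.


def resolve_client_ip(server, conf):
    """Return the IP Drupal 7 would log for one request.

    server: dict standing in for PHP's $_SERVER (REMOTE_ADDR, HTTP_X_FORWARDED_FOR)
    conf:   dict standing in for the $conf keys set in settings.php
    """
    ip = server["REMOTE_ADDR"]
    if not conf.get("reverse_proxy"):
        return ip                          # feature off: Varnish's own IP is logged

    header = conf.get("reverse_proxy_header", "HTTP_X_FORWARDED_FOR")
    raw = server.get(header, "")
    if not raw:
        return ip

    trusted = set(conf.get("reverse_proxy_addresses", []))
    # Hop list: the forwarded addresses, then the peer that actually connected.
    hops = [h.strip() for h in raw.split(",")] + [ip]
    # Drop every trusted proxy; the right-most remaining hop is the most specific
    # address we can trust (everything further left is under client control).
    untrusted = [h for h in hops if h not in trusted]
    # Drupal's array_pop() would give NULL on an empty list; fall back to the
    # peer address here so the function always returns something loggable.
    return untrusted[-1] if untrusted else ip


# The settings.php lines from this post, as a dict.
CONFIGURED = {"reverse_proxy": True,
              "reverse_proxy_addresses": ["127.0.0.1"],
              "reverse_proxy_header": "HTTP_X_FORWARDED_FOR"}


def demo():
    # Varnish on 127.0.0.1 forwarding a visitor from 203.0.113.7 (constructed).
    via_varnish = {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_FORWARDED_FOR": "203.0.113.7"}
    # Same visitor, but they sent a fake hop and Varnish appended the real one.
    padded = {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_FORWARDED_FOR": "198.51.100.9, 203.0.113.7"}
    # A client reaching the webserver directly, bypassing Varnish, with a forged header.
    direct = {"REMOTE_ADDR": "203.0.113.7", "HTTP_X_FORWARDED_FOR": "198.51.100.9"}
    return {
        "unconfigured":  resolve_client_ip(via_varnish, {}),          # 127.0.0.1
        "configured":    resolve_client_ip(via_varnish, CONFIGURED),  # 203.0.113.7
        "padded":        resolve_client_ip(padded, CONFIGURED),       # 203.0.113.7
        "direct_forged": resolve_client_ip(direct, CONFIGURED),       # 203.0.113.7
    }
```

The "unconfigured" case is the one that trips flood protection: every visitor behind Varnish resolves to 127.0.0.1, so one visitor's failed logins count against all of them.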
