Can't login with "Allow Admin" set in Logs, Screened IPs

(Ben) #1

So, when I log in to Discourse under my admin account it shows this:

Can you guys help? I can log in after resetting a password.

(Robin Ward) #2

Do you have any IP ranges blacklisted in your admin section?

(Ben) #3

No. I wish that was the problem

(Robin Ward) #4

That specific error should only show up when there is a screened IP address record for your IP. Does it happen for any other users?

(Ben) #5

No. Only me, I have tried with others on my computer, too

(Ben) #6

I’ve also tried to log in from my phone (over cellular), and that doesn’t work.

(Robin Ward) #7

I’m gonna take a look at this. I did change the check for banned IPs on logins recently, however I haven’t heard about it being broken before now.

(Robin Ward) #8

How are you hosting this site? Are you using our docker set up? Is there a proxy in front of it? I am wondering if perhaps the IP address is not being passed through properly.

(Ben) #9

Docker from Digital Ocean. It just stopped working today, no updates (I think, @hunterboerner might have broken it… but it was probably my fault…)

(Kane York) #10

You’re looking for any records that look like this in Screened IPs:

If any are set, then admins can ONLY log in from those IPs.

@hunterboerner, did you set an Allow Admin IP record?
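
The rule described in post #10, as an added example that is not part of the thread and is not Discourse's own code: once any allow-admin record exists, admin logins succeed only from matching addresses, while ordinary users are unaffected. The `ScreenedIp` struct, the `login_decision` helper, the reason symbols and the sample records are assumptions made for illustration.

```ruby
require "ipaddr"

# Simplified model (assumption, not Discourse's schema): a screened-IP record
# is a CIDR range plus an action such as :block or :allow_admin.
ScreenedIp = Struct.new(:range, :action) do
  def match?(ip)
    IPAddr.new(range).include?(IPAddr.new(ip))
  rescue IPAddr::Error
    false # unparseable addresses never match
  end
end

# Returns [allowed, reason]. The reason separates "this IP is blocked" from
# "admins may not log in from this IP", the distinction requested in post #15.
def login_decision(records, ip:, admin:)
  return [false, :ip_blocked] if records.any? { |r| r.action == :block && r.match?(ip) }
  return [true, :ok] unless admin

  allow = records.select { |r| r.action == :allow_admin }
  # No allow-admin records: admins are treated like everyone else.
  return [true, :ok] if allow.empty? || allow.any? { |r| r.match?(ip) }

  [false, :admin_not_allowed_from_ip]
end

# Constructed sample data (documentation address ranges).
RECORDS = [
  ScreenedIp.new("203.0.113.0/24", :allow_admin),
  ScreenedIp.new("198.51.100.66", :block),
].freeze

if __FILE__ == $PROGRAM_NAME
  [
    ["203.0.113.25",  true],  # admin inside the allowed range
    ["192.0.2.10",    true],  # admin elsewhere (e.g. phone on cellular)
    ["192.0.2.10",    false], # ordinary user from the same address
    ["172.17.0.1",    true],  # admin, but the app sees a proxy address
    ["198.51.100.66", false], # blocked address
  ].each do |ip, admin|
    puts format("%-15s admin=%-5s -> %p", ip, admin, login_decision(RECORDS, ip: ip, admin: admin))
  end
end
```

The `172.17.0.1` row covers the question in post #8: if a proxy's address reaches the application instead of the client's, an admin sitting on an allowed network is still refused.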

(Ben) #11

It most likely was me :stuck_out_tongue:

I’ll take a look. Thanks!

(Theron Boerner) #12

… Somebody added one in there. I removed it. Do you know why changes to screened IPs don’t show up in the admin logs?

(Kane York) #13

This feature was added for Twitter, who wanted an extra layer of security on the forum admins. With that, anyone who compromised a set of admin credentials would need to also compromise one of the admin’s actual computers or network connections, otherwise they wouldn’t be able to complete an SSL handshake.

That said, security at the expense of usability comes at the expense of security. I wouldn’t recommend that anyone use this feature.

(Ben) #14

Makes sense. Anyways thanks! It’s working now. I really think it was me

(Jeff Atwood) #15

One tweak here @neil – this should say

you cannot log in as admin from that IP address

so it is clearer what is actually going on.

I know that would help me a lot in diagnosing this and it has come up with one customer already…

(Ben) #16

Maybe add a way to automatically turn it off from email?