Avoid getting banned by Drupal flood protection when using Varnish


Drupal has a flood protection feature, which bans a user after a number of failed login attempts:

"Drupal 7 prevents brute force attacks on accounts. It blocks login by a user that has more than 5 failed login attempts (within six hours) or an IP address that has more than 50 failed login attempts (within one hour)."

From Login blocked after 5 failed login attempts

If you use Varnish in front of Drupal, you need to tell Drupal about it in settings.php; otherwise every request appears to come from 127.0.0.1 (the Varnish instance) as far as Drupal is concerned. The IP-based flood limit is then counted against that single address, so if one visitor triggers Drupal's flood protection, everyone gets banned. To avoid this, insert the following in your settings.php, and restart Varnish and Apache:

// reverse proxy support to make sure the real ip gets logged by Drupal
$conf['reverse_proxy'] = TRUE;
$conf['reverse_proxy_addresses'] = array('127.0.0.1');
$conf['reverse_proxy_header'] = 'HTTP_X_FORWARDED_FOR';
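To see what these three settings change, here is an added stand-alone script (not from the original post and not Drupal's own code) that re-implements the client-address resolution the way Drupal 7 is assumed to do it: the forwarded header is trusted only when REMOTE_ADDR is one of the listed proxy addresses, and the right-most address that is not itself a listed proxy is taken as the client. The sample addresses are constructed.

```php
<?php
// Added example: stand-alone model of Drupal 7 client-IP resolution under the
// reverse proxy settings from settings.php. Run with: php check.php
// Assumption: Drupal trusts $conf['reverse_proxy_header'] only when
// REMOTE_ADDR is in $conf['reverse_proxy_addresses'].
function resolve_client_ip(array $server, array $conf) {
    $ip = $server['REMOTE_ADDR'];
    if (empty($conf['reverse_proxy'])) {
        return $ip;                    // feature off: Varnish's own address is used
    }
    $header  = isset($conf['reverse_proxy_header']) ? $conf['reverse_proxy_header'] : 'HTTP_X_FORWARDED_FOR';
    $proxies = isset($conf['reverse_proxy_addresses']) ? $conf['reverse_proxy_addresses'] : array();
    if (empty($server[$header]) || !in_array($ip, $proxies, TRUE)) {
        return $ip;                    // no header, or request did not arrive via a trusted proxy
    }
    $forwarded = array_map('trim', explode(',', $server[$header]));
    $untrusted = array_diff($forwarded, $proxies);   // drop our own proxy hops
    return empty($untrusted) ? $ip : array_pop($untrusted);
}

$conf = array(
    'reverse_proxy'           => TRUE,
    'reverse_proxy_addresses' => array('127.0.0.1'),
    'reverse_proxy_header'    => 'HTTP_X_FORWARDED_FOR',
);

// Constructed requests: (server vars, settings in effect, expected client IP).
$cases = array(
    'via Varnish, settings missing'    => array(array('REMOTE_ADDR' => '127.0.0.1',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.7'), array(), '127.0.0.1'),
    'via Varnish, settings in place'   => array(array('REMOTE_ADDR' => '127.0.0.1',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.7'), $conf, '203.0.113.7'),
    'via Varnish, two proxy hops'      => array(array('REMOTE_ADDR' => '127.0.0.1',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 127.0.0.1'), $conf, '203.0.113.7'),
    'direct to Apache, header present' => array(array('REMOTE_ADDR' => '198.51.100.9',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.7'), $conf, '198.51.100.9'),
);

foreach ($cases as $name => $case) {
    list($server, $c, $expected) = $case;
    $got = resolve_client_ip($server, $c);
    printf("%-34s -> %-15s %s\n", $name, $got, $got === $expected ? 'ok' : 'MISMATCH');
}
```

The first case is the problem the post describes (every visitor resolves to 127.0.0.1, so one person's failed logins count against all), and the last case shows why the address list matters: a request that reaches Apache without passing through Varnish keeps its real REMOTE_ADDR and its forwarded header is ignored.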

For more information, see Reverse proxy configuration for Drupal 7 sites.