Login Lock

  • Last update:  2024-01-26
  • Overview

    Version

    Report Server Version: 11.0
    App Version: V11.0

    Application Scenario

    If SMS verification is not enabled, the number of failed login attempts is not limited. An attacker can then brute-force an account (by enumerating candidate passwords) and log in to the platform, which poses a great threat to the platform's security.

    An anti-brute-force login function is therefore important and necessary.

    Function Description

    Enable Login Lock to prevent brute force attacks.

    Example

    Login Lock Enabling

    Log in to the decision-making platform as the admin, choose System Management > System Setting > Login, and enable Login Lock, as shown in the following figure.

    [Figure: 1.png]

    Error Time Limit

    For example, if you set Error Time Limit to If Password Error Reaches 5 Time(s), Lock Login for 60 Minute(s), the account being logged in to will be locked for 60 minutes after 5 incorrect password attempts.

    1. The following figure shows the effect on PC.

     [Figure: 2.png]

    2. The following figure shows the effect on the DataAnalyst app.

     [Figure: 3.png]

    Lock Object

    Note:
    Users who use the Nginx reverse proxy are advised to set Lock Object to Account; otherwise all users may be unable to log in to the platform. For details, see the section "Platform Login Failure for All Users."

    Lock Object can be set to Account or IP.

    1. Account: A locked ordinary account stays locked even if the user switches devices. After Lock Admin Account is enabled, the admin account can also be locked, and it likewise stays locked when devices are switched.

    2. IP: All accounts logging in from the current device to the current server are locked. These accounts can still log in to the platform from a different device.

    Unlocking

    1. Unlocking can be done automatically or manually.

    A locked user account is automatically unlocked after the configured lock time (for example, 60 minutes). You can also manually unlock the account by clicking the unlock icon, as shown in the following figure.

    [Figure: 4.png]

    2. Alternatively, the user can clear the locked status by clicking Forgot Password on the login page and resetting the password.

    3. The locked status can also be removed by the admin disabling the Login Lock function.

    Notes

    Platform Login Failure for All Users

    Problem:

    The Nginx reverse proxy is used in the project and Lock Object is set to IP. In this case, once the number of incorrect password attempts exceeds the configured limit, the account being logged in to is locked, and all users are unable to log in to the decision-making platform.

    Cause:

    With the Nginx reverse proxy in use, a login request first reaches the reverse proxy, which then forwards it to the FineReport project.

    The project therefore sees, and locks, the IP address of the server where Nginx runs rather than the user's own address, so all subsequent users (who share that proxy address) are unable to log in.

    Solution:

    Add a request header in Nginx that carries the user's real IP address, so that the FineReport project can obtain the user's real IP address instead of the proxy's.

    1. Single-Layer Nginx Proxy

    Edit the nginx.conf file and add the following code in the location module, as shown in the following figure.

    proxy_set_header X-Forwarded-For $remote_addr;

    [Figure: 5.png]

    2. Multi-Layer Nginx Proxy

    On the Nginx proxy server that can be directly accessed by the client, edit the nginx.conf file and add the following code in the location module, as shown in the following figure.

    proxy_set_header X-Forwarded-For $remote_addr;

    [Figure: 6.png]

    On the inner-layer Nginx proxy server, edit the nginx.conf file and add the following code in the location module, as shown in the following figure.

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    [Figure: 7.png]
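The following added example (not FineReport's or Nginx's own code) simulates why the IP lock behaves as described: it resolves the client address from X-Forwarded-For the way the two proxy_set_header lines above produce it (edge proxy sets the client IP, inner proxy appends its upstream), then counts failures per resolved address. The addresses, the trusted-proxy set and the 5-attempt limit are constructed assumptions.

```python
from collections import defaultdict

MAX_FAILURES = 5  # "If Password Error Reaches 5 Time(s)"

# Constructed addresses: two clients, the edge Nginx and the inner Nginx.
CLIENT, OTHER_USER = "203.0.113.9", "198.51.100.7"
EDGE_NGINX, INNER_NGINX = "10.0.0.2", "10.0.0.3"
TRUSTED_PROXIES = {EDGE_NGINX, INNER_NGINX}  # assumption: app knows its proxies


def client_ip(remote_addr, xff_header):
    """X-Forwarded-For reads "client, proxy1, ...". Walk the chain from the
    right, skipping proxies we trust; the first other address is the client.
    With no header at all, only remote_addr (the proxy's own IP) is known."""
    chain = [a.strip() for a in xff_header.split(",")] if xff_header else []
    chain.append(remote_addr)
    for addr in reversed(chain):
        if addr not in TRUSTED_PROXIES:
            return addr
    return chain[0]


class IpLoginLock:
    """Lock Object = IP: failed attempts are counted per resolved client IP."""

    def __init__(self):
        self.failures = defaultdict(int)

    def attempt(self, remote_addr, xff_header, password_ok):
        ip = client_ip(remote_addr, xff_header)
        if self.failures[ip] >= MAX_FAILURES:
            return "locked"
        if password_ok:
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] += 1
        return "locked" if self.failures[ip] >= MAX_FAILURES else "failed"


def forwarded(client, headers_configured):
    """What the project sees behind the two-layer proxy: remote_addr is the
    inner Nginx; X-Forwarded-For exists only if both directives are set."""
    xff = f"{client}, {EDGE_NGINX}" if headers_configured else ""
    return INNER_NGINX, xff


def other_user_outcome(headers_configured):
    """One client fails 5 times, then a different user logs in correctly."""
    lock = IpLoginLock()
    for _ in range(MAX_FAILURES):
        lock.attempt(*forwarded(CLIENT, headers_configured), password_ok=False)
    return lock.attempt(*forwarded(OTHER_USER, headers_configured), password_ok=True)
```

Without the headers every request resolves to the inner proxy's address, so the second user is locked out along with the first; with them, only the failing client's address is locked.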
