Drupal and mollom

by John McGeechan

Drupal and mollom - or why users may not be able to register on your site and you would never know it


We currently run drupal on a single code base over multiple domains (via domain module suite). Just recently we had reports that some users could not register on some of the domains as they could not answer the Mollom captcha correctly


Users reported that despite trying many times they kept on failing the mollom captcha check when trying to register even when they knew that the text they entered was correct. This seemed odd,  when we tested the same functionality (but on the main domain), registration was not an issue. Also, we did not have this problem several months previously

On checking the mollom logging in watchdog (all mollom activity is logged), we noticed that the "authorIp"'s were all the same for the failed CAPTCHA's. That was our first clue. As stated earlier, we have just a single code base running multiple domains and for some domains, Mollom verification ran as expected. 


A few months earlier we added a varnish reverse proxy installed on to speed up pages for anon users. Unless you state otherwise, Drupal will use the IP address of the reverse proxy rather than the originating IP. To complicate things further, we set up a seperate proxy for each domain (to nudge SEO via seperate IP's ). This meant that every captcha attempt on the site passed through to the Mollom servers the IP of the proxy, that IP was treated as the source of the request.

Mollom will over time flag IP's that continually fail CAPTCHA checks, so that robots/spammers etc will eventually fail on any captcha call to Mollom. Over time as more robots hit our sites, some but not all of our proxy servers were flagged by Mollom and hence the capture checks failed, due to their origin rather than through an invalid captcha response.

Drupal already has a solution available, simply inform Drupal in settings.php that a reverse proxy is in use and list the proxy(s). In this way the original IP will be passed through to Mollom rather than the IP of the proxy

$conf['reverse_proxy_addresses'] = array('xx.xx.xx.xx','xx.xx.xx.xx');
$conf['reverse_proxy'] = true;