I have a couple of theories about what might be going on with the CAPTCHAs. Specifically, before, our setup looked like:
Internet -> phpBB forum
Now it looks like:
Internet -> nginx reverse proxy -> phpBB forum
The problem is that the phpBB software no longer sees Internet IP addresses, but now only sees the internal IP address of the nginx proxy. Usually, this should just work transparently, because nginx sets an X-Forwarded-For header with the real IP address, which phpBB is supposed to look at. But for whatever reason, I think phpBB normally ignores this. So this means that phpBB thinks that all users of the site come from the same IP address, which is probably why it's accusing random people of too many failed logins—all failed logins seem to come from nginx.
When I have a moment, I need to Google this issue and fix either our phpBB install or possibly our nginx reverse proxy configuration to get X-Forwarded-For working again. Unfortunately, it's crunch time at work, and I'm pretty busy right now.
If somebody technical has some time to look into this, or even send a pull request, I'd be massively grateful. If not, I'll try to get to it as soon as I can.
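Added example, not part of the original post and not phpBB or nginx code: a Python sketch of the failure described above, counting failed logins per address first by the TCP peer and then by an X-Forwarded-For value that is honoured only when the peer is the known proxy. The proxy address 10.0.0.5, the function names and the sample requests are assumptions constructed for illustration, and the proxy is assumed to append the connecting address to any incoming header.

```python
import ipaddress
from collections import Counter

# Assumption: the nginx proxy's internal address (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, xff=None):
    """Return the address a request should be attributed to.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    otherwise any client could forge it. Walk the list right to left and
    return the first hop that is not one of our own proxies.
    """
    if not xff or not is_trusted(remote_addr):
        return remote_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed entry: stop trusting the header
    return remote_addr

def failed_logins(requests, use_xff):
    """Count failed logins per attributed address."""
    counts = Counter()
    for remote_addr, xff in requests:
        counts[client_ip(remote_addr, xff) if use_xff else remote_addr] += 1
    return counts

# Constructed sample: (address the application sees, X-Forwarded-For header)
SAMPLE = [
    ("10.0.0.5", "198.51.100.7"),
    ("10.0.0.5", "203.0.113.20"),
    ("10.0.0.5", "192.0.2.44"),
    ("10.0.0.5", "1.2.3.4, 198.51.100.7"),  # client-sent prefix, proxy appended peer
    ("203.0.113.99", "198.51.100.7"),       # direct request with a forged header
]

if __name__ == "__main__":
    print(failed_logins(SAMPLE, use_xff=False))  # everything piles onto the proxy
    print(failed_logins(SAMPLE, use_xff=True))   # failures split per real client
```

Keyed on the peer address, four unrelated failures land on the proxy and would trip a per-IP lockout for everyone; keyed on the trusted header, they separate, and the forged header on the direct request is ignored.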