Firewall configuration ---> Lists --> My current IP is always 127.0.0.2 but the real problem is that this address is attribuited to each and every attacker on the Log of the Firewall.
Result: when someone attack my website nobody can access to back/frontend and it results blocked for the number of seconds specified into the dynamic list settings.
More, I can't modify any voice in the LIST settings (Dynamic list y/n - time of blocking) because I've ERROR 406 on saving.
I changed the method to determine offensive IP avoiding proxies; now is more secure. In cases like yours you can change this behaviour from Configuration -> Global Configuration -> Tuning tab -> Avoid proxies.
Regarding to the 406 error, I have never seen that http error code... 406 happens when the server cannot respond with the accept-header specified in the request. In your case it seems application/json for the response may not be acceptable to the server. Can you ask to your hosting provider about this?
I had this problems after upgrading from 2.8.20, in that version I had no problem at all.
Regarding your suggestions, I set the "avoid proxies" check to NO, but my current IP shown is always 127.0.0.2, that's wrong! So I think the problem is not solved.
About the 406 Error (Error in http request) version 2.8.20 gave me no error at all! It worked fine.
Thank you for your fastness in supporting my problems.
It's really odd the firewall returns that IP; it belongs to the loopback and for some reason it's returned by your server on every query. The odd thing is that it's also send in http headers... Is your site behind a proxy/cdn?
I have always sent the info of firewall Configuration into json format, so I have not changed anything. Maybe there is a server directive or an htacess setting avoiding this kind of traffic. What I mean is that 406 is a server response; I can't do nothing to avoid this.