Question

I am facing an issue where Varnish is not sending the intermediary proxy IP or public IP in a particular case. The scenario is as below:

  • Some Hotel / Company has squid proxy configured and all traffic for Internet is routed via Squid.

  • User accessing my company's site first hits the Load Balancer then Varnish & then Apache

  • Apache is configured with mod_geoip. The code on my site does the Country redirection based on the IP address.

Problem :

  • When a user (behind that Squid proxy) accesses my company's website behind Load Balancer -> Varnish -> Apache, Apache gets only the internal IP (his private IP) & the Load Balancer internal IP as X-Forwarded-For, and hence the IP-based redirection FAILS!

In Apache logs (configured to log X-Forwarded-IP) I see the user's private IP & then my Load Balancer's private IP.

172.10.5.10, LoadBalancerIP - - [.......]

  • When the same user accesses another site which does NOT have Varnish, he hits Load Balancer -> Apache. Here Apache gets the user's private IP & the user's public IP as X-Forwarded-For, and IP-based country redirection works fine.

In Apache logs (configured to log X-Forwarded-IP) I see that the user's private IP and then his public IP are also logged.

172.10.5.10, PublicIP - - [.......]

My Varnish Config is as below.

    if (req.restarts == 0) {
        if (req.http.x-forwarded-for) {
            set req.http.X-Forwarded-For =
                req.http.X-Forwarded-For + ", " + client.ip;
        } else {
            set req.http.X-Forwarded-For = client.ip;
        }
    }

PS: I've already Googled all links I could find and every link gives the following Varnish config.

For now, to get this issue resolved, I had to bypass Varnish, and now website traffic is directly hitting Apache, but I need to get Varnish back in place to serve content from cache for speedy delivery.

I will appreciate it if someone can guide me on how to resolve this issue.

Thanks!


Solution

The above mentioned issue has been resolved. Credit goes to Mithrandir @ Varnish IRC Channel. Thanks! Below mentioned changes were required to resolve the issue.

At the start of the default.vcl add :

    import std;

Below " if (req.http.x-forwarded-for) " add :

    std.collect(req.http.x-forwarded-for);

  • Do varnish configtest & reload. This should start showing the Public IP.

  • Below is the explanation from the documentation of vmod_std :

collect

   Prototype
          collect(HEADER header)

   Return value
          Void

   Description
          Collapses the header, joining the headers into one.

   Example
          std.collect(req.http.cookie); This will collapse several Cookie:
          headers into one, long cookie header.
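
Why the change works, as an added example (not code from the original post or from Varnish): a Python model that assumes, consistent with the logs in the question, that Varnish 3 reads only the first X-Forwarded-For line when a request carries several, while std.collect joins them first. The addresses and the geo_candidate helper are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges; addresses inside them cannot be geolocated.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def first_header(headers, name):
    """Value of the first header line called `name`, or None (assumed Varnish 3 read)."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None

def collect(headers, name):
    """Model of std.collect(): join every line called `name` into one, comma separated."""
    values = [v for k, v in headers if k.lower() == name.lower()]
    rest = [(k, v) for k, v in headers if k.lower() != name.lower()]
    return rest + ([(name, ", ".join(values))] if values else [])

def vcl_recv_xff(headers, client_ip, use_collect):
    """Model of the vcl_recv block above; returns the X-Forwarded-For sent to Apache."""
    name = "X-Forwarded-For"
    if use_collect:
        headers = collect(headers, name)
    seen = first_header(headers, name)
    # `set` replaces the header, so any line that was not read is dropped.
    return f"{seen}, {client_ip}" if seen else client_ip

def geo_candidate(xff):
    """Hypothetical helper: first address in the chain that is not RFC 1918."""
    for part in (p.strip() for p in xff.split(",")):
        ip = ipaddress.ip_address(part)
        if not any(ip in net for net in RFC1918):
            return part
    return None

# Constructed request as Varnish receives it: two separate X-Forwarded-For lines.
REQUEST = [("Host", "www.example.com"),
           ("X-Forwarded-For", "172.16.5.10"),   # added by Squid (user's private IP)
           ("X-Forwarded-For", "203.0.113.7")]   # added by the load balancer (public IP)
LB_IP = "10.0.0.5"  # client.ip as seen by Varnish (constructed)

if __name__ == "__main__":
    for flag in (False, True):
        xff = vcl_recv_xff(REQUEST, LB_IP, flag)
        print(f"collect={flag}: {xff!r} -> geo lookup on {geo_candidate(xff)}")
```

Entries to the left of the one your own load balancer appended are supplied by the client side, so the address chosen this way is suitable as a redirection hint, not as an authenticated source address.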

OTHER TIPS

In Varnish 4 this is not needed anymore, see upgrade info here

Licensed under: CC-BY-SA with attribution