Varnish Proxy protocol and CloudFlare.
Jan Hugo Prins | BetterBe
jprins at betterbe.com
Sat Apr 8 18:00:31 CEST 2017
Ok. When using strictly IPv4 my setup works just fine.
Looks like this is an IPv6 only problem.
Jan Hugo
On 04/08/2017 05:14 PM, Jan Hugo Prins | BetterBe wrote:
> Hi,
>
> I have the following test setup running at the moment:
>
> Cloudflare -> HaProxy --> Varnish -> Haproxy -> Backend
> application.
> |-------------------------------------------------|
> |---------------------------------|
>
> CDN API
>
> Between the first HaProxy, Varnish and the second HaProxy I use the
> proxy protocol to make sure that the requests that enter my
> environment using the CDN are restricted using the same IP whitelist
> rules as they would when accessing directly using the API. To get the
> external IP into the request information and the proxy protocol I have
> the following configuration in my first haproxy config:
>
> acl FROM_CLOUDFLARE req.hdr(CF-Connecting-IP) -m found
> http-request set-src hdr(CF-Connecting-IP) if FROM_CLOUDFLARE
>
> Normal users connect to the API from the outside world and we use IP
> whitelists to allow certain people access to this API.
> I'm trying to setup an CDN in front of my application and to build
> this I use CloudFlare, HaProxy (SSL Termination and some minimal
> rewrites) and Varnish (to offload requests from my backend application)
>
> This all works fine so far, but today I noticed that access using the
> CDN is not restricted enough and I found out that it looks like the
> connection between Varnish and my API is not using the proxy protocol,
> or at least the information that should be available from the
> CF-Connecting-IP is not visible in the HaProxy on the API backend. The
> result is that all requests that enter the environment using the CDN
> seem to be coming from the Varnish hosts instead of the external world.
>
> My backend configuration in Varnish config looks like this:
>
> import directors; # load the directors
>
> backend blsproxy01 {
> .host = "95.130.232.181";
> .port = "81";
> .proxy_header = 2;
> .probe = {
> .request =
> "GET /haproxy_test HTTP/1.1"
> "Host: leaseservices.eu"
> "Connection: close";
> }
> }
>
> backend blsproxy02 {
> .host = "95.130.232.182";
> .port = "81";
> .proxy_header = 2;
> .probe = {
> .request =
> "GET /haproxy_test HTTP/1.1"
> "Host: leaseservices.eu"
> "Connection: close";
> }
> }
>
>
> backend blsproxy03 {
> .host = "95.130.232.183";
> .port = "81";
> .proxy_header = 2;
> .probe = {
> .request =
> "GET /haproxy_test HTTP/1.1"
> "Host: leaseservices.eu"
> "Connection: close";
> }
> }
>
> sub vcl_init {
> # new blsproxy = directors.round_robin();
> new blsproxy = directors.random();
> blsproxy.add_backend(blsproxy01,10);
> blsproxy.add_backend(blsproxy02,10);
> blsproxy.add_backend(blsproxy03,10);
> }
>
> I upgraded to Varnish 5.1 a little while back and I think the problem
> might have started at that time, but I'm not sure at the moment. It's
> all a test setup, so this was only noticed because I was doing some
> tests from my home where my home should not be able to request any CDN
> content at the moment.
>
>
>
> --
> Kind regards
>
> Jan Hugo Prins
> /DevOps Engineer/
> <https://betterbe.com>
> Auke Vleerstraat 140 E
> 7547 AN Enschede
> CC no. 08097527
> <https://www.kvk.nl/orderstraat/product-kiezen/?kvknummer=080975270000>
> *T* +31 (0) 53 48 00 694 <tel:+31534800694>
> *E* jprins at betterbe.com <mailto:jprins at betterbe.com>
> *M* +31 (0)6 263 58 951 <tel:+31%20%280%296%20263%2058%20951>
> www.betterbe.com <https://www.betterbe.com>
> BetterBe accepts no liability for the content of this email, or for
> the consequences of any actions taken on the basis
> of the information provided, unless that information is subsequently
> confirmed in writing. If you are not the intended
> recipient you are notified that disclosing, copying, distributing or
> taking any action in reliance on the contents of this
> information is strictly prohibited.
>
>
>
> _______________________________________________
> varnish-misc mailing list
> varnish-misc at varnish-cache.org
> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
--
Kind regards
Jan Hugo Prins
/DevOps Engineer/
<https://betterbe.com>
Auke Vleerstraat 140 E
7547 AN Enschede
CC no. 08097527
<https://www.kvk.nl/orderstraat/product-kiezen/?kvknummer=080975270000>
*T* +31 (0) 53 48 00 694 <tel:+31534800694>
*E* jprins at betterbe.com <mailto:jprins at betterbe.com>
*M* +31 (0)6 263 58 951 <tel:+31%20%280%296%20263%2058%20951>
www.betterbe.com <https://www.betterbe.com>
BetterBe accepts no liability for the content of this email, or for the
consequences of any actions taken on the basis
of the information provided, unless that information is subsequently
confirmed in writing. If you are not the intended
recipient you are notified that disclosing, copying, distributing or
taking any action in reliance on the contents of this
information is strictly prohibited.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-misc/attachments/20170408/95b16258/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 13988 bytes
Desc: not available
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-misc/attachments/20170408/95b16258/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jllmnmplkkgafcje.png
Type: image/png
Size: 13988 bytes
Desc: not available
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-misc/attachments/20170408/95b16258/attachment-0003.png>
More information about the varnish-misc
mailing list