x-forwarded-for problems since 2.1

Cosimo Streppone cosimo at streppone.it
Tue Apr 13 09:09:54 CEST 2010


On Tue, 13 Apr 2010 08:42:58 +0200, Poul-Henning Kamp <phk at phk.freebsd.dk>  
wrote:

> In 2.1 we have moved X-F-F processing to the default VCL, you need
> to make sure you do not hit that code if you want to do your own
> X-F-F processing.

Good to know this before upgrading :)

> PS: I wonder if we should change the default.vcl to not touch an
> existing X-F-F header by default ?  Input from the list ?

One of the aspects of Varnish that I like the most
is that it tries to be as transparent as possible, so:

1) No XFF if no XFF comes from the "client"
2) XFF untouched if client sends one.

At that point, it would be nice to have some functions to
"massage" the X-Forwarded-For header before it hits the backends.
This could be useful if Varnish runs behind BigIP, for example
for transparent SSL processing.

We're probably going to try something like this in the near future.
I might have time to experiment with this.

Another solution we're thinking about is nginx listening on <public_ip>:443
and using localhost:6081 (local varnish instance) as "backend".

-- 
Cosimo
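
An added example, not part of the original message and not Varnish code: a Python model of one possible way to "massage" X-Forwarded-For when the cache sits behind a load balancer such as the BigIP mentioned above, and of how a backend can then pick the client address. The helper names, the trusted network ranges and all addresses are constructed assumptions, and the load balancer is assumed to append the address it saw.

```python
import ipaddress

# Assumption: the SSL-terminating load balancer lives in 10.0.0.0/24 and a
# local front end (e.g. nginx on the same host) connects from loopback.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24"),
                   ipaddress.ip_network("127.0.0.0/8")]


def is_trusted(addr):
    """True if addr parses as an IP inside one of our own proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # junk in the header is never trusted
    return any(ip in net for net in TRUSTED_PROXIES)


def massage_xff(incoming_xff, peer_ip):
    """Header value the cache forwards to the backend (hypothetical helper).

    An incoming header is kept only when the connecting peer is one of our
    proxies; a header sent by an arbitrary client is replaced, because the
    client controls every byte of it.
    """
    if incoming_xff and is_trusted(peer_ip):
        return f"{incoming_xff}, {peer_ip}"
    return peer_ip


def client_ip(xff):
    """Backend side: rightmost hop that is not one of our own proxies."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0] if hops else None  # request originated inside our network


if __name__ == "__main__":
    # Constructed requests: (X-Forwarded-For received, TCP peer address)
    for xff, peer in [("10.0.0.1", "203.0.113.9"),               # direct client
                      ("1.2.3.4, 198.51.100.7", "10.0.0.5"),     # via the LB
                      (None, "203.0.113.9")]:
        out = massage_xff(xff, peer)
        print(f"peer={peer:<12} in={xff!s:<24} out={out!r} client={client_ip(out)}")
```

Entries to the left of the one the backend picks are kept for logging only, since they were supplied by the client.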



