Change client.ip based on x-forwarded-for headers?
Robert Egglestone
r.egglestone at auckland.ac.nz
Tue Aug 6 00:13:29 CEST 2013
Hi Stephen,
The configuration from here can do that:
http://zcentric.com/tag/header/
C{
    #include <netinet/in.h>
    #include <string.h>
    #include <sys/socket.h>
    #include <arpa/inet.h>
}C

acl vpn {
    "192.168.0.0"/16;
}

sub vcl_recv {
    C{
        //
        // This is a hack from Igor Gariev (gariev hotmail com):
        // Copy IP address from "X-Forwarded-For" header
        // into Varnish's client_ip structure.
        // This works with Varnish 3.0.1; test with other versions
        //
        // Trusted "X-Forwarded-For" header is a must!
        // No commas are allowed. If your load balancer sends something other
        // than a single IP, then use a regsub() to fix it.
        //
        struct sockaddr_storage *client_ip_ss = VRT_r_client_ip(sp);
        // The cast below treats the client address as IPv4 (AF_INET).
        struct sockaddr_in *client_ip_si = (struct sockaddr_in *) client_ip_ss;
        struct in_addr *client_ip_ia = &(client_ip_si->sin_addr);
        // "\020" is the octal length (16) of "X-Forwarded-For:", colon included.
        char *xff_ip = VRT_GetHdr(sp, HDR_REQ, "\020X-Forwarded-For:");
        if (xff_ip != NULL) {
            // Copy the ip address into the struct's sin_addr.
            inet_pton(AF_INET, xff_ip, client_ip_ia);
        }
    }C

    if (client.ip ~ vpn) {
        # do something here
    }
    return(pass);
}
Kind regards,
Robert Egglestone | Application Engineering Team Lead | The University of Auckland
r.egglestone at auckland.ac.nz | ext: 84624 | m: +64 21 240 8992 | Level 2, 58 Symonds St, Auckland, NZ
On 6/08/2013, at 9:05 AM, Stephen Wood <smwood4 at gmail.com> wrote:
> Is there a way to change client.ip?
>
> For example, I would like to set up an ACL to block certain IPs, but since the instances are behind a load balancer the only thing I have to work with is the x-forwarded-for header. I've tried something like this:
>
> sub vcl_recv {
> if (req.http.X-Forwarded-For) {
> set client.ip = req.http.X-Forwarded-For;
> }
> }
>
> But of course that kind of thing doesn't compile.
>
> Can someone please advise me on this issue or the broader question about implementing ACLs via x-forwarded-for headers for those of us stuck behind another load balancer?
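Added example, not part of the original post or of Varnish: one way to reduce a comma-separated X-Forwarded-For value to the single trusted IPv4 address the hack above needs before it is copied into client.ip. The function names, the 10.0.0.0/8 proxy range and the sample addresses are assumptions made for illustration; it also assumes every proxy in front of Varnish appends the address of the peer it accepted, and that the direct peer is one of those proxies.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>

/* Assumption for this example: our own proxies sit in 10.0.0.0/8. */
static int is_trusted_proxy(struct in_addr a)
{
    return (ntohl(a.s_addr) & 0xFF000000u) == 0x0A000000u;
}

/*
 * Walk X-Forwarded-For from right to left and store the first address that
 * is not one of our own proxies. Everything to the left of it was supplied
 * by the client and is ignored. Returns 1 on success, 0 if the header is
 * missing, malformed or lists only trusted proxies; on 0 the caller should
 * leave client.ip untouched.
 */
int xff_client_ip(const char *xff, struct in_addr *out)
{
    char tok[INET_ADDRSTRLEN];
    const char *end, *start, *s, *e;
    struct in_addr addr;
    size_t len;

    if (xff == NULL)
        return 0;
    end = xff + strlen(xff);
    while (end > xff) {
        start = end;
        while (start > xff && start[-1] != ',')
            start--;
        /* Trim blanks around the entry: "a, b" is the usual format. */
        s = start; e = end;
        while (s < e && (*s == ' ' || *s == '\t')) s++;
        while (e > s && (e[-1] == ' ' || e[-1] == '\t')) e--;
        len = (size_t)(e - s);
        if (len == 0 || len >= sizeof tok)
            return 0;
        memcpy(tok, s, len);
        tok[len] = '\0';
        if (inet_pton(AF_INET, tok, &addr) != 1)
            return 0;                 /* malformed entry: fail closed */
        if (!is_trusted_proxy(addr)) {
            *out = addr;
            return 1;
        }
        end = (start > xff) ? start - 1 : xff;  /* step over the comma */
    }
    return 0;
}
```

With a constructed header such as "192.168.1.1, 203.0.113.7, 10.0.0.5" the result is 203.0.113.7, so a client-supplied leading entry inside the vpn ACL range does not end up in client.ip.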