X-Forwarded-For where?

James Pearson james at ifixit.com
Wed Sep 3 21:26:00 CEST 2014


Excerpts from Hernán Marsili's message of 2014-09-02 18:25:23 -0700:
> Hi, I need to obtain the real IP of the client, not the IP of the CDN
> service.
> 
> I found an example with this in vcl_recv. Others with similar code on
> vcl_miss and similar code on vcl_deliver.
> 
> remove req.http.X-Forwarded-For;
> set req.http.X-Forwarded-For = req.http.rlnclientipaddr;
> 
> I tried them all, all of them work. But, which is the most efficient way? :)

vcl_recv, vcl_miss, and vcl_deliver are called in different circumstances, so
you want the one that is correct, not the most efficient.

You probably shouldn't munge X-Forwarded-For like that, as you're discarding
useful information.  If the rlnclientipaddr header contains what you want, then
why don't you just access that directly in your application?

Here's what we are using, called from vcl_recv:

sub parse_x_forwarded_for {
   set req.http.ClientIp = client.ip;

   # When coming from the ssl terminator, set ClientIp to something useful.
   if (client.ip == "127.0.0.1") {
      # Parse out the actual client IP from X-Forwarded-For.  It's useful to have
      # this information without doing string-matching each time.
      if (req.http.X-Forwarded-For ~ ",") {
         set req.http.ClientIp = regsub(req.http.X-Forwarded-For,
          "^.*?([^,\s]+)$", "\1");
      } else if (req.http.X-Forwarded-For) {
         set req.http.ClientIp = req.http.X-Forwarded-For;
      }

      # Set X-Forwarded-For cause that's what a proxy is supposed to do.
      if (req.restarts == 0) {
         if (req.http.X-Forwarded-For) {
            set req.http.X-Forwarded-For =
             req.http.X-Forwarded-For + ", " + client.ip;
         } else {
            set req.http.X-Forwarded-For = client.ip;
         }
      }
   }
}

We were using vmod_ipcast to actually set client.ip (so we could use it with
ACLs), but ran into a problem (
https://github.com/lkarsten/libvmod-ipcast/issues/4 ) and haven't had a chance
yet to test the fix.

HTH.
 - P
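
Added example, not part of the original message and not iFixit's code: the same selection rule as the VCL sub above (use the peer address unless the peer is our own proxy, then take the right-most X-Forwarded-For entry), generalized to a chain of several trusted hops. The 10.0.0.0/8 network, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumption: networks of proxies we operate. The VCL above trusts only 127.0.0.1.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "10.0.0.0/8")]


def parse_ip(text):
    """Return an ip_address object, or None if text is not a valid IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted(addr):
    ip = parse_ip(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, xff_header):
    """peer_ip is the TCP peer (client.ip in VCL); xff_header is the raw header or None."""
    # An untrusted peer can put anything in the header, so ignore it entirely.
    if not is_trusted(peer_ip):
        return peer_ip
    hops = [h for h in (xff_header or "").split(",") if h.strip()]
    candidate = peer_ip
    # Walk right to left: right-most entries were appended by our own proxies.
    # Stop at the first entry that is not ours, or at a malformed entry.
    for hop in reversed(hops):
        ip = parse_ip(hop)
        if ip is None:
            break
        candidate = str(ip)
        if not is_trusted(candidate):
            break
    return candidate


def forwarded_for(peer_ip, xff_header):
    """Header to send upstream: append the peer, keep the existing chain."""
    return f"{xff_header}, {peer_ip}" if xff_header else peer_ip


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For header)
    for peer, xff in [("127.0.0.1", "1.2.3.4, 203.0.113.7"),
                      ("198.51.100.9", "1.2.3.4"),
                      ("127.0.0.1", "203.0.113.7, 10.0.0.5")]:
        print(peer, "|", xff, "->", client_ip(peer, xff), "|", forwarded_for(peer, xff))
```

Entries to the left of the first untrusted hop are client-supplied and are kept in the forwarded header for logging only, never used for access decisions.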