Varnish Proxy protocol and CloudFlare.

Jan Hugo Prins | BetterBe jprins at betterbe.com
Sat Apr 8 17:14:55 CEST 2017


Hi,

I have the following test setup running at the moment:

Cloudflare  ->  HaProxy  -->  Varnish  ->  Haproxy  ->  Backend application.
|-------------------------------------------------| 
|---------------------------------|
                 CDN                                                    API

Between the first HaProxy, Varnish and the second HaProxy I use the
proxy protocol to make sure that the requests that enter my environment
using the CDN are restricted using the same IP whitelist rules as they
would when accessing directly using the API. To get the external IP into
the request information and the proxy protocol I have the following
configuration in my first haproxy config:

  # Cloudflare puts the real client address in CF-Connecting-IP
  acl FROM_CLOUDFLARE req.hdr(CF-Connecting-IP) -m found
  # replace the connection's source address (the Cloudflare edge) with that client IP
  http-request set-src hdr(CF-Connecting-IP) if FROM_CLOUDFLARE
Normal users connect to the API from the outside world and we use IP
whitelists to allow certain people access to this API.
I'm trying to set up a CDN in front of my application, and to build this
I use CloudFlare, HaProxy (SSL termination and some minimal rewrites)
and Varnish (to offload requests from my backend application).

This all works fine so far, but today I noticed that access using the
CDN is not restricted enough and I found out that it looks like the
connection between Varnish and my API is not using the proxy protocol,
or at least the information that should be available from the
CF-Connecting-IP is not visible in the HaProxy on the API backend. The
result is that all requests that enter the environment using the CDN
seem to be coming from the Varnish hosts instead of the external world.

My backend configuration in Varnish config looks like this:

import directors;    # load the directors

# Each backend is one of the API-side HaProxy instances.
# .proxy_header = 2 makes Varnish prepend a PROXY protocol v2 header
# to every connection it opens to that backend.
backend blsproxy01 {
    .host = "95.130.232.181";
    .port = "81";
    .proxy_header = 2;
    .probe = {
        # one string per request line; Varnish inserts CRLF after each
        .request =
            "GET /haproxy_test HTTP/1.1"
            "Host: leaseservices.eu"
            "Connection: close";
    }
}

backend blsproxy02 {
    .host = "95.130.232.182";
    .port = "81";
    .proxy_header = 2;
    .probe = {
        .request =
            "GET /haproxy_test HTTP/1.1"
            "Host: leaseservices.eu"
            "Connection: close";
    }
}

backend blsproxy03 {
    .host = "95.130.232.183";
    .port = "81";
    .proxy_header = 2;
    .probe = {
        .request =
            "GET /haproxy_test HTTP/1.1"
            "Host: leaseservices.eu"
            "Connection: close";
    }
}

sub vcl_init {
    # new blsproxy = directors.round_robin();
    # random director; all three backends get the same weight
    new blsproxy = directors.random();
    blsproxy.add_backend(blsproxy01, 10);
    blsproxy.add_backend(blsproxy02, 10);
    blsproxy.add_backend(blsproxy03, 10);
}

I upgraded to Varnish 5.1 a little while back and I think the problem
might have started at that time, but I'm not sure at the moment. It's
all a test setup, so this was only noticed because I was doing some
tests from my home where my home should not be able to request any CDN
content at the moment.


-- 
Kind regards

Jan Hugo Prins
/DevOps Engineer/
<https://betterbe.com>
Auke Vleerstraat 140 E
7547 AN Enschede
CC no. 08097527
<https://www.kvk.nl/orderstraat/product-kiezen/?kvknummer=080975270000>
T +31 (0) 53 48 00 694
E jprins at betterbe.com
M +31 (0)6 263 58 951
www.betterbe.com <https://www.betterbe.com>
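As an added diagnostic example (not from the original post or from the Varnish project): a small parser for the PROXY protocol v1 and v2 headers, so the first bytes Varnish sends to the API-side HaProxy (taken from a packet capture on port 81) can be checked for whether a PROXY header is present and which source address it carries. The client address 203.0.113.10 and the request bytes are constructed; 95.130.232.181:81 is the backend from the VCL above.

```python
import ipaddress
import struct

# PROXY protocol v2 binary signature, as defined in the HAProxy PROXY protocol spec.
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


def parse_proxy_header(data: bytes):
    """Describe the PROXY header at the start of a backend connection: a dict
    (version, command, src, dst, ports, payload) or None when there is no PROXY
    header, i.e. the backend will only ever see the Varnish host's IP."""
    if data.startswith(V2_SIGNATURE):                      # v2, what .proxy_header = 2 sends
        ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
        if ver_cmd >> 4 != 2:
            raise ValueError("bad PROXY v2 version nibble")
        hdr = {"version": 2, "command": "PROXY" if ver_cmd & 0x0F == 1 else "LOCAL"}
        addr = data[16:16 + length]
        if fam_proto == 0x11 and length >= 12:              # TCP over IPv4
            src, dst, sport, dport = struct.unpack("!4s4sHH", addr[:12])
            hdr.update(src=str(ipaddress.IPv4Address(src)), dst=str(ipaddress.IPv4Address(dst)),
                       src_port=sport, dst_port=dport)
        elif fam_proto == 0x21 and length >= 36:            # TCP over IPv6
            src, dst, sport, dport = struct.unpack("!16s16sHH", addr[:36])
            hdr.update(src=str(ipaddress.IPv6Address(src)), dst=str(ipaddress.IPv6Address(dst)),
                       src_port=sport, dst_port=dport)
        hdr["payload"] = data[16 + length:]
        return hdr
    if data.startswith(b"PROXY "):                          # v1 text form (.proxy_header = 1)
        line, _, rest = data.partition(b"\r\n")
        fields = line.decode("ascii").split(" ")
        if len(fields) != 6:
            raise ValueError("malformed PROXY v1 line")
        return {"version": 1, "command": "PROXY", "src": fields[2], "dst": fields[3],
                "src_port": int(fields[4]), "dst_port": int(fields[5]), "payload": rest}
    return None                                             # plain HTTP: no PROXY header at all


def build_v2_ipv4(src, sport, dst, dport, payload=b""):
    """Build a v2 IPv4 PROXY header; used here only to construct sample input."""
    addr = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    addr += struct.pack("!HH", sport, dport)
    return V2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(addr)) + addr + payload


# Constructed samples: what the API-side HaProxy on 95.130.232.181:81 should see
# for a CDN client at 203.0.113.10 (documentation address), and the broken case.
SAMPLE_WITH_HEADER = build_v2_ipv4("203.0.113.10", 51234, "95.130.232.181", 81,
                                   b"GET /haproxy_test HTTP/1.1\r\n")
SAMPLE_NO_HEADER = b"GET /haproxy_test HTTP/1.1\r\nHost: leaseservices.eu\r\n\r\n"
```

If the captured bytes parse to None, the PROXY header is simply not being sent; if they parse but `src` is the Varnish host rather than the client, the address is lost earlier in the chain.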
