varnishlog client IP problem via Apache SSL reverse proxy
Admin Beckspaced
admin at beckspaced.com
Tue Aug 15 11:39:09 CEST 2017
Hello there ;)
I'm running varnish in front of my apache on port 80 without any issues
so far.
Recently I decided to also use varnish for SSL connections.
To do so I first do an http to https redirect within varnish VCL:
    if ( req.http.X-Forwarded-Proto !~ "(?i)https" ) {
        return (synth(750, ""));
    }

then in vcl_synth():

    sub vcl_synth {
        if (resp.status == 750) {
            set resp.status = 301;
            set resp.http.Location = "https://" + req.http.host + req.url;
            return(deliver);
        }
    }
This works fine and all http got redirected to https.
Then on port 443 I got apache listening as a reverse proxy with the
following config:
    <VirtualHost *:443>
        ServerName somedomain.com
        ServerAlias *.somedomain.org
        SSLEngine on
        ... ssl cert stuff here ...
        ProxyPreserveHost On
        ProxyPass / http://127.0.0.1:80/
        ProxyPassReverse / http://127.0.0.1:80/
        RequestHeader set X-Forwarded-Port "443"
        RequestHeader set X-Forwarded-Proto "https"
    </VirtualHost>
Also this works perfectly fine! Apache does the SSL termination and then
reverse proxies everything back to varnish on port 80
If I have a look in the apache ssl log:
[15/Aug/2017:02:03:41 +0200] 35.190.201.122 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /feed/ HTTP/1.1" - "http://domain.org/feed/" "Go-http-client/1.1"
[15/Aug/2017:02:03:41 +0200] 35.190.201.122 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /feed HTTP/1.1" 10513 "https://domain.org/feed/" "Go-http-client/1.1"
If I look in the varnishlog I see the following:
domain.org 35.190.201.122 - - [15/Aug/2017:02:03:41 +0200] "GET http://domain.org/feed/ HTTP/1.1" 301 0 "-" "Go-http-client/1.1"
domain.org 127.0.0.1 - - [15/Aug/2017:02:03:41 +0200] "GET http://domain.org/feed/ HTTP/1.1" 301 0 "http://domain.org/feed/" "Go-http-client/1.1"
domain.org 127.0.0.1 - - [15/Aug/2017:02:03:41 +0200] "GET http://domain.org/feed HTTP/1.1" 200 10513 "https://domain.org/feed/" "Go-http-client/1.1"
But in the process of Varnish -> Redirect http to https -> Apache
Reverse Proxy -> Varnish I lose the client IP address in varnishlog.
It just says 127.0.0.1
How can I forward the client IP to varnishlog in this process?
I need to have the client IP in varnishlog as I use those to generate
statistics about the website.
any help, hints or insights would be awesome ;)
Thanks & greetings
Becki
--
Beckspaced - Server Administration
------------------------------------------------
Ralf Flederer
Marienplatz 9
97353 Wiesentheid
Tel.: 09383-9033825
Mobil: 01577-7258912
Internet: www.beckspaced.com
------------------------------------------------
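
Added example (not part of the original post): in the setup above every request that arrives through Apache has the peer address 127.0.0.1, and Apache's mod_proxy passes the original address along in X-Forwarded-For, so a statistics script has to decide when that header may be believed. The sketch below picks the address to log by trusting the header only when the peer is the local proxy. It assumes the header value is logged next to the peer address; the function names and the sample pairs are constructed for illustration.

```python
import ipaddress

# Assumption: only the local Apache TLS terminator may speak for clients.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]

def is_trusted(addr):
    """True if addr (an ip_address object) is one of the trusted proxies."""
    return any(addr in net for net in TRUSTED_PROXIES)

def effective_client_ip(peer, xff):
    """Return the address to log for one request.

    peer: TCP peer address as seen by Varnish (client.ip)
    xff:  raw X-Forwarded-For header value, or None
    """
    peer_ip = ipaddress.ip_address(peer)
    # A request that did not come through the proxy can carry any
    # X-Forwarded-For it likes, so the header is ignored entirely.
    if not is_trusted(peer_ip) or not xff:
        return str(peer_ip)
    # Walk the chain right to left: a trusted hop vouches only for the
    # entry it appended, so stop at the first untrusted address.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: nothing to its left is reliable
        if not is_trusted(hop_ip):
            return str(hop_ip)
    return str(peer_ip)

# Constructed samples: (peer, X-Forwarded-For) pairs modelled on the post.
SAMPLES = [
    ("35.190.201.122", None),                    # plain HTTP hit on port 80
    ("127.0.0.1", "35.190.201.122"),             # proxied by Apache on 443
    ("127.0.0.1", "35.190.201.122, 127.0.0.1"),  # proxy hop appended as well
    ("127.0.0.1", "10.9.8.7, 35.190.201.122"),   # client sent a forged entry
    ("35.190.201.122", "10.9.8.7"),              # forged header on a direct hit
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(peer, repr(xff), "->", effective_client_ip(peer, xff))
```

All five constructed samples resolve to 35.190.201.122, including the two where the client supplied its own X-Forwarded-For entry.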