varnishlog client IP problem via Apache SSL reverse proxy

Guillaume Quintard guillaume at varnish-software.com
Tue Aug 15 13:57:19 CEST 2017


So, if I understood, that's Apache in front of Varnish, not the other way
around. But let's not get lost on semantics.

Varnish fanboy version: drop Apache, and use Hitch (http://hitch-tls.org/)
to handle SSL/TLS. That only works if Apache is only there for SSL
termination and not for other tasks not performed by Varnish (if so, which
ones?)
With it you can just test the server port used (std.port(server.ip) == 443)
to determine you are using https.

Apache clean version: use the PROXY protocol. Not sure Apache is able to do
it, haven't looked. That way, apache can behave like hitch and you don't
lose the client.ip info.

Apache dirty version: use the X-Forwarded-For header to tell Varnish who
sent the request, then use vmod_std to convert that string to an IP. Ugly,
but works.



-- 
Guillaume Quintard

On Tue, Aug 15, 2017 at 11:39 AM, Admin Beckspaced <admin at beckspaced.com>
wrote:

> Hello there ;)
>
> I'm running varnish in front of my apache on port 80 without any issues so
> far.
>
> Recently I decided to also use varnish for SSL connections
>
> To do so I first do an HTTP to HTTPS redirect within Varnish VCL
>
> if ( req.http.X-Forwarded-Proto !~ "(?i)https" ) {
>     return (synth(750, ""));
> }
>
> then in vcl_synth()
>
> sub vcl_synth {
>
>             if (resp.status == 750) {
>                 set resp.status = 301;
>                 set resp.http.Location = "https://" + req.http.host +
> req.url;
>                 return(deliver);
>             }
> }
>
> This works fine and all HTTP gets redirected to HTTPS
>
> Then on port 443 I got apache listening as a reverse proxy with the
> following config:
>
> <VirtualHost *:443>
>
>     ServerName somedomain.com
>     ServerAlias *.somedomain.org
>
>     SSLEngine on
>
>     ... ssl cert stuff here ...
>     ProxyPreserveHost On
>     ProxyPass / http://127.0.0.1:80/
>     ProxyPassReverse / http://127.0.0.1:80/
>     RequestHeader set X-Forwarded-Port "443"
>     RequestHeader set X-Forwarded-Proto "https"
>
> </VirtualHost>
>
> Also this works perfectly fine! Apache does the SSL termination and then
> reverse proxies everything back to varnish on port 80
>
> If I have a look in the apache ssl log:
>
> [15/Aug/2017:02:03:41 +0200] 35.190.201.122 TLSv1.2
> ECDHE-RSA-AES128-GCM-SHA256 "GET /feed/ HTTP/1.1" -
> "http://domain.org/feed/" "Go-http-client/1.1"
> [15/Aug/2017:02:03:41 +0200] 35.190.201.122 TLSv1.2
> ECDHE-RSA-AES128-GCM-SHA256 "GET /feed HTTP/1.1" 10513
> "https://domain.org/feed/" "Go-http-client/1.1"
>
> If I look in the varnishlog I see the following:
>
> domain.org 35.190.201.122 - - [15/Aug/2017:02:03:41 +0200] "GET
> http://domain.org/feed/ HTTP/1.1" 301 0 "-" "Go-http-client/1.1"
> domain.org 127.0.0.1 - - [15/Aug/2017:02:03:41 +0200] "GET
> http://domain.org/feed/ HTTP/1.1" 301 0 "http://domain.org/feed/"
> "Go-http-client/1.1"
> domain.org 127.0.0.1 - - [15/Aug/2017:02:03:41 +0200] "GET
> http://domain.org/feed HTTP/1.1" 200 10513 "https://domain.org/feed/"
> "Go-http-client/1.1"
>
> But in the process of Varnish -> Redirect http to https -> Apache Reverse
> Proxy -> Varnish I lose the client IP address in varnishlog.
> It just says 127.0.0.1.
>
> How can I forward the client IP to varnishlog in this process?
>
> I need to have the client IP in varnishlog as I use those to generate
> statistics about the website.
>
> any help, hints or insights would be awesome ;)
>
> Thanks & greetings
> Becki
>
>
> --
> Beckspaced - Server Administration
> ------------------------------------------------
> Ralf Flederer
> Marienplatz 9
> 97353 Wiesentheid
> Tel.: 09383-9033825
> Mobil: 01577-7258912
> Internet: www.beckspaced.com
> ------------------------------------------------
>
>
> _______________________________________________
> varnish-misc mailing list
> varnish-misc at varnish-cache.org
> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
>
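Worked example of Guillaume's "dirty version" (added here; it is not code from the thread or from the Varnish project). In this setup port 80 receives both direct clients and the requests Apache proxies back after TLS termination, so X-Forwarded-For and X-Forwarded-Proto may only be trusted when the connection comes from the local Apache; otherwise any client on port 80 could forge X-Forwarded-For to poison the statistics, or send "X-Forwarded-Proto: https" to skip the redirect. The backend port (8080), the ACL names, the X-Client-IP header name and the purgers network are assumptions for illustration:

```vcl
vcl 4.0;

import std;

# Assumption: the real web server behind Varnish, i.e. Apache's plain-HTTP
# vhost, not the port-443 TLS terminator that proxies back to Varnish.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

# Only the local Apache TLS terminator may tell Varnish who the client is.
acl trusted_proxies {
    "127.0.0.1";
    "::1";
}

# Example consumer of the converted IP (assumed network).
acl purgers {
    "192.0.2.0"/24;
}

sub vcl_recv {
    if (client.ip ~ trusted_proxies) {
        if (req.http.X-Forwarded-For) {
            # Came through Apache on :443. mod_proxy appends the address it saw
            # to X-Forwarded-For, and Varnish appends client.ip too (builtin
            # vcl_recv on 4.x, before vcl_recv on later versions), so strip any
            # trailing loopback entries and keep the last remaining one.
            set req.http.X-Client-IP = regsub(req.http.X-Forwarded-For,
                "(\s*,\s*(127\.0\.0\.1|::1))+\s*$", "");
            set req.http.X-Client-IP = regsub(req.http.X-Client-IP,
                "^.*,\s*", "");
        } else {
            # Proxy did not add the header: fall back rather than loop.
            set req.http.X-Client-IP = client.ip;
        }
    } else {
        # Direct connection on :80. Whatever X-Forwarded-* the client sent is
        # attacker-controlled, so overwrite it: only Apache may claim "https".
        set req.http.X-Client-IP = client.ip;
        set req.http.X-Forwarded-Proto = "http";
    }

    # Same redirect scheme as in the thread, now using a trustworthy header.
    if (req.http.X-Forwarded-Proto != "https") {
        return (synth(750, ""));
    }

    # vmod_std turns the string into an IP usable in ACL matches; the fallback
    # makes an unparsable value fail closed instead of aborting the request.
    if (req.method == "PURGE") {
        if (std.ip(req.http.X-Client-IP, "0.0.0.0") !~ purgers) {
            return (synth(405, "Not allowed"));
        }
        return (purge);
    }
}

sub vcl_synth {
    if (resp.status == 750) {
        set resp.status = 301;
        set resp.http.Location = "https://" + req.http.host + req.url;
        return (deliver);
    }
}
```

client.ip itself cannot be reassigned, so the log statistics have to read the header instead: varnishncsa can print any request header with %{name}i, e.g. varnishncsa -F '%{X-Client-IP}i %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"', which gives the same NCSA layout as the lines quoted above but with the address Apache saw instead of 127.0.0.1. Requests that arrive directly on port 80 still log client.ip, because for them the header is set from client.ip and never from anything the client sent.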