varnishlog client IP problem via Apache SSL reverse proxy

Jan Hugo Prins | BetterBe jprins at betterbe.com
Tue Aug 15 22:04:23 CEST 2017


I would not do it like that.
Better is to use something like Hitch or HaProxy (my preference) and put
that in front of Varnish.
Then HaProxy / Hitch can terminate all SSL traffic, and HaProxy can also
do your redirect to SSL if needed.
Then in Varnish you use the Apache server as a backend and let it only
serve what it needs to serve.
Use the ProxyProtocol to send the client information from HaProxy to
Varnish.
In Varnish you need to put the client IP into the X-Forwarded-For header.
In Apache you can then use this header to have the real client IP address.

This way you have the real client IP information on all layers.

Jan Hugo Prins
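The VCL below is an added example, not code from either poster. It assumes the setup quoted further down (Apache on :443 terminates TLS and proxies to Varnish on 127.0.0.1:80 with mod_proxy's default ProxyAddHeaders, which appends the TLS client's address to X-Forwarded-For) and Varnish 4 or later, which itself appends client.ip to X-Forwarded-For before vcl_recv runs. It records the real client in a hypothetical X-Real-IP header while only honouring X-Forwarded-For from the trusted local proxy, so a client that sends its own X-Forwarded-For cannot forge the logged address.

```vcl
vcl 4.0;

# Only these peers may vouch for a client address. Any other peer that
# sends X-Forwarded-For is an ordinary client and its header is ignored.
acl trusted_proxies {
    "127.0.0.1";
}

sub vcl_recv {
    if (client.ip ~ trusted_proxies && req.http.X-Forwarded-For ~ ",") {
        # The request came back through the local Apache SSL terminator.
        # At this point the header looks like
        #   [whatever the client sent, ]<tls client>, 127.0.0.1
        # because Apache appended the TLS peer and Varnish appended
        # client.ip. The real client is the element just before the
        # trailing 127.0.0.1, whatever was put in front of it.
        set req.http.X-Real-IP = regsub(req.http.X-Forwarded-For,
            "^(.*,\s*)?([^,\s]+),\s*[^,]+$", "\2");
    } else {
        # Direct connection, e.g. the plain-HTTP hit that gets redirected:
        # the TCP peer is the client. This branch is also all you need once
        # TLS is terminated by HAProxy/Hitch speaking PROXY protocol to a
        # "varnishd -a :8443,PROXY" listener (Varnish 4.1+), since then
        # client.ip already holds the real address.
        set req.http.X-Real-IP = client.ip;
    }
}
```

To get that address into the access log, run varnishncsa with a format that uses the header instead of %h, e.g. `varnishncsa -F '%{X-Real-IP}i %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"'`.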



On 08/15/2017 11:39 AM, Admin Beckspaced wrote:
>
> Hello there ;)
>
> I'm running varnish in front of my apache on port 80 without any
> issues so far.
>
> Recently I decided to also use varnish for SSL connections
>
> To do so I first do a http to https redirect within varnish VCL
>
> if ( req.http.X-Forwarded-Proto !~ "(?i)https" ) {
>     return (synth(750, ""));
> }
>
> then in vcl_synth()
>
> sub vcl_synth {
>     if (resp.status == 750) {
>         set resp.status = 301;
>         set resp.http.Location = "https://" + req.http.host + req.url;
>         return (deliver);
>     }
> }
>
> This works fine and all http got redirected to https
>
> Then on port 443 I got apache listening as a reverse proxy with the
> following config:
>
> <VirtualHost *:443>
>
>     ServerName somedomain.com
>     ServerAlias *.somedomain.org
>
>     SSLEngine on
>
>     ... ssl cert stuff here ...
>
>     ProxyPreserveHost On
>     ProxyPass / http://127.0.0.1:80/
>     ProxyPassReverse / http://127.0.0.1:80/
>     RequestHeader set X-Forwarded-Port "443"
>     RequestHeader set X-Forwarded-Proto "https"
>
> </VirtualHost>
>
> Also this works perfectly fine! Apache does the SSL termination and
> then reverse proxies everything back to varnish on port 80
>
> If I have a look in the apache ssl log:
>
> [15/Aug/2017:02:03:41 +0200] 35.190.201.122 TLSv1.2
> ECDHE-RSA-AES128-GCM-SHA256 "GET /feed/ HTTP/1.1" -
> "http://domain.org/feed/" "Go-http-client/1.1"
> [15/Aug/2017:02:03:41 +0200] 35.190.201.122 TLSv1.2
> ECDHE-RSA-AES128-GCM-SHA256 "GET /feed HTTP/1.1" 10513
> "https://domain.org/feed/" "Go-http-client/1.1"
>
> If I look in the varnishlog I see the following:
>
> domain.org 35.190.201.122 - - [15/Aug/2017:02:03:41 +0200] "GET
> http://domain.org/feed/ HTTP/1.1" 301 0 "-" "Go-http-client/1.1"
> domain.org 127.0.0.1 - - [15/Aug/2017:02:03:41 +0200] "GET
> http://domain.org/feed/ HTTP/1.1" 301 0 "http://domain.org/feed/"
> "Go-http-client/1.1"
> domain.org 127.0.0.1 - - [15/Aug/2017:02:03:41 +0200] "GET
> http://domain.org/feed HTTP/1.1" 200 10513 "https://domain.org/feed/"
> "Go-http-client/1.1"
>
> But in the process of Varnish -> Redirect http to https -> Apache
> Reverse Proxy -> Varnish I lose the client IP address in varnishlog.
> It just says 127.0.0.1
>
> How can I forward the client IP to varnishlog in this process?
>
> I need to have the client IP in varnishlog as I use those to generate
> statistics about the website.
>
> any help, hints or insights would be awesome ;)
>
> Thanks & greetings
> Becki
>
>
> -- 
> Beckspaced - Server Administration
>
>

-- 
Kind regards

Jan Hugo Prins
