varnishlog client IP problem via Apache SSL reverse proxy

Andrei lagged at gmail.com
Wed Aug 16 08:19:41 CEST 2017


+1 for SSL with Hitch/HAProxy. The setup described with the Apache
runaround will more than likely tank as soon as large traffic spikes appear

On Tue, Aug 15, 2017 at 3:04 PM, Jan Hugo Prins | BetterBe <jprins at betterbe.com> wrote:

> I would not do it like that.
> Better is to use something like Hitch or HaProxy (my preference) and put
> that in front of Varnish.
> Then HaProxy / Hitch can terminate all SSL traffic, and HaProxy can also
> do your redirect to SSL if needed.
> Then in Varnish you use the Apache server as a backend and let it only
> serve what it needs to serve.
> Use the ProxyProtocol to send the client information from HaProxy to
> Varnish.
> In Varnish you need to put the client IP into the X-Forwarded-For header.
> In Apache you can then use this header to have the real client IP address.
>
> This way you have the real client IP information on all layers.
>
> Jan Hugo Prins
>
>
>
>
> On 08/15/2017 11:39 AM, Admin Beckspaced wrote:
>
> Hello there ;)
>
> I'm running varnish in front of my apache on port 80 without any issues so
> far.
>
> Recently I decided to also use varnish for SSL connections
>
> To do so I first do a http to https redirect within varnish VCL
>
> if ( req.http.X-Forwarded-Proto !~ "(?i)https" ) {
>     return (synth(750, ""));
> }
>
> then in vcl_synth()
>
> sub vcl_synth {
>     if (resp.status == 750) {
>         set resp.status = 301;
>         set resp.http.Location = "https://" + req.http.host + req.url;
>         return (deliver);
>     }
> }
>
> This works fine and all http got redirected to https
>
> Then on port 443 I got apache listening as a reverse proxy with the
> following config:
>
> <VirtualHost *:443>
>
>     ServerName somedomain.com
>     ServerAlias *.somedomain.org
>
>     SSLEngine on
>
>     ... ssl cert stuff here ...
>     ProxyPreserveHost On
>     ProxyPass / http://127.0.0.1:80/
>     ProxyPassReverse / http://127.0.0.1:80/
>     RequestHeader set X-Forwarded-Port "443"
>     RequestHeader set X-Forwarded-Proto "https"
>
> </VirtualHost>
>
> Also this works perfectly fine! Apache does the SSL termination and then
> reverse proxies everything back to varnish on port 80
>
> If I have a look in the apache ssl log:
>
> [15/Aug/2017:02:03:41 +0200] 35.190.201.122 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /feed/ HTTP/1.1" - "http://domain.org/feed/" "Go-http-client/1.1"
> [15/Aug/2017:02:03:41 +0200] 35.190.201.122 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /feed HTTP/1.1" 10513 "https://domain.org/feed/" "Go-http-client/1.1"
>
> If I look in the varnishlog I see the following:
>
> domain.org 35.190.201.122 - - [15/Aug/2017:02:03:41 +0200] "GET http://domain.org/feed/ HTTP/1.1" 301 0 "-" "Go-http-client/1.1"
> domain.org 127.0.0.1 - - [15/Aug/2017:02:03:41 +0200] "GET http://domain.org/feed/ HTTP/1.1" 301 0 "http://domain.org/feed/" "Go-http-client/1.1"
> domain.org 127.0.0.1 - - [15/Aug/2017:02:03:41 +0200] "GET http://domain.org/feed HTTP/1.1" 200 10513 "https://domain.org/feed/" "Go-http-client/1.1"
>
> But in the process of Varnish -> Redirect http to https -> Apache Reverse
> Proxy -> Varnish I lose the client IP address in varnishlog.
> It just says 127.0.0.1
>
> How can I forward the client IP to varnishlog in this process?
>
> I need to have the client IP in varnishlog as I use those to generate
> statistics about the website.
>
> any help, hints or insights would be awesome ;)
>
> Thanks & greetings
> Becki
>
>
> --
> Beckspaced - Server Administration
> ------------------------------------------------
> Ralf Flederer
> Marienplatz 9
> 97353 Wiesentheid
> Tel.: 09383-9033825
> Mobil: 01577-7258912
> Internet: www.beckspaced.com
> ------------------------------------------------
>
>
>
> _______________________________________________
> varnish-misc mailing list
> varnish-misc at varnish-cache.org
> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
>
>
> --
> Kind regards
>
> Jan Hugo Prins
> *DevOps Engineer*
> <https://betterbe.com>
> Auke Vleerstraat 140 E
> 7547 AN Enschede
> CC no. 08097527
> <https://www.kvk.nl/orderstraat/product-kiezen/?kvknummer=080975270000>
> *T* +31 (0) 53 48 00 694
> *E* jprins at betterbe.com
> *M* +31 (0)6 263 58 951
> www.betterbe.com
> BetterBe accepts no liability for the content of this email, or for the
> consequences of any actions taken on the basis
> of the information provided, unless that information is subsequently
> confirmed in writing. If you are not the intended
> recipient you are notified that disclosing, copying, distributing or
> taking any action in reliance on the contents of this
> information is strictly prohibited.
>
>
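The layout Jan Hugo Prins describes (TLS terminator in front, PROXY protocol into Varnish, Apache reduced to a plain-HTTP origin) as a worked VCL example. This is added here for illustration and is not code from the thread or from the Varnish project. It assumes Varnish 4.1 or later with vmod_std, varnishd started with `-a :80 -a 127.0.0.1:6086,PROXY`, HAProxy pointing at that second listener with `server varnish 127.0.0.1:6086 send-proxy-v2` (or Hitch with `write-proxy-v2 = on`), and Apache moved to port 8080; the port numbers and the backend name are assumptions, not values from the original post.

```vcl
vcl 4.0;
import std;

# Apache is now only an origin on a plain-HTTP port (assumed 8080).
backend apache {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # On the PROXY listener, HAProxy/Hitch hands Varnish the original
    # addresses: client.ip is the real client and server.ip is the address
    # and port the client connected to at the TLS terminator. On the plain
    # :80 listener both are the local socket addresses as usual.
    if (std.port(server.ip) == 443) {
        set req.http.X-Forwarded-Proto = "https";
    } else {
        # Plain HTTP: redirect to https, same mechanism as in the original post.
        return (synth(750, ""));
    }

    # Varnish appends client.ip to whatever X-Forwarded-For the request
    # already carried. Overwrite the header instead of trusting that chain,
    # so a client-supplied X-Forwarded-For cannot spoof the address Apache
    # (and any statistics built from its logs) will see.
    set req.http.X-Forwarded-For = client.ip;
}

sub vcl_synth {
    if (resp.status == 750) {
        set resp.status = 301;
        set resp.http.Location = "https://" + req.http.host + req.url;
        return (deliver);
    }
}
```

With this in place varnishncsa's `%h` shows the real client address for requests that arrived through the PROXY listener, so the existing statistics keep working without parsing headers; on the Apache side a `LogFormat` containing `%{X-Forwarded-For}i` gives the same address. The PROXY listener should stay bound to 127.0.0.1 (or a firewalled interface): any peer that can reach it can assert an arbitrary client address in the PROXY header, so reachability of that port is the trust boundary.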