varnishlog client IP problem via Apache SSL reverse proxy

Jan Hugo Prins | BetterBe jprins at
Wed Aug 16 11:34:13 CEST 2017

I think the choice between HaProxy and Hitch is probably one where you
have to look at what you need or might need in the future and what you
already know.
My decision to use HaProxy was based on several criteria:
- We already use HaProxy at other locations so I was familiar with the
product and it's configuration.
- Using Hitch would mean that I would need to maintain another part of
- I wanted to be able to make traffic routing decisions before the
request hits Varnish. Send requests to different backend etc.
- I wanted to do some rewrites before the traffic hits Varnish.

Based on those criteria I decided to put HaProxy in front of Varnish.
Your criteria will very likely be different.

Jan Hugo Prins

On 08/16/2017 08:56 AM, Admin Beckspaced wrote:
> Thanks a lot for your suggestion for using HaProxy ;)
> My thinking was just: why install another bit of software when apache
> is able to do the SSL termination.
> But like Andrei said, if traffic spikes hit the apache runaround will
> not be the optimal solution.
> Do you guys have any recent up-to-date tutorials / howtos on setting
> up HaProxy as SSL terminator in front of varnish.
> also doing the SSL redirects ...
> Did look around for Hitch but wasn't very pleased with the info
> provided ;(
> Any hints are welcome & thanks for your help & replies ;)
> Greetings
> Becki
> On 15.08.2017 22:04, Jan Hugo Prins | BetterBe wrote:
>> I would not do it like that.
>> Better is to use something like Hitch or HaProxy (my preference) and
>> put that in front of Varnish.
>> Then HaProxy / Hitch can terminate all SSL traffic, and HaProxy can
>> also do your redirect to SSL if needed.
>> Then in Varnish you use the Apache server as a backend and let it
>> only serve what it needs to serve.
>> Use the ProxyProtocol to send the client information from HaProxy to
>> Vernish.
>> In Varnish you need to put the client IP into the X-Forwarded-For
>> header.
>> In Apache you can then use this header to have the real client IP
>> address.
>> This way you have the real client IP information on all layers.
>> Jan Hugo Prins

Kind regards

Jan Hugo Prins
/DevOps Engineer/
Auke Vleerstraat 140 E
7547 AN Enschede
CC no. 08097527
*T* +31 (0) 53 48 00 694 <tel:+31534800694>
*E* jprins at <mailto:jprins at>
*M* +31 (0)6 263 58 951 <tel:+31%20%280%296%20263%2058%20951> <>
BetterBe accepts no liability for the content of this email, or for the
consequences of any actions taken on the basis
of the information provided, unless that information is subsequently
confirmed in writing. If you are not the intended
recipient you are notified that disclosing, copying, distributing or
taking any action in reliance on the contents of this
information is strictly prohibited.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kinfkennhjlkhind.png
Type: image/png
Size: 13988 bytes
Desc: not available
URL: <>

More information about the varnish-misc mailing list