Using ACL with non-IP fields

Mark Hanford mark at
Fri Mar 31 11:44:32 CEST 2017

Hi folks.

Because my varnish nodes are behind two different proxies, I can't really
use client.ip within my VCL. What I have is a header "X-Real-Ip" instead,
which is populated automatically by one proxy, and by me derived from the
"X-Forwarded-For" for the other.

What this means is that where I would usually use ACL to block access to a

    if ( == "") {
        if (client.ip ~ trustedips) {
            # allow access
        } else {
            return (synth(405, "Not allowed");

But this doesn't work if I replace client.ip with a non-IP typed field.

Message from VCC-compiler:
Expected CSTR got 'purgers'
(program line 1193), at
('default.vcl' Line 339 Pos 34)
if (req.http.X-Real-Ip ~ trustedips) {

Is there any way I can get the same result as this but without using


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the varnish-misc mailing list