Using ACL with non-IP fields
Guillaume Quintard
guillaume at varnish-software.com
Fri Mar 31 11:59:58 CEST 2017
Hi Mark, you need to use std.ip() from the std vmod.
Also, I highly recommend using the PROXY protocol (Varnish, HAProxy and
Nginx, at least, support it); it will allow you to use client.ip directly
and not bother with this.
--
Guillaume Quintard
On Fri, Mar 31, 2017 at 11:44 AM, Mark Hanford <mark at hanfordonline.co.uk>
wrote:
> Hi folks.
>
> Because my varnish nodes are behind two different proxies, I can't really
> use client.ip within my VCL. What I have is a header "X-Real-Ip" instead,
> which is populated automatically by one proxy, and by me derived from the
> "X-Forwarded-For" for the other.
>
> What this means is that where I would usually use ACL to block access to a
> resource:
>
> if (req.http.host == "test.mydomain.com") {
>     if (client.ip ~ trustedips) {
>         # allow access
>     } else {
>         return (synth(405, "Not allowed"));
>     }
> }
>
> But this doesn't work if I replace client.ip with a non-IP typed field.
>
> Message from VCC-compiler:
> Expected CSTR got 'purgers'
> (program line 1193), at
> ('default.vcl' Line 339 Pos 34)
> if (req.http.X-Real-Ip ~ trustedips) {
> ---------------------------------##########---
>
> Is there any way I can get the same result as this but without using
> client.ip?
>
> thanks,
>
> Mark
>
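The std.ip() suggestion from the reply, as an added example that is not part of the original thread: the header string is converted to an IP so it can be matched against an ACL. The `frontproxies` ACL, all addresses, the backend, and the step that discards X-Real-Ip from unknown peers are assumptions added for illustration. The two-argument form of std.ip() is the one documented for Varnish 4.x.

```vcl
vcl 4.0;

import std;

# Assumed backend, only so the file compiles on its own.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

# Constructed addresses: the two proxies that sit in front of Varnish.
acl frontproxies {
    "192.0.2.10";
    "192.0.2.11";
}

# Constructed addresses: clients allowed to reach the restricted host.
acl trustedips {
    "198.51.100.0"/24;
    "203.0.113.7";
}

sub vcl_recv {
    # X-Real-Ip is only meaningful when a known proxy set it.
    # Drop it when the TCP peer is anything else.
    if (client.ip !~ frontproxies) {
        unset req.http.X-Real-Ip;
    }

    if (req.http.host == "test.mydomain.com") {
        # std.ip() turns the header string into an IP value. The second
        # argument is returned when the header is missing or unparsable,
        # so it must be an address that is NOT in trustedips.
        if (std.ip(req.http.X-Real-Ip, "0.0.0.0") ~ trustedips) {
            # allow access
        } else {
            return (synth(405, "Not allowed"));
        }
    }
}
```

The ACL decision is only as reliable as the header: each front proxy has to overwrite any X-Real-Ip value sent by the client rather than pass it through.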