Using ACL with non-IP fields

Mark Hanford mark at hanfordonline.co.uk
Fri Mar 31 12:14:04 CEST 2017


Yeah, I'm looking into PROXY. We have up to two proxies in the way, the
first that all traffic has to go through is a Cisco Ace we use for load
balancing and SSL offloading, and the second is a CaddyServer that some
traffic will go through for LetsEncrypt certificates. It's getting both of
those set up to present similar data to the Varnish nodes that's the trick -
we don't have direct control of the Cisco gear either. Both should be able
to do it, I guess I just need to work out the wrinkles.

--
Mark

On 31 March 2017 at 10:59, Guillaume Quintard <
guillaume at varnish-software.com> wrote:

> Hi Mark, you need to use std.ip() from the std vmod.
>
> Also, I highly recommend using the PROXY protocol (Varnish, HAProxy and
> Nginx, at least support it), it will allow you to use client.ip directly
> and not bother with this.
>
> --
> Guillaume Quintard
>
> On Fri, Mar 31, 2017 at 11:44 AM, Mark Hanford <mark at hanfordonline.co.uk>
> wrote:
>
>> Hi folks.
>>
>> Because my varnish nodes are behind two different proxies, I can't really
>> use client.ip within my VCL. What I have is a header "X-Real-Ip" instead,
>> which is populated automatically by one proxy, and derived by me from the
>> "X-Forwarded-For" for the other.
>>
>> What this means is that where I would usually use ACL to block access to
>> a resource:
>>
>>     if (req.http.host == "test.mydomain.com") {
>>         if (client.ip ~ trustedips) {
>>             # allow access
>>         } else {
>>             return (synth(405, "Not allowed"));
>>         }
>>     }
>>
>> But this doesn't work if I replace client.ip with a non-IP typed field.
>>
>> Message from VCC-compiler:
>> Expected CSTR got 'purgers'
>> (program line 1193), at
>> ('default.vcl' Line 339 Pos 34)
>> if (req.http.X-Real-Ip ~ trustedips) {
>> ---------------------------------##########---
>>
>> Is there any way I can get the same result as this but without using
>> client.ip?
>>
>> thanks,
>>
>> Mark
>>
>> _______________________________________________
>> varnish-misc mailing list
>> varnish-misc at varnish-cache.org
>> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
>>
>
>
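As an added example (not code from this thread, and not Varnish's own), here is the std.ip() approach Guillaume points to, written out as a complete VCL snippet around Mark's original check. The vcl version line, the addresses in both ACLs and the name "proxies" are assumptions for illustration only; substitute your own. Two things a practitioner will want that the one-liner does not show: std.ip() takes a fallback address that is used when the header is missing or malformed, and a header like X-Real-Ip is only as trustworthy as the hop that set it, so the snippet refuses to honour it unless client.ip is one of the known proxies.

```vcl
vcl 4.0;

# std.ip() lives in the std vmod shipped with Varnish.
import std;

# Constructed example addresses: the proxies that sit in front of Varnish
# (here, the load balancer and the Caddy instance). Only these peers are
# allowed to supply X-Real-Ip on the client's behalf.
acl proxies {
    "192.0.2.10";
    "192.0.2.11";
}

# Constructed example addresses: the real clients allowed to reach the
# test host. Replace with your own ranges.
acl trustedips {
    "198.51.100.0"/24;
    "203.0.113.42";
}

sub vcl_recv {
    # client.ip is the TCP peer, i.e. one of the proxies, never the user.
    # If a request arrives from anything else, X-Real-Ip could have been
    # set by the requester itself, so it must not be trusted.
    if (client.ip !~ proxies) {
        unset req.http.X-Real-Ip;
    }

    if (req.http.host == "test.mydomain.com") {
        # "req.http.X-Real-Ip ~ trustedips" fails to compile because the
        # ACL match operator needs an IP-typed operand and a header is a
        # string. std.ip() does the conversion. The second argument is
        # the fallback returned when the header is absent or not a valid
        # address; 0.0.0.0 is chosen because it will never match the ACL,
        # so a missing or garbage header lands in the deny branch.
        if (std.ip(req.http.X-Real-Ip, "0.0.0.0") ~ trustedips) {
            # allow access
        } else {
            return (synth(405, "Not allowed"));
        }
    }
}
```

The unset-unless-proxy step matters even with the PROXY protocol on the roadmap: until every path into Varnish either speaks PROXY or overwrites X-Real-Ip unconditionally, a request that reaches Varnish with a client-supplied X-Real-Ip would otherwise walk straight through the ACL.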