Varnish and AWS ALBs
Carlos Abalde
carlos.abalde at gmail.com
Thu Aug 19 20:48:47 UTC 2021
Hi,
Not so sure about that. Let's assume the client address is 1.1.1.1. Two possible scenarios:
- The client request reaches the ALB without XFF. The ALB will inject XFF with value 1.1.1.1. Then Varnish will modify XFF adding the ALB's address (i.e., 1.1.1.1,<ALB IP>). Using the next-to-last IP you're using the right client address.
- The client request reaches the ALB with a forged XFF (e.g. 127.0.0.1). The ALB will modify XFF (i.e. 127.0.0.1,1.1.1.1). Then Varnish will do the same (i.e. 127.0.0.1,1.1.1.1,<ALB IP>). Using the next-to-last IP you're still using the right client address.
I've not checked using an ALB, but that should be the expected behaviour for me.
Best,
--
Carlos Abalde
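
The two scenarios in the message above, worked through as an added example (not part of the original post, and not Varnish or ALB code). It models the header handling as the message describes it; the ALB address 10.0.0.5 and the function names are constructed for illustration.

```python
import ipaddress


def simulate_chain(client_ip, alb_ip, incoming_xff=None):
    """Build the XFF value Varnish ends up with, per the message:
    the ALB appends the address of its peer (the client), then
    Varnish appends the address of its peer (the ALB)."""
    hops = [h.strip() for h in incoming_xff.split(",")] if incoming_xff else []
    hops.append(client_ip)  # appended by the ALB
    hops.append(alb_ip)     # appended by Varnish
    return ",".join(hops)


def client_from_xff(xff, trusted_hops=1):
    """Return the entry `trusted_hops` positions in from the right.

    With one trusted proxy (the ALB) in front of Varnish this is the
    next-to-last entry. Everything further left was supplied by the
    client and is never consulted. Returns None if the chain is too
    short or the selected entry is not a valid IP address."""
    hops = [h.strip() for h in xff.split(",")]
    if len(hops) <= trusted_hops:
        return None
    candidate = hops[-(trusted_hops + 1)]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


if __name__ == "__main__":
    ALB = "10.0.0.5"  # constructed stand-in for <ALB IP>

    clean = simulate_chain("1.1.1.1", ALB)
    forged = simulate_chain("1.1.1.1", ALB, incoming_xff="127.0.0.1")

    for label, xff in (("no XFF from client", clean), ("forged XFF", forged)):
        leftmost = xff.split(",")[0]
        print(f"{label}: XFF={xff!r}")
        print(f"  leftmost entry    : {leftmost}")
        print(f"  next-to-last entry: {client_from_xff(xff)}")
```

In the forged case the leftmost entry is the client-supplied 127.0.0.1, while the next-to-last entry is still the address the ALB observed.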