Varnish and AWS ALBs

Guillaume Quintard guillaume.quintard at gmail.com
Thu Aug 19 20:59:56 UTC 2021


Hi,

If I read this correctly:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html,
you can trust the before-last IP, because it was added by the ALB,
always (and using vmod_str makes it easy to retrieve it:
https://github.com/varnish/varnish-modules/blob/master/src/vmod_str.vcc#L42).

Side question: would an NLB work? They support proxy-protocol, that would
also solve your problem.

Cheers,

-- 
Guillaume Quintard


On Thu, Aug 19, 2021 at 1:52 PM Carlos Abalde <carlos.abalde at gmail.com>
wrote:

> Hi,
>
> Not so sure about that. Let's assume the client address is 1.1.1.1. Two
> possible scenarios:
>
> - The client request reaches the ALB without XFF. The ALB will inject XFF
> with value 1.1.1.1. Then Varnish will modify XFF adding the ALB's address
> (i.e., 1.1.1.1,<ALB IP>). Using the next-to-last IP you're using the right
> client address.
>
> - The client request reaches the ALB with a forged XFF (e.g. 127.0.0.1).
> The ALB will modify XFF (i.e. 127.0.0.1,1.1.1.1). The Varnish will do
> the same (i.e. 127.0.0.1,1.1.1.1,<ALB IP>). Using the next-to-last IP
> you're still using the right client address.
>
>
> I've not checked using an ALB, but that should be the expected behaviour
> for me.
>
> Best,
>
> --
> Carlos Abalde
>
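The chain Carlos walks through above, and the next-to-last lookup Guillaume points to, as an added example (not code from either poster, nor from Varnish or vmod_str): a small Python model of the ALB and Varnish each appending one XFF entry, with the client address taken as the entry appended by the first trusted hop. The ALB address 192.0.2.10 is a constructed stand-in for <ALB IP>, and the trusted-hop count generalises the thread's next-to-last rule to any fixed number of appending proxies.

```python
# Added example (not from the thread): models the X-Forwarded-For (XFF) chain
# client -> AWS ALB -> Varnish from Carlos's two scenarios and the
# next-to-last selection Guillaume mentions. All addresses are constructed;
# 192.0.2.10 stands in for <ALB IP>.
from typing import Optional

ALB_IP = "192.0.2.10"  # constructed stand-in for <ALB IP>


def append_hop(xff: Optional[str], peer_ip: str) -> str:
    """What a well-behaved proxy does: append the address it saw the request
    come from. The ALB does this with the client's IP; Varnish does it with
    the ALB's IP (the address of its own TCP peer)."""
    return peer_ip if not xff else f"{xff},{peer_ip}"


def client_ip_from_xff(xff: str, trusted_hops: int = 2) -> Optional[str]:
    """Pick the client address from XFF given `trusted_hops` proxies that are
    known to append exactly one entry each (here ALB + Varnish = 2).
    The client's own address is the entry appended by the first trusted hop,
    i.e. the `trusted_hops`-th entry from the end; everything before it is
    client-supplied and must be ignored. With trusted_hops=2 this is exactly
    the next-to-last rule from the thread."""
    entries = [e.strip() for e in xff.split(",") if e.strip()]
    if len(entries) < trusted_hops:
        # Fewer entries than trusted hops means the request did not traverse
        # the expected chain (e.g. Varnish reached directly, bypassing the
        # ALB); nothing in the header can be trusted then.
        return None
    return entries[-trusted_hops]


def simulate(client_ip: str, forged_xff: Optional[str]) -> str:
    """Run one request through ALB then Varnish and return the final XFF."""
    after_alb = append_hop(forged_xff, client_ip)
    return append_hop(after_alb, ALB_IP)


if __name__ == "__main__":
    for forged in (None, "127.0.0.1", "10.0.0.1,10.0.0.2"):
        xff = simulate("1.1.1.1", forged)
        print(f"forged={forged!r:<22} xff={xff!r:<42} -> {client_ip_from_xff(xff)}")
```

The `None` return is the case the thread's reasoning relies on but does not spell out: the rule only holds when every request to Varnish really came through the ALB.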