Varnish and AWS ALBs
Justin Lloyd
justinl at arena.net
Fri Aug 20 11:37:51 UTC 2021
Hey Carlos,
That seems to do the trick, thanks! I’ve always thought I was pretty good with PCRE (used Perl heavily for like 15 years) but for some reason this one was eluding me. I appreciate the help!
Justin
From: Carlos Abalde <carlos.abalde at gmail.com>
Sent: Friday, August 20, 2021 4:12 AM
To: Justin Lloyd <justinl at arena.net>
Cc: Guillaume Quintard <guillaume.quintard at gmail.com>; varnish-misc at varnish-cache.org
Subject: Re: Varnish and AWS ALBs
This is a possible regsub() to extract the next-to-last IP address (it assumes at least two are available):
# Capture the next-to-last comma-separated entry of X-Forwarded-For;
# if the header has fewer than two entries the regex does not match
# and regsub() returns the header value unchanged.
set req.http.X-Client-Ip = regsub(
    req.http.X-Forwarded-For,
    "^.*(?:^|,)\s*([^,\s]+)\s*,[^,]+$",
    "\1");
Best,
--
Carlos Abalde
On 20 Aug 2021, at 13:08, Justin Lloyd <justinl at arena.net> wrote:
I was just trying to get varnish-modules to build (having to install varnish and build tools on my dev manager server) and hit the limitation that vmod_str isn’t available until Varnish 6.6. I’m on Varnish 6.5 so I’d need to test the 6.6 upgrade in dev and then roll that out to live, which will take some time (higher priority and urgency issues and projects on my plate). I’ll play with regsub() some more to see if I can figure out a temporary approach.
Thanks,
Justin
From: varnish-misc <varnish-misc-bounces+justinl=arena.net at varnish-cache.org> On Behalf Of Justin Lloyd
Sent: Thursday, August 19, 2021 2:39 PM
To: Guillaume Quintard <guillaume.quintard at gmail.com>; Carlos Abalde <carlos.abalde at gmail.com>
Cc: varnish-misc at varnish-cache.org
Subject: RE: Varnish and AWS ALBs
Hi Guillaume!
It looks like you and Carlos are both correct. For some reason, before I was not seeing the Varnish XFF values from faked XFFs, not sure why, but now I’m seeing the fakes I’m using against one of my dev sites and I’m seeing the three values where it’s FAKED_IP, REAL_IP, ALB_IP. So with a little bit more VCL code (or probably easier once I move to Varnish Enterprise next year), I should be able to handle this. I’ll give it a whirl and see how it goes.
Thanks!
Justin
From: Guillaume Quintard <guillaume.quintard at gmail.com>
Sent: Thursday, August 19, 2021 2:00 PM
To: Carlos Abalde <carlos.abalde at gmail.com>
Cc: Justin Lloyd <justinl at arena.net>; varnish-misc at varnish-cache.org
Subject: Re: Varnish and AWS ALBs
Hi,
If I read this correctly: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html , you can trust the before-last IP, because it was added by the ALB, always. (and using vmod_str makes it easy to retrieve https://github.com/varnish/varnish-modules/blob/master/src/vmod_str.vcc#L42)
Side question: would an NLB work? They support proxy-protocol, that would also solve your problem.
Cheers,
--
Guillaume Quintard
On Thu, Aug 19, 2021 at 1:52 PM Carlos Abalde <carlos.abalde at gmail.com> wrote:
Hi,
Not so sure about that. Let's assume the client address is 1.1.1.1. Two possible scenarios:
- The client request reaches the ALB without XFF. The ALB will inject XFF with value 1.1.1.1. Then Varnish will modify XFF adding the ALB's address (i.e., 1.1.1.1,<ALB IP>). Using the next-to-last IP you're using the right client address.
- The client request reaches the ALB with a forged XFF (e.g. 127.0.0.1). The ALB will modify XFF (i.e. 127.0.0.1,1.1.1.1). Then Varnish will do the same (i.e. 127.0.0.1,1.1.1.1,<ALB IP>). Using the next-to-last IP you're still using the right client address.
I've not checked using an ALB, but that should be the expected behaviour for me.
Best,
--
Carlos Abalde
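The following is an added example (not code from any of the thread's participants or from the Varnish project) that runs Carlos's regsub() regex, as posted above, over the two scenarios he describes (honest client vs. forged XFF), plus the edge case his "at least two entries" caveat refers to. The IP addresses and header values are constructed samples; the second helper, client_ip_from_xff(), is an assumed stricter variant that refuses to guess when the header has fewer than two entries, rather than anything Varnish ships.

```python
import re

# Carlos's regex, verbatim: capture the next-to-last comma-separated entry.
NEXT_TO_LAST_RE = re.compile(r"^.*(?:^|,)\s*([^,\s]+)\s*,[^,]+$")


def regsub_next_to_last(xff: str) -> str:
    """Mimic Varnish regsub(): replace the first match with group 1.

    Like regsub(), this returns the input unchanged when nothing matches,
    which is exactly what happens for a header with fewer than two entries.
    """
    return NEXT_TO_LAST_RE.sub(r"\1", xff, count=1)


def client_ip_from_xff(xff: str, min_entries: int = 2):
    """Assumed stricter variant: split on commas and require at least
    min_entries entries (ALB-added client IP plus Varnish-appended ALB IP).
    Returns the next-to-last entry, or None when the header is too short
    to contain an ALB-added address, so the caller can fall back safely
    instead of trusting whatever is left."""
    entries = [e.strip() for e in xff.split(",") if e.strip()]
    if len(entries) < min_entries:
        return None
    return entries[-2]


# Constructed sample headers as Varnish sees them after appending its own
# client.ip, which from Varnish's point of view is the ALB's address (10.0.0.5).
SAMPLES = {
    # Scenario 1: client 1.1.1.1 sends no XFF; ALB inserts it, Varnish appends ALB IP.
    "honest": "1.1.1.1, 10.0.0.5",
    # Scenario 2: client forges XFF=127.0.0.1; ALB appends 1.1.1.1, Varnish appends ALB IP.
    "forged": "127.0.0.1, 1.1.1.1, 10.0.0.5",
    # Forged header that itself already contains several entries.
    "double": "127.0.0.1,8.8.8.8, 1.1.1.1, 10.0.0.5",
    # Edge case: only one entry, so the regex cannot match.
    "single": "10.0.0.5",
}

if __name__ == "__main__":
    for name, xff in SAMPLES.items():
        print(f"{name:7s} XFF={xff!r:40s} regsub={regsub_next_to_last(xff)!r:12s} "
              f"strict={client_ip_from_xff(xff)!r}")
```

In both of Carlos's scenarios the regex yields 1.1.1.1, the address the ALB added, regardless of what the client put in front of it. The single-entry case shows the caveat: regsub() leaves the header untouched, so X-Client-Ip would silently become the ALB's own address; the split-and-count variant returns None there so the VCL (or whatever consumes the header) can treat it as "unknown" instead.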