<div dir="ltr">Authenticated requests should typically bypass cache, unless you want to hash the related session id(s), however that can get "interesting". I suggest using an Apache module such as rpaf or remoteip in order for Apache to set the client IP from the X-Forwarded-For header set by Varnish. This way, you will not need to worry about whitelisting localhost, or other cumbersome iptables rules, and your IP restrictions will work as intended.</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 17, 2017 at 1:32 AM, Jason Price <span dir="ltr"><<a href="mailto:japrice@gmail.com" target="_blank">japrice@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I don't believe there's a trivial way to do this.<div><br></div><div>Varnish will return the cached response to any IP address that comes calling. Even if the first request comes from a valid IP, which gets passed through via X-Forward or similar, and mod_auth is tweaked to respond to that, any subsequent request will not be seen by either apache or mod_auth at all.</div><div><br></div><div>You have a few options:</div><div>1) IP Whitelists are a rather poor means of authentication. Moving to something else might be prudent. But that's not easy.</div><div>2) There are probably VMODs that do something similar. 
If not, and if the list of IPs isn't too long, you could limit the IPs in VCL rather than mod_auth.</div><div>3) Push the list of IP addresses that can connect to the external port down to IPTables or similar.</div><div>4) Push the list of IP addresses to an external Firewall, or Security Group or whatever.</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Thu, Mar 16, 2017 at 5:46 PM, Hernán Marsili <span dir="ltr"><<a href="mailto:hernan@cmsmedios.com" target="_blank">hernan@cmsmedios.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr">Hi,<div><br></div><div>We are having an issue with VARNISH and apache mod_auth. Varnish is on port 80 serving users and Apache is the backend. </div><div><br></div><div>We have servers restricting access only to authenticated users or certain IP addresses. Since we installed Varnish the issue is that we need to enable 127.0.0.1 as a permitted IP (required ip rule) so that Varnish can fetch content. The problem is that the real IP is not used and all the other rules do not apply. </div><div><br></div><div>Bottom line, how can we still control who is requesting using MOD_AUTH and having Varnish?</div><div><br></div><div>Regards</div><span class="m_3758069336204431268HOEnZb"><font color="#888888"><div>Hernán.</div></font></span></div>
<br></div></div>_______________________________________________<br>
varnish-misc mailing list<br>
<a href="mailto:varnish-misc@varnish-cache.org" target="_blank">varnish-misc@varnish-cache.org</a><br>
<a href="https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc" rel="noreferrer" target="_blank">https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc</a><br></blockquote></div><br></div>
</blockquote></div><br></div>
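<p>As an added example, not code from anyone in the thread, this is how option 2 from Jason's reply (enforcing the IP list in VCL, in front of the cache) and the X-Forwarded-For hand-off from the top reply could be expressed for Varnish 4.x. The ACL ranges, the backend port 8080, the <code>/restricted/</code> path prefix and the cookie name are constructed assumptions.</p>

```vcl
vcl 4.0;

# Assumption: Apache listens on localhost:8080 behind Varnish on port 80.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

# Constructed example ranges; replace with the real office/VPN addresses.
acl trusted_clients {
    "192.0.2.0"/24;
    "198.51.100.7";
}

sub vcl_recv {
    # The built-in vcl_recv appends client.ip to any X-Forwarded-For the
    # client already sent. Overwriting it with the real peer address means
    # Apache (with mod_remoteip/rpaf trusting 127.0.0.1) cannot be fooled by
    # a client-supplied header. Do NOT do this if Varnish itself sits behind
    # another proxy, because the original address would then be lost.
    set req.http.X-Forwarded-For = client.ip;

    # Enforce the allowlist here, so a cached object is never served to an
    # address outside the list (Varnish answers from cache without asking
    # Apache, so a mod_auth "Require ip" rule alone would not be consulted).
    # Assumption: only /restricted/ is IP-limited.
    if (req.url ~ "^/restricted/" && client.ip !~ trusted_clients) {
        return (synth(403, "Forbidden"));
    }

    # Authenticated requests bypass the cache entirely, so every one of them
    # reaches Apache and mod_auth. Assumption: the app's cookie is "session".
    if (req.http.Authorization || req.http.Cookie ~ "session=") {
        return (pass);
    }
}
```

<p>On the Apache side, mod_remoteip needs <code>RemoteIPHeader X-Forwarded-For</code> together with <code>RemoteIPInternalProxy 127.0.0.1</code>, so that only the address Varnish puts in the header replaces the client address that <code>Require ip</code> rules and the access log see. The VCL check and the Apache check then agree: uncached hits are refused by the ACL in Varnish, and anything that does reach Apache carries the real client address.</p>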