<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi,<br>
<br>
I have the following test setup running at the moment:<br>
<br>
<pre>
Cloudflare -> HaProxy --> Varnish -> Haproxy -> Backend application.
|-------------------------------------------------| |---------------------------------|
                        CDN                                          API
</pre>
<br>
Between the first HaProxy, Varnish and the second HaProxy I use the
proxy protocol to make sure that the requests that enter my
environment using the CDN are restricted using the same IP whitelist
rules as they would when accessing directly using the API. To get
the external IP into the request information and the proxy protocol
I have the following configuration in my first haproxy config: <br>
<br>
acl FROM_CLOUDFLARE req.hdr(CF-Connecting-IP) -m found<br>
http-request set-src hdr(CF-Connecting-IP) if FROM_CLOUDFLARE<br>
<br>
Normal users connect to the API from the outside world and we use IP
whitelists to allow certain people access to this API. <br>
I'm trying to set up a CDN in front of my application; to build
this I use CloudFlare, HaProxy (SSL termination and some minimal
rewrites) and Varnish (to offload requests from my backend
application).<br>
<br>
This all works fine so far, but today I noticed that access using
the CDN is not restricted enough and I found out that it looks like
the connection between Varnish and my API is not using the proxy
protocol, or at least the information that should be available from
the CF-Connecting-IP is not visible in the HaProxy on the API
backend. The result is that all requests that enter the environment
using the CDN seem to be coming from the Varnish hosts instead of
the external world.<br>
<br>
My backend configuration in Varnish config looks like this:<br>
<br>
<pre>
vcl 4.0;            # version declaration required at the top of a VCL file (not in the posted fragment)

import directors;   # load the directors vmod

backend blsproxy01 {
    .host = "95.130.232.181";
    .port = "81";
    .proxy_header = 2;          # send a PROXY protocol v2 header on connections to this backend
    .probe = {
        .request =
            "GET /haproxy_test HTTP/1.1"
            "Host: leaseservices.eu"
            "Connection: close";
    }
}

backend blsproxy02 {
    .host = "95.130.232.182";
    .port = "81";
    .proxy_header = 2;
    .probe = {
        .request =
            "GET /haproxy_test HTTP/1.1"
            "Host: leaseservices.eu"
            "Connection: close";
    }
}

backend blsproxy03 {
    .host = "95.130.232.183";
    .port = "81";
    .proxy_header = 2;
    .probe = {
        .request =
            "GET /haproxy_test HTTP/1.1"
            "Host: leaseservices.eu"
            "Connection: close";
    }
}

sub vcl_init {
    # new blsproxy = directors.round_robin();
    new blsproxy = directors.random();
    blsproxy.add_backend(blsproxy01, 10);
    blsproxy.add_backend(blsproxy02, 10);
    blsproxy.add_backend(blsproxy03, 10);
}

sub vcl_recv {
    # The director only takes effect when it is selected here (not in the posted
    # fragment); otherwise Varnish uses the first backend defined, blsproxy01.
    set req.backend_hint = blsproxy.backend();
}
</pre>
<br>
I upgraded to Varnish 5.1 a little while back and I think the
problem might have started at that time, but I'm not sure at the
moment. It's all a test setup, so this was only noticed because I
was doing some tests from my home where my home should not be able
to request any CDN content at the moment.<br>
<br>
<br>
<br>
<div class="moz-signature">-- <br>
<table
style="font-family:Arial,Roboto;font-size:12px;line-height:1.38em;border-collapse:collapse;color:#332F60;letter-spacing:0.1px;white-space:nowrap;">
<colgroup><col style="width:174px"><col style="width:174px"><col
style="width:166px"></colgroup> <tbody>
<tr>
<td colspan="3"
style="font-size:13px;color:#000;line-height:20px;padding:0
0 42px 0"> Kind regards<br>
<br>
Jan Hugo Prins<br>
<i>DevOps Engineer</i> </td>
</tr>
<tr>
<td>
Auke Vleerstraat 140 E<br>
7547 AN Enschede<br>
CC no. <a
href="https://www.kvk.nl/orderstraat/product-kiezen/?kvknummer=080975270000"
style="text-decoration:none;color:#332F60;">08097527</a>
</td>
<td>
<b>T</b> <a href="tel:+31534800694"
style="text-decoration:none;color:#332F60;">+31 (0) 53
48 00 694</a><br>
<b>E</b> <a href="mailto:jprins@betterbe.com"
style="text-decoration:none;color:#332F60;">jprins@betterbe.com</a><br>
<b>M</b> <a href="tel:+31%20%280%296%20263%2058%20951"
style="text-decoration:none;color:#332F60;">+31 (0)6 263
58 951</a>
</td>
<td style="vertical-align:bottom"><a
href="https://www.betterbe.com"
style="color:#E73C57;font-weight:bold;text-decoration:none;">www.betterbe.com</a></td>
</tr>
</tbody>
</table>
</div>
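Added example, not part of the post above: a small Python decoder for the PROXY protocol v2 header that <code>.proxy_header = 2</code> makes Varnish send, so the first bytes captured on a connection arriving at the API-side HaProxy can be checked for the forwarded client address instead of the Varnish host's own address. The client address 198.51.100.7 and the request bytes in <code>SAMPLE_STREAM</code> are constructed sample data.<br>

```python
import socket
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte signature starting every v2 header
FAMILIES = {0x1: "AF_INET", 0x2: "AF_INET6", 0x3: "AF_UNIX"}


def parse_proxy_v2(data):
    """Decode the PROXY v2 header at the start of a TCP stream.

    Returns None when there is no v2 signature (a plain connection: the receiver only
    sees the proxying host's own address), otherwise a dict with command, address
    family, forwarded addresses/ports and header length. Raises ValueError if malformed.
    """
    if not data.startswith(PP2_SIGNATURE):
        return None
    if len(data) < 16:
        raise ValueError("truncated PROXY v2 header")
    ver_cmd, fam_proto, addr_len = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version %d" % (ver_cmd >> 4))
    body = data[16:16 + addr_len]
    if len(body) < addr_len:
        raise ValueError("truncated PROXY v2 address block")
    info = {"command": "PROXY" if ver_cmd & 0x0F == 1 else "LOCAL",
            "family": FAMILIES.get(fam_proto >> 4, "AF_UNSPEC"),
            "header_len": 16 + addr_len}
    # Only the PROXY command carries forwarded addresses; LOCAL (e.g. health probes) does not.
    if info["command"] == "PROXY" and info["family"] in ("AF_INET", "AF_INET6"):
        af = socket.AF_INET if info["family"] == "AF_INET" else socket.AF_INET6
        n = 4 if af == socket.AF_INET else 16
        if len(body) < 2 * n + 4:
            raise ValueError("address block too short for %s" % info["family"])
        src, dst, sport, dport = struct.unpack("!%ds%dsHH" % (n, n), body[:2 * n + 4])
        info.update(src=socket.inet_ntop(af, src), dst=socket.inet_ntop(af, dst),
                    sport=sport, dport=dport)
    return info


def build_proxy_v2(src, dst, sport, dport):
    """Encode an IPv4/TCP PROXY v2 header; used here only to construct sample input."""
    addrs = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HH", sport, dport)
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(addrs)) + addrs


# Constructed sample: what the API-side HAProxy should read when Varnish forwards a
# client at 198.51.100.7 (example address) to backend 95.130.232.181:81.
SAMPLE_STREAM = (build_proxy_v2("198.51.100.7", "95.130.232.181", 51234, 81)
                 + b"GET /haproxy_test HTTP/1.1\r\nHost: leaseservices.eu\r\n\r\n")
```

If the decoder returns None for a captured connection from a Varnish host, the stream carried no PROXY header at all, which matches the symptom of every CDN request appearing to come from the Varnish hosts.<br>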
</body>
</html>