<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
I would not do it like that. <br>
Better is to use something like Hitch or HaProxy (my preference) and
put that in front of Varnish. <br>
Then HaProxy / Hitch can terminate all SSL traffic, and HaProxy can
also do your redirect to SSL if needed. <br>
Then in Varnish you use the Apache server as a backend and let it
only serve what it needs to serve.<br>
Use the ProxyProtocol to send the client information from HaProxy to
Varnish.<br>
In Varnish you need to put the client IP into the X-Forwarded-For
header.<br>
In Apache you can then use this header to have the real client IP
address.<br>
<br>
This way you have the real client IP information on all layers.<br>
<br>
Jan Hugo Prins<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 08/15/2017 11:39 AM, Admin
Beckspaced wrote:<br>
</div>
<blockquote type="cite"
cite="mid:647da1e5-6b80-a52b-f957-60ed74cf0c95@beckspaced.com">
<p><font face="Tahoma">Hello there ;)</font></p>
<p>I'm running varnish in front of my apache on port 80 without
any issues so far.<br>
<br>
Recently I decided to also use varnish for SSL connections<br>
<br>
To do so I first do a http to https redirect within varnish VCL<br>
<br>
if ( req.http.X-Forwarded-Proto !~ "(?i)https" ) {<br>
return (synth(750, ""));<br>
}<br>
<br>
then in vcl_synth()<br>
<br>
sub vcl_synth {<br>
<br>
if (resp.status == 750) {<br>
set resp.status = 301;<br>
set resp.http.Location = "https://" + req.http.host + req.url;<br>
return(deliver);<br>
}<br>
}<br>
<br>
This works fine and all http got redirected to https<br>
<br>
Then on port 443 I got apache listening as a reverse proxy with
the following config:<br>
<br>
&lt;VirtualHost *:443&gt;<br>
<br>
ServerName somedomain.com<br>
ServerAlias *.somedomain.org<br>
<br>
SSLEngine on</p>
<p> ... ssl cert stuff here ...<br>
</p>
ProxyPreserveHost On<br>
ProxyPass / http://127.0.0.1:80/<br>
ProxyPassReverse / http://127.0.0.1:80/<br>
RequestHeader set X-Forwarded-Port "443"<br>
RequestHeader set X-Forwarded-Proto "https"<br>
<p>&lt;/VirtualHost&gt;<br>
<br>
Also this works perfectly fine! Apache does the SSL termination
and then reverse proxies everything back to varnish on port 80<br>
<br>
If I have a look in the apache ssl log:<br>
<br>
[15/Aug/2017:02:03:41 +0200] 35.190.201.122 TLSv1.2
ECDHE-RSA-AES128-GCM-SHA256 "GET /feed/ HTTP/1.1" -
"http://domain.org/feed/" "Go-http-client/1.1"<br>
[15/Aug/2017:02:03:41 +0200] 35.190.201.122 TLSv1.2
ECDHE-RSA-AES128-GCM-SHA256 "GET /feed HTTP/1.1" 10513
"https://domain.org/feed/" "Go-http-client/1.1"<br>
<br>
If I look in the varnishlog I see the following:<br>
<br>
domain.org 35.190.201.122 - - [15/Aug/2017:02:03:41 +0200] "GET
http://domain.org/feed/ HTTP/1.1" 301 0 "-" "Go-http-client/1.1"<br>
domain.org 127.0.0.1 - - [15/Aug/2017:02:03:41 +0200] "GET
http://domain.org/feed/ HTTP/1.1" 301 0 "http://domain.org/feed/"
"Go-http-client/1.1"<br>
domain.org 127.0.0.1 - - [15/Aug/2017:02:03:41 +0200] "GET
http://domain.org/feed HTTP/1.1" 200 10513 "https://domain.org/feed/"
"Go-http-client/1.1"<br>
<br>
But in the process of Varnish -&gt; Redirect http to https -&gt;
Apache Reverse Proxy -&gt; Varnish I lose the client IP address
in varnishlog<br>
It just says 127.0.0.1<br>
<br>
How can I forward the client IP to varnishlog in this process?<br>
<br>
I need to have the client IP in varnishlog as I use those to
generate statistics about the website.<br>
<br>
any help, hints or insights would be awesome ;)<br>
<br>
Thanks &amp; greetings<br>
Becki<br>
<br>
<br>
</p>
<pre wrap="">_______________________________________________
varnish-misc mailing list
<a class="moz-txt-link-abbreviated" href="mailto:varnish-misc@varnish-cache.org">varnish-misc@varnish-cache.org</a>
<a class="moz-txt-link-freetext" href="https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc">https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc</a></pre>
</blockquote>
<br>
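<p>An added example, not part of the original messages: it models the chain suggested in the reply (TLS terminator sends a PROXY protocol v1 header, the cache appends the address it saw to X-Forwarded-For, the backend reads the header) and shows why the backend should accept the header only from its own proxies. The function names, the trusted-proxy list and the addresses 203.0.113.7 and 192.0.2.10 are assumptions made for the example; 35.190.201.122 is the client from the logs above.</p>
<pre>
```python
import ipaddress

# Assumption: HAProxy/Hitch and Varnish run on the same host as Apache.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

def parse_proxy_v1(line):
    """Return (client_ip, client_port) from a PROXY protocol v1 header, None for UNKNOWN."""
    if len(line) > 107 or not line.endswith(b"\r\n"):
        raise ValueError("malformed PROXY v1 header")
    parts = line[:-2].decode("ascii").split(" ")
    if parts[0] != "PROXY" or len(parts) == 1:
        raise ValueError("not a PROXY v1 header")
    if parts[1] == "UNKNOWN":
        return None  # receiver must fall back to the socket peer address
    if parts[1] not in ("TCP4", "TCP6") or len(parts) != 6:
        raise ValueError("unsupported PROXY v1 header")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    if src.version != dst.version or src.version != int(parts[1][3]):
        raise ValueError("address family mismatch")
    if not (parts[4].isdigit() and parts[5].isdigit()) or int(parts[4]) > 65535 or int(parts[5]) > 65535:
        raise ValueError("bad port")
    return str(src), int(parts[4])

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)

def append_xff(existing, client_ip):
    """Cache layer: append the address it saw to whatever header the client sent."""
    return f"{existing}, {client_ip}" if existing else client_ip

def real_client_ip(peer_ip, xff):
    """Backend side: walk X-Forwarded-For right to left, skipping only trusted proxies."""
    if not is_trusted(peer_ip):
        return peer_ip  # header arrived from an untrusted peer: ignore it entirely
    for hop in reversed([h.strip() for h in (xff or "").split(",") if h.strip()]):
        try:
            if not is_trusted(hop):
                return hop  # first address not vouched for by our own proxies
        except ValueError:
            return peer_ip  # unparsable entry: do not guess
    return peer_ip

# Constructed sample: the client sends a forged X-Forwarded-For value of its own.
FORGED = "203.0.113.7"
client = parse_proxy_v1(b"PROXY TCP4 35.190.201.122 192.0.2.10 51234 443\r\n")
header_at_apache = append_xff(FORGED, client[0])
print(real_client_ip("127.0.0.1", header_at_apache))
```
</pre>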
</body>
</html>