BBlack has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/258138

Change subject: VCL: switch nginx IP data from XRIP to XCIP
......................................................................

VCL: switch nginx IP data from XRIP to XCIP

Change-Id: I43e5f47d562d55c8ff8dece65fa6afd451aaaa6a
---
M modules/varnish/templates/vcl/wikimedia.vcl.erb
1 file changed, 4 insertions(+), 7 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/38/258138/1

diff --git a/modules/varnish/templates/vcl/wikimedia.vcl.erb 
b/modules/varnish/templates/vcl/wikimedia.vcl.erb
index 973b9b7..91480ad 100644
--- a/modules/varnish/templates/vcl/wikimedia.vcl.erb
+++ b/modules/varnish/templates/vcl/wikimedia.vcl.erb
@@ -379,10 +379,9 @@
 // Must be done at the top of vcl_recv, in our varnish-frontend layer only,
 // and should be guarded against running on request restarts.
 sub recv_fe_ip_processing {
-       // this subroutine "owns" these 4 headers - nothing else in our VCL or
+       // this subroutine "owns" these 3 headers - nothing else in our VCL or
        // anywhere in our network should be setting them.
        unset req.http.X-Trusted-Proxy;
-       unset req.http.X-Client-IP;
        unset req.http.X-Carrier;
        unset req.http.X-Carrier-Meta;
 
@@ -398,7 +397,7 @@
        if (client.ip !~ local_host) {
                // only the local nginx TLS terminator should set this one at
                // all - there are no other internal exceptions to that rule
-               unset req.http.X-Real-IP;
+               unset req.http.X-Client-IP;
        }
 
        if (req.http.X-Forwarded-For) {
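Review bot: With the unconditional `unset req.http.X-Client-IP` dropped in the first hunk, the `client.ip !~ local_host` guard here becomes the only place a client-supplied X-Client-IP is stripped, so requests arriving through the local nginx keep whatever value nginx forwards. That holds only if nginx overwrites the header instead of passing the client's copy through, and the nginx side is not part of this change; if nginx still emits only X-Real-IP when this VCL is deployed, a header sent by an external client over TLS would presumably be accepted unchanged. It is worth confirming the nginx change lands first or together with this one. The ownership comment in the first hunk could also say so, e.g. `// X-Client-IP is owned here too, but may be pre-set by the local nginx TLS terminator only`. The body of recv_fe_ip_processing continues outside this hunk.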
@@ -419,10 +418,10 @@
        }
 
        // There are two possible cases here: either nginx acted as our TLS
-       // proxy and already set X-Real-IP (as well as appended the same value
+       // proxy and already set X-Client-IP (as well as appended the same value
        // as XFF), or the traffic was direct to varnish-fe, in which case
        // XRIP is not yet set and XFF is directly from external.
-       if (!req.http.X-Real-IP) {
+       if (!req.http.X-Client-IP) {
                // direct-to-port-80 case, set XRIP ourselves
                set req.http.X-Client-IP = client.ip;
                set req.http.X-Trusted-Proxy = netmapper.map("proxies", 
req.http.X-Client-IP);
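Review bot: The comments left as context still say XRIP although the code now tests and sets X-Client-IP: "XRIP is not yet set" and "set XRIP ourselves" in this hunk, and "XRIP from nginx" / "at least XRIP at the end" in the last hunk. Since this header decides which address is treated as the client, the stale name makes the trust logic harder to audit. Suggested wording: `// XCIP is not yet set and XFF is directly from external.` and `// direct-to-port-80 case, set XCIP ourselves`, with the same rename in the else-branch comments. The `if` block opened here closes outside the hunk.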
@@ -438,8 +437,6 @@
                // XRIP from nginx, XFF set/appended by nginx and contains at
                // least XRIP at the end, possibly prepended by other addrs
                // set externally by some proxy.
-               set req.http.X-Client-IP = req.http.X-Real-IP;
-               unset req.http.X-Real-IP;
                set req.http.X-Trusted-Proxy = netmapper.map("proxies", 
req.http.X-Client-IP);
                // normalize to boolean post-netmapper (varnish-3.0.4...)
                if (req.http.X-Trusted-Proxy == "") {

-- 
To view, visit https://gerrit.wikimedia.org/r/258138
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I43e5f47d562d55c8ff8dece65fa6afd451aaaa6a
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>
