Yurik has uploaded a new change for review.
https://gerrit.wikimedia.org/r/62103
Change subject: Allow XFF spoofing from the trusted IPs
......................................................................
Allow XFF spoofing from the trusted IPs
In order to do automated testing of the varnish+zero configurations,
allow test frameworks to spoof source IP so that varnish would treat
request as if comming from a Zero carrier.
Change-Id: I25e2b0bf01bac1f2739f90efa3725e18e4494a01
---
M templates/varnish/mobile-frontend.inc.vcl.erb
1 file changed, 5 insertions(+), 3 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/03/62103/1
diff --git a/templates/varnish/mobile-frontend.inc.vcl.erb
b/templates/varnish/mobile-frontend.inc.vcl.erb
index 6c16ffb..069cbf8 100644
--- a/templates/varnish/mobile-frontend.inc.vcl.erb
+++ b/templates/varnish/mobile-frontend.inc.vcl.erb
@@ -513,9 +513,11 @@
}
sub vcl_recv {
- /* if the request comes from Opera Mini's accelerating proxies, grab
- * XFF Header and replace client ip value */
- if (client.ip ~ opera_mini) {
+ /* if the request comes from Opera Mini's accelerating proxies, or it
came
+ * from the allowed_xff ip range and the XFF header is set,
+ * replace client ip value with the XFF Header
+ */
+ if (req.http.X-Forwarded-For && (client.ip ~ opera_mini || client.ip ~
allow_xff)) {
C{
struct sockaddr_storage *client_ip_ss = VRT_r_client_ip(sp);
struct sockaddr_in *client_ip_si = (struct sockaddr_in *)
client_ip_ss;
--
To view, visit https://gerrit.wikimedia.org/r/62103
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I25e2b0bf01bac1f2739f90efa3725e18e4494a01
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yurik <yu...@wikimedia.org>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
