Yurik has uploaded a new change for review. https://gerrit.wikimedia.org/r/62103
Change subject: Allow XFF spoofing from the trusted IPs ...................................................................... Allow XFF spoofing from the trusted IPs In order to do automated testing of the varnish+zero configurations, allow test frameworks to spoof source IP so that varnish would treat request as if comming from a Zero carrier. Change-Id: I25e2b0bf01bac1f2739f90efa3725e18e4494a01 --- M templates/varnish/mobile-frontend.inc.vcl.erb 1 file changed, 5 insertions(+), 3 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/03/62103/1 diff --git a/templates/varnish/mobile-frontend.inc.vcl.erb b/templates/varnish/mobile-frontend.inc.vcl.erb index 6c16ffb..069cbf8 100644 --- a/templates/varnish/mobile-frontend.inc.vcl.erb +++ b/templates/varnish/mobile-frontend.inc.vcl.erb @@ -513,9 +513,11 @@ } sub vcl_recv { - /* if the request comes from Opera Mini's accelerating proxies, grab - * XFF Header and replace client ip value */ - if (client.ip ~ opera_mini) { + /* if the request comes from Opera Mini's accelerating proxies, or it came + * from the allowed_xff ip range and the XFF header is set, + * replace client ip value with the XFF Header + */ + if (req.http.X-Forwarded-For && (client.ip ~ opera_mini || client.ip ~ allow_xff)) { C{ struct sockaddr_storage *client_ip_ss = VRT_r_client_ip(sp); struct sockaddr_in *client_ip_si = (struct sockaddr_in *) client_ip_ss; -- To view, visit https://gerrit.wikimedia.org/r/62103 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I25e2b0bf01bac1f2739f90efa3725e18e4494a01 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Yurik <yu...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits