: Guillaume Quintard ;
varnish-misc@varnish-cache.org
Subject: Re: Varnish and AWS ALBs
This is a possible regsub() to extract the next-to-last IP address (it assumes
at least two are available):
set req.http.X-Client-Ip = regsub(
req.http.X-Forwarded-For,
"^.*(?:^|,)\s*([^,\s
> From: varnish-misc
> On Behalf Of Justin Lloyd
> Sent: Thursday, August 19, 2021 2:39 PM
> To: Guillaume Quintard ; Carlos Abalde
>
> Cc: varnish-misc@varnish-cache.org
> Subject: RE: Varnish and AWS ALBs
>
> Hi Guillaume!
>
> It looks like you and Carlos are both
To: Guillaume Quintard ; Carlos Abalde
Cc: varnish-misc@varnish-cache.org
Subject: RE: Varnish and AWS ALBs
Hi Guillaume!
It looks like you and Carlos are both correct. For some reason, before I was
not seeing the Varnish XFF values from faked XFFs, not sure why, but now I’m
seeing the fakes I’m using against one of my dev
; varnish-misc@varnish-cache.org
Subject: Re: Varnish and AWS ALBs
Hi,
If I read this correctly:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html
, you can trust the before-last IP, because it was added by the ALB,
always. (and using vmod_str makes it easy to retrieve
Hi,
Not so sure about that. Let's assume the client address is 1.1.1.1. Two possible
scenarios:
- The client request reaches the ALB without XFF. The ALB will inject XFF with
value 1.1.1.1. Then Varnish will modify XFF adding the ALB's address (i.e.,
1.1.1.1,). Using the next-to-last IP you're
by the ALB’s SG. I don’t like having two
ALBs to manage, but it seems it’s probably the only way to handle this
situation.
Justin
From: Carlos Abalde
Sent: Thursday, August 19, 2021 1:35 PM
To: Justin Lloyd
Cc: varnish-misc@varnish-cache.org
Subject: Re: Varnish and AWS ALBs
Hi Justin,
You cannot rely on the first IP in XFF (I guess you're doing that at the
moment), but you can rely on the next-to-last. The last one is added to XFF by
Varnish before entering 'vcl_recv', and the next-to-last is added by the ALB.
That's the client IP as seen by the ALB and cannot be
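As an added example (not code from this thread and not Varnish's own), the rule Carlos describes, modelled in Python: the X-Forwarded-For value as vcl_recv sees it for both of his scenarios (client sends no XFF, client sends a faked one), the first-IP choice beside the next-to-last choice, plus the check that Justin's security-group remark implies, namely that the peer which appended the last entry really is the ALB. The addresses and the 10.0.0.0/16 ALB subnet are assumptions.

```python
import ipaddress

# Constructed addresses for the model (assumptions, not from the thread):
# the real client, the ALB's private address as seen by Varnish, and the
# subnet the ALB lives in.
CLIENT_IP = "1.1.1.1"
ALB_IP = "10.0.1.25"
ALB_NETS = [ipaddress.ip_network("10.0.0.0/16")]


def xff_as_seen_in_vcl_recv(client_ip, alb_ip, client_sent_xff=None):
    """Model the header on the path client -> ALB -> Varnish.
    The ALB appends the peer address it saw (the client); Varnish then
    appends the peer address it saw (the ALB) before vcl_recv runs."""
    hops = [client_sent_xff] if client_sent_xff else []
    hops += [client_ip, alb_ip]
    return ", ".join(hops)


def split_xff(xff):
    return [e.strip() for e in xff.split(",") if e.strip()]


def first_ip(xff):
    """The naive choice: the first entry is entirely under the client's control."""
    entries = split_xff(xff)
    return entries[0] if entries else None


def next_to_last_ip(xff, trusted_nets=ALB_NETS):
    """The rule from the thread: trust the entry the ALB added.
    Also requires that the last entry (the peer Varnish actually talked to)
    lies in a trusted proxy network, so a request that reached Varnish
    without passing the ALB yields no client address instead of a forged one.
    In real VCL the same check can be made on client.ip directly."""
    entries = split_xff(xff)
    if len(entries) < 2:
        return None
    try:
        peer = ipaddress.ip_address(entries[-1])
        client = ipaddress.ip_address(entries[-2])
    except ValueError:
        return None
    if not any(peer in net for net in trusted_nets):
        return None
    return str(client)
```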