RE: Varnish and AWS ALBs

2021-08-20 Thread Justin Lloyd
This is a possible regsub() to extract the next-to-last IP address (it assumes at least two are available): set req.http.X-Client-Ip = regsub( req.http.X-Forwarded-For, "^.*(?:^|,)\s*([^,\s

Re: Varnish and AWS ALBs

2021-08-20 Thread Carlos Abalde
> Hi Guillaume! It looks like you and Carlos are both

RE: Varnish and AWS ALBs

2021-08-20 Thread Justin Lloyd
Hi Guillaume! It looks like you and Carlos are both correct. For some reason, before I was not seeing the Varnish XFF values from faked XFFs, not sure why, but now I’m seeing the fakes I’m using against one of my dev

RE: Varnish and AWS ALBs

2021-08-19 Thread Justin Lloyd
Hi, If I read this correctly: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html , you can trust the before-last IP, because it was added by the ALB, always. (and using vmod_str makes

Re: Varnish and AWS ALBs

2021-08-19 Thread Guillaume Quintard
Hi, If I read this correctly: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html , you can trust the before-last IP, because it was added by the ALB, always. (and using vmod_str makes it easy to retrieve

Re: Varnish and AWS ALBs

2021-08-19 Thread Carlos Abalde
Hi, Not so sure about that. Let's assume the client address is 1.1.1.1. Two possible scenarios: - The client request reaches the ALB without XFF. The ALB will inject XFF with value 1.1.1.1. Then Varnish will modify XFF adding the ALB's address (i.e., 1.1.1.1,). Using the next-to-last IP you're

RE: Varnish and AWS ALBs

2021-08-19 Thread Justin Lloyd
by the ALB’s SG. I don’t like having two ALBs to manage, but it seems it’s probably the only way to handle this situation. Justin From: Carlos Abalde: Hi Justin, You cannot

Re: Varnish and AWS ALBs

2021-08-19 Thread Carlos Abalde
Hi Justin, You cannot rely on the first IP in XFF (I guess you're doing that at the moment), but you can rely on the next-to-last. The last one is added to XFF by Varnish before entering 'vcl_recv', and the next-to-last is added by the ALB. That's the client IP as seen by the ALB and cannot be
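As an added example that is not part of the thread or of the Varnish project, the "next-to-last IP" rule above written out in Python, so that the two cases Carlos describes (client sends no XFF, client sends a forged XFF) can be run side by side against the naive first-entry choice. Everything in it is constructed: the ALB address 10.0.1.20, the function names and the sample headers. It assumes what the thread assumes, namely that the ALB always appends the peer address it saw, and that Varnish only accepts connections from the ALB, so the entry Varnish appends (client.ip) is always the ALB's.

```python
# Added example, not code from the thread or from Varnish itself.
# Rule: trust a fixed number of hops counted from the RIGHT of
# X-Forwarded-For, because those were appended by proxies we control.
import ipaddress
from typing import List, Optional

ALB_ADDR = "10.0.1.20"  # assumed private address of the ALB (constructed)


def parse_xff(xff: Optional[str]) -> List[str]:
    """Split a raw X-Forwarded-For value into its non-empty, trimmed entries."""
    if not xff:
        return []
    return [h.strip() for h in xff.split(",") if h.strip()]


def build_xff_as_seen_by_varnish(client_addr: str,
                                 client_xff: Optional[str] = None) -> str:
    """Construct the header Varnish sees in vcl_recv for a request that went
    client -> ALB -> Varnish. `client_xff` is whatever the client itself sent
    (possibly forged). The ALB appends the address of its TCP peer; Varnish
    then appends client.ip (the ALB) before vcl_recv runs."""
    hops = parse_xff(client_xff)
    hops.append(client_addr)   # appended by the ALB
    hops.append(ALB_ADDR)      # appended by Varnish (client.ip)
    return ", ".join(hops)


def leftmost_ip(xff: str) -> Optional[str]:
    """The naive choice: the first entry. The client controls this value."""
    hops = parse_xff(xff)
    return hops[0] if hops else None


def client_ip_from_xff(xff: str, trusted_hops: int = 1) -> Optional[str]:
    """Walk XFF from the right. The last entry was appended by Varnish and the
    `trusted_hops` entries before it by proxies we control (one ALB here), so
    the entry just left of those is the address the outermost trusted proxy
    actually talked to. Returns None when the header is too short or the
    entry is not an IP literal, so a caller falls back rather than trusting
    junk (a real client connection always yields at least ALB + Varnish)."""
    hops = parse_xff(xff)
    idx = len(hops) - 1 - trusted_hops   # -1 skips the Varnish-appended entry
    if idx < 0:
        return None
    try:
        return str(ipaddress.ip_address(hops[idx]))
    except ValueError:
        return None


if __name__ == "__main__":
    honest = build_xff_as_seen_by_varnish("1.1.1.1")
    forged = build_xff_as_seen_by_varnish("1.1.1.1", "9.9.9.9")
    for label, hdr in (("no client XFF", honest), ("forged XFF", forged)):
        print(f"{label:14s} XFF={hdr!r:35s} leftmost={leftmost_ip(hdr)!s:10s} "
              f"next-to-last={client_ip_from_xff(hdr)}")
```

The one value that has to stay in step with the deployment is `trusted_hops`: it is 1 for a single ALB in front of Varnish, and it must be raised by one for every additional proxy you control that is chained in front of it. Set it too low and you return a proxy address; set it too high and you are back to reading a client-controlled entry.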