This is a far-ranging problem that isn't unique to Varnish or SSL.  What is 
typical of CDNs, load-balancers, and proxies of all sorts is to set a header 
with the IP of the request *it* received.  That header is then passed down and 
can be parsed by your upstream.  X-Forwarded-For is the standard header for 
this, but the format and naming of this header can vary (no pun intended).

You can imagine how fun it is to handle IPs for a client request that goes 
through a CDN's proxy/cache network, through your load-balancer, then Varnish, 
then the upstream web server:

Client = 1.1.1.1
CDN = 2.2.2.2
        sets => CDN-Client-IP: 1.1.1.1
LB (e.g., Pound) = 3.3.3.3
        sets => LB-Client-IP: 2.2.2.2
Varnish = 4.4.4.4
        sets => X-Forwarded-For: 3.3.3.3

Your upstream receives the request from 4.4.4.4 with the following headers:
        CDN-Client-IP: 1.1.1.1
        LB-Client-IP: 2.2.2.2
        X-Forwarded-For: 3.3.3.3

You'll care about the highest level one (CDN-Client-IP in this case), something 
like:

        IP = CDN-Client-IP or LB-Client-IP or X-Forwarded-For or <TCP connect IP>

Hope it helps,
-- 
kb

PS: The Pound suggestion is good -- probably a cleaner solution than stunnel 
given that we're talking HTTP(S).

On Apr 7, 2010, at 5:47 AM, Gerhard Schmidt wrote:

> Hi,
> 
> I have a problem using varnish and ssl. I'm trying to set up varnish to act as
> a reverse proxy for our website.
> 
> I need both unencrypted requests and requests via ssl.
> 
> I know that varnish cannot accept ssl connections itself. So I tried to set up
> stunnel to accept connections. That's not the problem. The problem I have is
> that I lose the information from which IP the request originated.
> 
> Are there plans to include ssl in varnish directly or is there a setup to
> retain this information?
> 
> Regards
>       Estartu
> 
> -- 
> ----------------------------------------------------------
> Gerhard Schmidt                | E-Mail: [email protected]
> Technische Universität München |
> WWW & Online Services          |
> Tel: +49 89 289-25270          | PGP-PublicKey
> Fax: +49 89 289-25257          | on request
> 
> _______________________________________________
> varnish-misc mailing list
> [email protected]
> http://lists.varnish-cache.org/mailman/listinfo/varnish-misc
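
The fallback chain from the reply above, as an added example (not code from the thread or from Varnish). It assumes, beyond what the message states, that the upstream honours these headers only when the TCP peer is Varnish at 4.4.4.4; client_ip, TRUSTED_PEERS and the sample request are illustrative names and constructed data.

```python
import ipaddress

# Header precedence from the message: the outermost hop's header wins.
PRECEDENCE = ("CDN-Client-IP", "LB-Client-IP", "X-Forwarded-For")

# Assumption: Varnish (4.4.4.4) is the only peer allowed to vouch for headers.
TRUSTED_PEERS = {ipaddress.ip_address("4.4.4.4")}

# Constructed sample: the request the upstream receives in the message.
SAMPLE_HEADERS = {
    "CDN-Client-IP": "1.1.1.1",
    "LB-Client-IP": "2.2.2.2",
    "X-Forwarded-For": "3.3.3.3",
}


def _parse_ip(value):
    """Return a normalized IP string, or None if value is not an IP literal."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def client_ip(peer_ip, headers):
    """Resolve the client IP for a request whose TCP peer is peer_ip."""
    peer = ipaddress.ip_address(peer_ip)
    # A connection that bypasses the proxies can carry any header it likes,
    # so forwarded headers count only when the peer is a known proxy.
    if peer not in TRUSTED_PEERS:
        return str(peer)
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in PRECEDENCE:
        value = lowered.get(name.lower())
        if not value:
            continue
        # A header may hold a comma-separated list; the last entry is the one
        # appended by the hop nearest to us.
        candidate = _parse_ip(value.split(",")[-1])
        if candidate:
            return candidate
    # No usable header: fall back to the TCP connect IP.
    return str(peer)


if __name__ == "__main__":
    print(client_ip("4.4.4.4", SAMPLE_HEADERS))
```

This checks the immediate peer only: it relies on each hop overwriting its own header and on the load balancer and Varnish not being reachable except through the hop in front of them.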

