Ken Brownfield wrote:
> This is a far-ranging problem that isn't unique to Varnish or SSL. What is
> typical of CDNs, load-balancers, and proxies of all sorts is to set a header
> with the IP of the request *it* received. That header is then passed down
> and can be parsed by your upstream. X-Forwarded-For is the standard header
> for this, but the format and naming of this header can vary (no pun intended).
>
> You can imagine how fun it is to handle IPs for a client request that goes
> through a CDN's proxy/cache network, through your load-balancer, then
> Varnish, then the upstream web server:
>
> Client = 1.1.1.1
> CDN = 2.2.2.2
>     sets => CDN-Client-IP: 1.1.1.1
> LB (e.g., Pound) = 3.3.3.3
>     sets => LB-Client-IP: 2.2.2.2
> Varnish = 4.4.4.4
>     sets => X-Forwarded-For: 3.3.3.3
>
> Your upstream receives the request from 4.4.4.4 with the following headers:
>     CDN-Client-IP: 1.1.1.1
>     LB-Client-IP: 2.2.2.2
>     X-Forwarded-For: 3.3.3.3
>
> You'll care about the highest level one (CDN-Client-IP in this case),
> something like:
>
> IP = CDN-Client-IP or LB-Client-IP or X-Forwarded-For or <TCP connect IP>
>
> Hope it helps,

At least it would be consistent for both if Varnish were able to handle both and not have to go through another system. KISS applies here too. Every new program adds new bugs, new security holes and increases the maintenance work.

Squid does handle https: requests and so do all the other reverse proxies I know. Would make replacing Squid with Varnish a lot less painful.

I don't see the license problem. It should be optional. Use it when OpenSSL is there, leave it if not.

Regards
   Estartu

--
-------------------------------------------------
Gerhard Schmidt       | E-Mail: [email protected]
TU-München            |
WWW & Online Services |
Tel: 089/289-25270    |
Fax: 089/289-25257    | PGP public key on request
_______________________________________________ varnish-misc mailing list [email protected] http://lists.varnish-cache.org/mailman/listinfo/varnish-misc
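
The header precedence described in the quoted message, written out for the upstream web server as an added example that is not part of the original thread. It goes one step beyond the thread: the headers are only consulted when the TCP peer is a known proxy, and only the last X-Forwarded-For entry is used. `client_ip`, `TRUSTED_PEERS` and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Precedence from the thread: the outermost hop's header wins.
# CDN-Client-IP and LB-Client-IP are the thread's illustrative header names.
HEADER_PRECEDENCE = ("CDN-Client-IP", "LB-Client-IP", "X-Forwarded-For")

# Assumption: the addresses of our own Varnish instances (constructed value).
TRUSTED_PEERS = {ipaddress.ip_address("4.4.4.4")}


def _parse_ip(value):
    """Parse the last comma-separated entry of a header value, or None.

    A proxy that appends to a list puts its own observation last; earlier
    entries may have been supplied by the client.
    """
    last = value.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last)
    except ValueError:
        return None


def client_ip(headers, peer_ip, trusted_peers=TRUSTED_PEERS):
    """Resolve the client IP for a request whose TCP peer is peer_ip."""
    peer = ipaddress.ip_address(peer_ip)
    # Anyone connecting directly can send these headers, so they count
    # only when the connection comes from one of our own proxies.
    if peer not in trusted_peers:
        return str(peer)
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in HEADER_PRECEDENCE:
        value = lowered.get(name.lower())
        if value is None:
            continue
        ip = _parse_ip(value)
        if ip is not None:  # skip malformed values, try the next header
            return str(ip)
    return str(peer)  # <TCP connect IP> fallback


if __name__ == "__main__":
    # Constructed request matching the chain in the quoted message.
    sample = {"CDN-Client-IP": "1.1.1.1", "LB-Client-IP": "2.2.2.2",
              "X-Forwarded-For": "3.3.3.3"}
    print(client_ip(sample, "4.4.4.4"))
```

The precedence is only as reliable as each hop: a proxy that passes an incoming copy of its own header through instead of overwriting it lets the client choose the value.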
