I don't believe there's a trivial way to do this. Varnish will return the cached response to any IP address that comes calling. Even if the first request comes from a valid IP, which gets passed through via X-Forward or similar, and mod_auth is tweaked to respond to that, any subsequent request will not be seen by either apache or mod_auth at all.
You have a few options: 1) IP Whitelists are a rather poor means of authentication. Moving to something else might be prudent. But that's not easy. 2) There are probably VMODs that do something similar. If not and if the list of IPs isn't too long, you could limit the IPs in VCL rather than mod_auth. 3) Push the list of IP addresses that can connect to the external port down to IPTables or similar. 4) Push the list of IP addresses to external Firewall, or Security Group or whatever. On Thu, Mar 16, 2017 at 5:46 PM, Hernán Marsili <[email protected]> wrote: > Hi, > > We are having an issue with VARNISH and apache mod_auth. Varnish is on > port 80 serving users and Apache is the backend. > > We have servers restricting access only to authenticated users or certain > IP addresses. Since we installed Varnish the issue is that we need to > enable 127.0.0.1 as a permitted IP (required ip rule) so the Varnish can > fetch content. The problem, is that the real IP is not used and all the > other rules does not apply. > > Bottom line, how can we still control who is requesting using MOD_AUTH and > having Varnish? > > Regards > Hernán. > > _______________________________________________ > varnish-misc mailing list > [email protected] > https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc >
_______________________________________________ varnish-misc mailing list [email protected] https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
