Yeah, I'm looking into PROXY. We have up to two proxies in the way, the first that all traffic has to go through is a Cisco Ace we use for load balancing and SSL offloading, and the second is a CaddyServer that some traffic will go through for LetsEncrypt certificates. It's getting both of those set up to present similar data to the Varnish nodes that's the trick - we don't have direct control of the Cisco gear either. Both should be able to do it, I guess I just need to work out the wrinkles.
-- Mark

On 31 March 2017 at 10:59, Guillaume Quintard <[email protected]> wrote:

> Hi Mark, you need to use std.ip() from the std vmod.
>
> Also, I highly recommend using the PROXY protocol (Varnish, HAProxy and
> Nginx, at least support it), it will allow you to use client.ip directly
> and not bother with this.
>
> --
> Guillaume Quintard
>
> On Fri, Mar 31, 2017 at 11:44 AM, Mark Hanford <[email protected]>
> wrote:
>
>> Hi folks.
>>
>> Because my varnish nodes are behind two different proxies, I can't really
>> use client.ip within my VCL. What I have is a header "X-Real-Ip" instead,
>> which is populated automatically by one proxy, and by me derived from the
>> "X-Forwarded-For" for the other.
>>
>> What this means is that where I would usually use ACL to block access to
>> a resource:
>>
>>     if (req.http.host == "test.mydomain.com") {
>>         if (client.ip ~ trustedips) {
>>             # allow access
>>         } else {
>>             return (synth(405, "Not allowed"));
>>         }
>>     }
>>
>> But this doesn't work if I replace client.ip with a non-IP typed field.
>>
>> Message from VCC-compiler:
>> Expected CSTR got 'purgers'
>> (program line 1193), at
>> ('default.vcl' Line 339 Pos 34)
>> if (req.http.X-Real-Ip ~ trustedips) {
>> ---------------------------------##########---
>>
>> Is there any way I can get the same result as this but without using
>> client.ip?
>>
>> thanks,
>>
>> Mark
>>
>> _______________________________________________
>> varnish-misc mailing list
>> [email protected]
>> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
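Added example, not part of the original thread and not code from any poster: the ACL check from the question rewritten with std.ip() as suggested in the reply, for the case where PROXY protocol is not yet available. The backend, the `frontproxies` ACL and all addresses are constructed assumptions; the header name, host name and `trustedips` ACL name come from the thread.

```vcl
vcl 4.0;

import std;

# Assumed backend; host and port are placeholders.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

# Clients allowed to reach the restricted host (constructed sample ranges).
acl trustedips {
    "192.0.2.0"/24;
    "198.51.100.17";
}

# Assumption: the addresses the upstream proxies connect from (constructed).
# Only these peers are allowed to supply X-Real-Ip.
acl frontproxies {
    "203.0.113.10";
    "203.0.113.11";
}

sub vcl_recv {
    # client.ip is the TCP peer, i.e. the proxy in this topology. If the
    # peer is not one of our proxies, discard the header so the ACL decision
    # below never rests on a value the client wrote itself.
    if (client.ip !~ frontproxies) {
        unset req.http.X-Real-Ip;
    }

    if (req.http.host == "test.mydomain.com") {
        # std.ip() converts the STRING header to the IP type that ACL
        # matching requires. The second argument is the fallback used when
        # the header is missing or unparsable; 0.0.0.0 is not listed in
        # trustedips, so a bad or absent header is denied.
        if (std.ip(req.http.X-Real-Ip, "0.0.0.0") !~ trustedips) {
            return (synth(405, "Not allowed"));
        }
        # allow access
    }
}
```

Both proxies must overwrite, rather than append to, any X-Real-Ip value received from the client for this check to be meaningful.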
