Hello there ;)

I'm running varnish in front of my apache on port 80 without any issues so far.

Recently I decided to also use varnish for SSL connections

To do so I first do a http to https redirect within varnish VCL

if ( req.http.X-Forwarded-Proto !~ "(?i)https" ) {
    return (synth(750, ""));
}

then in vcl_synth()

sub vcl_synth {
    if (resp.status == 750) {
        set resp.status = 301;
        set resp.http.Location = "https://" + req.http.host + req.url;
        return (deliver);
    }
}

This works fine and all http got redirected to https

Then on port 443 I got apache listening as a reverse proxy with the following config:

<VirtualHost *:443>

    ServerName somedomain.com
    ServerAlias *.somedomain.org

    SSLEngine on

    ... ssl cert stuff here ...

    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:80/
    ProxyPassReverse / http://127.0.0.1:80/
    RequestHeader set X-Forwarded-Port "443"
    RequestHeader set X-Forwarded-Proto "https"

</VirtualHost>

Also this works perfectly fine! Apache does the SSL termination and then reverse proxies everything back to varnish on port 80

If I have a look in the apache ssl log:

[15/Aug/2017:02:03:41 +0200] 35.190.201.122 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /feed/ HTTP/1.1" - "http://domain.org/feed/" "Go-http-client/1.1"
[15/Aug/2017:02:03:41 +0200] 35.190.201.122 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /feed HTTP/1.1" 10513 "https://domain.org/feed/" "Go-http-client/1.1"

If I look in the varnishlog I see the following:

domain.org 35.190.201.122 - - [15/Aug/2017:02:03:41 +0200] "GET http://domain.org/feed/ HTTP/1.1" 301 0 "-" "Go-http-client/1.1"
domain.org 127.0.0.1 - - [15/Aug/2017:02:03:41 +0200] "GET http://domain.org/feed/ HTTP/1.1" 301 0 "http://domain.org/feed/" "Go-http-client/1.1"
domain.org 127.0.0.1 - - [15/Aug/2017:02:03:41 +0200] "GET http://domain.org/feed HTTP/1.1" 200 10513 "https://domain.org/feed/" "Go-http-client/1.1"

But in the process of Varnish -> Redirect http to https -> Apache Reverse Proxy -> Varnish I lose the client IP address in varnishlog.
It just says 127.0.0.1

How can I forward the client IP to varnishlog in this process?

I need to have the client IP in varnishlog as I use those to generate statistics about the website.

any help, hints or insights would be awesome ;)

Thanks & greetings
Becki


--
Beckspaced - Server Administration
------------------------------------------------
Ralf Flederer
Marienplatz 9
97353 Wiesentheid
Tel.: 09383-9033825
Mobil: 01577-7258912
Internet: www.beckspaced.com
------------------------------------------------

_______________________________________________
varnish-misc mailing list
varnish-misc@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
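
An added example, not part of the original post: a VCL fragment for the existing Varnish 4 configuration that recovers the TLS peer address from the X-Forwarded-For header Apache's mod_proxy appends, and trusts X-Forwarded-* headers only when the request arrives from the local Apache. The ACL name `tls_terminator`, the header `X-Client-IP` and the log key `client_ip` are hypothetical names chosen for this example, and it assumes Apache on loopback is the only proxy in front of Varnish.

```vcl
import std;

# Assumption: Apache on the same host is the only TLS terminator, so only
# loopback connections may carry trustworthy X-Forwarded-* headers.
acl tls_terminator {
    "127.0.0.1";
    "::1";
}

sub vcl_recv {
    if (client.ip ~ tls_terminator) {
        # Came through Apache on 443. Varnish has already appended its own
        # peer (127.0.0.1) to X-Forwarded-For; the entry before that was
        # appended by Apache's mod_proxy and is the TLS peer address.
        # Anything further to the left was sent by the client and is ignored.
        set req.http.X-Client-IP = regsub(req.http.X-Forwarded-For,
            "^(.*,)?\s*([^,\s]+)\s*,[^,]*$", "\2");
    } else {
        # Direct connection on port 80: every X-Forwarded-* header here was
        # supplied by the client, so drop them before they are evaluated.
        unset req.http.X-Forwarded-Proto;
        unset req.http.X-Forwarded-Port;
        set req.http.X-Forwarded-For = client.ip;
        set req.http.X-Client-IP = client.ip;
    }

    # Emit the resolved address as a VCL_Log record for varnishncsa.
    std.log("client_ip:" + req.http.X-Client-IP);

    # The redirect from the post, now evaluated on a sanitised header.
    if (req.http.X-Forwarded-Proto !~ "(?i)https") {
        return (synth(750, ""));
    }
}
```

In the varnishncsa format string, `%{VCL_Log:client_ip}x` in place of `%h` then logs the resolved address instead of 127.0.0.1.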
