Hi,

Not so sure about that. Let's assume the client address is 1.1.1.1. Two possible scenarios:

- The client request reaches the ALB without XFF. The ALB will inject XFF with value 1.1.1.1. Then Varnish will modify XFF adding the ALB's address (i.e., 1.1.1.1,<ALB IP>). Using the next-to-last IP you're using the right client address.

- The client request reaches the ALB with a forged XFF (e.g. 127.0.0.1). The ALB will modify XFF (i.e. 127.0.0.1,1.1.1.1). Varnish will do the same (i.e. 127.0.0.1,1.1.1.1,<ALB IP>). Using the next-to-last IP you're still using the right client address.

I've not checked using an ALB, but that should be the expected behaviour for me.

Best,

--
Carlos Abalde
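Added example, not part of the original message: a Python model of the two scenarios above that builds the X-Forwarded-For header hop by hop and then picks the next-to-last entry. The ALB address `10.0.0.5`, the function names, and the assumption that each proxy appends the address of its directly connected peer are constructed for illustration.

```python
import ipaddress

ALB_IP = "10.0.0.5"  # constructed placeholder for <ALB IP>

def proxy_append(xff, peer_ip):
    """Model a proxy that appends its directly connected peer to XFF (assumed behaviour)."""
    return f"{xff}, {peer_ip}" if xff else peer_ip

def through_alb_and_varnish(client_ip, client_supplied_xff=None):
    """Return XFF as seen after the ALB and then Varnish have each appended their peer."""
    at_alb = proxy_append(client_supplied_xff, client_ip)  # ALB sees the client
    return proxy_append(at_alb, ALB_IP)                    # Varnish sees the ALB

def client_from_xff(xff, trusted_hops=1):
    """Skip `trusted_hops` entries from the right and return the next one.

    Entries to the left of that position were supplied by the client and are
    never consulted. Returns None if the header is too short or the selected
    entry is not a valid IP address.
    """
    entries = [e.strip() for e in (xff or "").split(",") if e.strip()]
    if len(entries) <= trusted_hops:
        return None
    candidate = entries[-(trusted_hops + 1)]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None

def leftmost(xff):
    """Naive selection for comparison: the first entry, which the client controls."""
    return xff.split(",")[0].strip()

if __name__ == "__main__":
    for forged in (None, "127.0.0.1", "127.0.0.1, 8.8.8.8"):
        header = through_alb_and_varnish("1.1.1.1", forged)
        print(f"{header!r}: next-to-last={client_from_xff(header)} "
              f"leftmost={leftmost(header)}")
```

`trusted_hops` has to match the number of proxies that actually sit in front of the application; if a hop is added or removed, the selected position shifts.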
