Hi,

If I read this correctly: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html , you can trust the before-last IP, because it was added by the ALB, always. (And using vmod_str makes it easy to retrieve: https://github.com/varnish/varnish-modules/blob/master/src/vmod_str.vcc#L42)

Side question: would an NLB work? They support proxy-protocol, which would also solve your problem.

Cheers,

-- 
Guillaume Quintard

On Thu, Aug 19, 2021 at 1:52 PM Carlos Abalde <[email protected]> wrote:
> Hi,
>
> Not so sure about that. Let's assume the client address is 1.1.1.1. Two
> possible scenarios:
>
> - The client request reaches the ALB without XFF. The ALB will inject XFF
> with value 1.1.1.1. Then Varnish will modify XFF, adding the ALB's address
> (i.e., 1.1.1.1,<ALB IP>). Using the next-to-last IP you're using the right
> client address.
>
> - The client request reaches the ALB with a forged XFF (e.g. 127.0.0.1).
> The ALB will modify XFF (i.e. 127.0.0.1,1.1.1.1). Then Varnish will do
> the same (i.e. 127.0.0.1,1.1.1.1,<ALB IP>). Using the next-to-last IP
> you're still using the right client address.
>
> I've not checked using an ALB, but that should be the expected behaviour
> for me.
>
> Best,
>
> --
> Carlos Abalde
>
> _______________________________________________
> varnish-misc mailing list
> [email protected]
> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
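The two scenarios Carlos walks through, plus the one the thread does not spell out (a request that reaches Varnish without passing through the ALB), as an added example that is not part of the thread and not VCL: a small Python model of the header chain. The ALB address 10.0.0.5, the trusted network 10.0.0.0/24 and the client addresses are constructed for the example. It contrasts the positional "next-to-last" rule with the general form of the same idea, walking X-Forwarded-For from the right and skipping every address that belongs to a trusted proxy, which gives the same answer whenever the ALB is in the path and a safer one when it is not.

```python
import ipaddress

# Constructed for the example: the address Varnish sees in client.ip when the
# ALB connects, and the network the ALB nodes live in. In a real deployment this
# would be the ALB subnet CIDRs.
ALB_IP = "10.0.0.5"
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def alb_forward(client_ip, incoming_xff=None):
    """Model of the ALB: append the connecting client's address to XFF
    (or create the header if the client sent none)."""
    return f"{incoming_xff}, {client_ip}" if incoming_xff else client_ip


def varnish_xff(incoming_xff, peer_ip):
    """What X-Forwarded-For looks like by the time vcl_recv runs:
    Varnish appends client.ip (its direct peer) to whatever it received."""
    return f"{incoming_xff}, {peer_ip}" if incoming_xff else peer_ip


def split_xff(xff):
    return [p.strip() for p in xff.split(",") if p.strip()]


def next_to_last(xff):
    """The positional rule discussed in the thread: second address from the right."""
    parts = split_xff(xff)
    return parts[-2] if len(parts) >= 2 else parts[-1]


def is_trusted(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Garbage in a forged header is never a trusted proxy.
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def rightmost_untrusted(xff):
    """General form: walk from the right and skip trusted proxy addresses.
    The first address that is not one of our proxies is the best client guess."""
    for addr in reversed(split_xff(xff)):
        if not is_trusted(addr):
            return addr
    return None


def scenarios():
    """Return {name: (header_in_vcl_recv, next_to_last, rightmost_untrusted)}."""
    out = {}
    # 1. Honest client, no XFF sent.
    h = varnish_xff(alb_forward("1.1.1.1"), ALB_IP)
    out["honest"] = (h, next_to_last(h), rightmost_untrusted(h))
    # 2. Client forges XFF, request still goes through the ALB.
    h = varnish_xff(alb_forward("1.1.1.1", "127.0.0.1"), ALB_IP)
    out["forged"] = (h, next_to_last(h), rightmost_untrusted(h))
    # 3. Client forges XFF with the ALB's own address.
    h = varnish_xff(alb_forward("1.1.1.1", ALB_IP), ALB_IP)
    out["forged_alb"] = (h, next_to_last(h), rightmost_untrusted(h))
    # 4. Attacker 6.6.6.6 reaches Varnish directly, bypassing the ALB, with a
    #    forged header whose last entry mimics the ALB. Only the walk survives this.
    h = varnish_xff("1.2.3.4, 10.0.0.5", "6.6.6.6")
    out["bypass"] = (h, next_to_last(h), rightmost_untrusted(h))
    return out


if __name__ == "__main__":
    for name, (header, pos, walk) in scenarios().items():
        print(f"{name:11} XFF={header!r:40} next-to-last={pos:10} walk={walk}")
```

The positional rule is correct exactly as long as every request reaches Varnish through the ALB; the bypass row is the check worth keeping in mind when writing the VCL, and the reason to also restrict Varnish's listener to the ALB's security group.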
