I was just trying to get varnish-modules to build (having to install varnish 
and build tools on my dev manager server) and hit the limitation that vmod_str 
isn’t available until Varnish 6.6. I’m on Varnish 6.5 so I’d need to test the 
6.6 upgrade in dev and then roll that out to live, which will take some time 
(higher priority and urgency issues and projects on my plate). I’ll play with 
regsub() some more to see if I can figure out a temporary approach.

Thanks,
Justin
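A worked version of the next-to-last-IP rule discussed in the quoted thread below, and of the regsub() approach mentioned above, as an added example that is not code from the thread or from varnish-modules: it models what the ALB and Varnish core each append to X-Forwarded-For, extracts the entry the ALB saw as its peer, and adds the check a defender wants (the last hop must actually be the ALB, otherwise nothing in the header is trustworthy). The addresses 10.0.0.5 and 1.1.1.1 are constructed placeholders, and the VCL fragment in the comment is an assumed regsub() equivalent, not tested against a live Varnish.

```python
import re

# Constructed placeholder addresses for this example (not from the thread).
ALB_IP = "10.0.0.5"      # ALB node that connects to Varnish (client.ip in VCL)
CLIENT_IP = "1.1.1.1"    # the real client, as in Carlos's example

# Entries may be separated by "," (as written by the ALB) or ", " (as appended
# by Varnish core), so separators are matched with optional whitespace.
NEXT_TO_LAST_RE = re.compile(r"^(?:.*,)?\s*([^,\s]+)\s*,\s*([^,\s]+)\s*$")


def alb_forward(client_ip, incoming_xff=None):
    """Model the ALB: append the TCP peer address to any XFF the client sent."""
    return f"{incoming_xff},{client_ip}" if incoming_xff else client_ip


def varnish_append(xff, peer_ip):
    """Model Varnish core, which appends ', client.ip' before vcl_recv runs."""
    return f"{xff}, {peer_ip}" if xff else peer_ip


def trusted_client_ip(xff, trusted_last_hops=frozenset()):
    """Return the next-to-last XFF entry, i.e. the address the ALB saw.

    Returns None when fewer than two entries exist, or when trusted_last_hops
    is given and the last entry (the hop that connected to Varnish) is not in
    it: then the request bypassed the ALB and the header is attacker-supplied.
    """
    m = NEXT_TO_LAST_RE.match(xff or "")
    if not m:
        return None
    before_last, last = m.group(1), m.group(2)
    if trusted_last_hops and last not in trusted_last_hops:
        return None
    return before_last


# Assumed VCL equivalent of the extraction without vmod_str. regsub() returns
# its input unchanged when nothing matches, so test with ~ first:
#   if (req.http.X-Forwarded-For ~ "^(?:.*,)?\s*[^,\s]+\s*,\s*[^,\s]+\s*$") {
#     set req.http.X-Client-IP = regsub(req.http.X-Forwarded-For,
#         "^(?:.*,)?\s*([^,\s]+)\s*,\s*[^,\s]+\s*$", "\1");
#   }
```

Without the trusted-hop set, a request that reaches Varnish directly with a forged XFF yields the forged address, which is why the rule only holds when the ALB is the sole path to Varnish.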


From: varnish-misc <[email protected]> 
On Behalf Of Justin Lloyd
Sent: Thursday, August 19, 2021 2:39 PM
To: Guillaume Quintard <[email protected]>; Carlos Abalde 
<[email protected]>
Cc: [email protected]
Subject: RE: Varnish and AWS ALBs

Hi Guillaume!

It looks like you and Carlos are both correct. For some reason, before I was 
not seeing the Varnish XFF values from faked XFFs, not sure why, but now I’m 
seeing the fakes I’m using against one of my dev sites and I’m seeing the three 
values where it’s FAKED_IP, REAL_IP, ALB_IP. So with a little bit more VCL code 
(or probably easier once I move to Varnish Enterprise next year), I should be 
able to handle this. I’ll give it a whirl and see how it goes.

Thanks!

Justin


From: Guillaume Quintard 
<[email protected]>
Sent: Thursday, August 19, 2021 2:00 PM
To: Carlos Abalde <[email protected]>
Cc: Justin Lloyd <[email protected]>; [email protected]
Subject: Re: Varnish and AWS ALBs

Hi,

If I read this correctly:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html
, you can trust the before-last IP, because it was added by the ALB, always.
(And using vmod_str makes it easy to retrieve:
https://github.com/varnish/varnish-modules/blob/master/src/vmod_str.vcc#L42)

Side question: would an NLB work? They support proxy-protocol, that would also 
solve your problem.

Cheers,

--
Guillaume Quintard


On Thu, Aug 19, 2021 at 1:52 PM Carlos Abalde 
<[email protected]> wrote:
Hi,

Not so sure about that. Let's assume the client address is 1.1.1.1. Two possible 
scenarios:

- The client request reaches the ALB without XFF. The ALB will inject XFF with 
value 1.1.1.1. Then Varnish will modify XFF adding the ALB's address (i.e., 
1.1.1.1,<ALB IP>). Using the next-to-last IP you're using the right client 
address.

- The client request reaches the ALB with a forged XFF (e.g. 127.0.0.1). The 
ALB will modify XFF (i.e. 127.0.0.1,1.1.1.1). Then Varnish will do the same 
(i.e. 127.0.0.1,1.1.1.1,<ALB IP>). Using the next-to-last IP you're still using 
the right client address.

I've not checked using an ALB, but that should be the expected behaviour for me.

Best,

--
Carlos Abalde

_______________________________________________
varnish-misc mailing list
[email protected]
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc