This is a possible regsub() to extract the next-to-last IP address (it assumes
at least two are available):
set req.http.X-Client-Ip = regsub(
    req.http.X-Forwarded-For,
    "^.*(?:^|,)\s*([^,\s]+)\s*,[^,]+$",
    "\1");
Best,
--
Carlos Abalde
> On 20 Aug 2021, at 13:08, Justin Lloyd <[email protected]> wrote:
>
> I was just trying to get varnish-modules to build (having to install varnish
> and build tools on my dev manager server) and hit the limitation that
> vmod_str isn’t available until Varnish 6.6. I’m on Varnish 6.5 so I’d need to
> test the 6.6 upgrade in dev and then roll that out to live, which will take
> some time (higher priority and urgency issues and projects on my plate). I’ll
> play with regsub() some more to see if I can figure out a temporary approach.
>
> Thanks,
> Justin
>
>
> From: varnish-misc <[email protected]>
> On Behalf Of Justin Lloyd
> Sent: Thursday, August 19, 2021 2:39 PM
> To: Guillaume Quintard <[email protected]>; Carlos Abalde
> <[email protected]>
> Cc: [email protected]
> Subject: RE: Varnish and AWS ALBs
>
> Hi Guillaume!
>
> It looks like you and Carlos are both correct. For some reason, before I was
> not seeing the Varnish XFF values from faked XFFs, not sure why, but now I’m
> seeing the fakes I’m using against one of my dev sites and I’m seeing the
> three values where it’s FAKED_IP, REAL_IP, ALB_IP. So with a little bit more
> VCL code (or probably easier once I move to Varnish Enterprise next year), I
> should be able to handle this. I’ll give it a whirl and see how it goes.
>
> Thanks!
>
> Justin
>
>
> From: Guillaume Quintard <[email protected]>
> Sent: Thursday, August 19, 2021 2:00 PM
> To: Carlos Abalde <[email protected]>
> Cc: Justin Lloyd <[email protected]>; [email protected]
> Subject: Re: Varnish and AWS ALBs
>
> Hi,
>
> If I read this correctly:
> https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html
> you can trust the before-last IP, because it was added by the ALB, always.
> (and using vmod_str makes it easy to retrieve
> https://github.com/varnish/varnish-modules/blob/master/src/vmod_str.vcc#L42)
>
> Side question: would an NLB work? They support proxy-protocol, that would
> also solve your problem.
>
> Cheers,
>
> --
> Guillaume Quintard
>
>
> On Thu, Aug 19, 2021 at 1:52 PM Carlos Abalde <[email protected]> wrote:
> Hi,
>
> Not so sure about that. Let's assume the client address is 1.1.1.1. Two
> possible scenarios:
>
> - The client request reaches the ALB without XFF. The ALB will inject XFF
> with value 1.1.1.1. Then Varnish will modify XFF adding the ALB's address
> (i.e., 1.1.1.1,<ALB IP>). Using the next-to-last IP you're using the right
> client address.
>
> - The client request reaches the ALB with a forged XFF (e.g. 127.0.0.1). The
> ALB will modify XFF (i.e. 127.0.0.1,1.1.1.1). Then Varnish will do the
> same (i.e. 127.0.0.1,1.1.1.1,<ALB IP>). Using the next-to-last IP you're
> still using the right client address.
>
> I've not checked using an ALB, but that should be the expected behaviour for
> me.
>
> Best,
>
> --
> Carlos Abalde
>
> _______________________________________________
> varnish-misc mailing list
> [email protected]
> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
_______________________________________________
varnish-misc mailing list
[email protected]
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
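Worked example, added to this archive page; it is not code from any message in the thread or from the Varnish project. It runs the regsub() pattern from Carlos's reply through Python's re module (which accepts the same syntax, and like Varnish regsub() returns the input unchanged on no match) against the scenarios the thread discusses, and next to it implements the general rule the thread relies on: walk X-Forwarded-For from the right past the entries appended by trusted proxies, and refuse to trust the chain when the TCP peer Varnish appended as the last entry is not a known proxy. The ALB subnet 10.0.0.0/16, the function names and every address are constructed for illustration; the trusted_hops parameter generalizes the next-to-last rule to more than one trusted proxy in front of Varnish.

```python
import ipaddress
import re
from typing import List, Optional

# Hypothetical ALB subnet (an assumption for this example; use the subnets of
# the ALB's network interfaces in production). Varnish appends client.ip, the
# ALB address, as the last XFF entry, so that entry can be checked against it.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/16")]

# The regsub() pattern posted in the thread; Python's re accepts it unchanged.
# Like Varnish regsub(), re.sub returns the input unchanged when nothing matches.
NEXT_TO_LAST = re.compile(r"^.*(?:^|,)\s*([^,\s]+)\s*,[^,]+$")


def regsub_next_to_last(xff: str) -> str:
    """Mirror of regsub(req.http.X-Forwarded-For, <pattern>, "\\1")."""
    return NEXT_TO_LAST.sub(r"\1", xff)


def split_xff(xff: str) -> List[str]:
    """Split an XFF value into entries; tolerates ", " and "," separators."""
    return [e.strip() for e in xff.split(",") if e.strip()]


def is_trusted_proxy(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_from_xff(xff: str, trusted_hops: int = 1) -> Optional[str]:
    """Client address from XFF as Varnish sees it (ALB address already appended).

    The rightmost entry is the TCP peer; each trusted hop appended the entry to
    its left. With one trusted proxy (the ALB) the client is the next-to-last
    entry. Returns None when the chain cannot be trusted: too few entries, a
    hop that is not a known proxy (e.g. a request that bypassed the ALB), or a
    candidate that is not an IP address.
    """
    if trusted_hops < 1:
        raise ValueError("at least one trusted hop (the TCP peer) is required")
    entries = split_xff(xff)
    if len(entries) < trusted_hops + 1:
        return None
    # Every entry appended by our own infrastructure must be a known proxy.
    for hop in entries[-trusted_hops:]:
        if not is_trusted_proxy(hop):
            return None
    candidate = entries[-(trusted_hops + 1)]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return None
    return candidate


# Constructed scenarios: 1.1.1.1 is the real client, 10.0.1.5 the ALB.
SCENARIOS = {
    "no forged XFF":        "1.1.1.1, 10.0.1.5",
    "forged XFF":           "127.0.0.1, 1.1.1.1, 10.0.1.5",
    "forged, no spaces":    "127.0.0.1,1.1.1.1,10.0.1.5",
    "bypassed ALB, forged": "8.8.8.8, 9.9.9.9, 203.0.113.7",
    "bypassed ALB, single": "203.0.113.7",
}


def run_scenarios() -> dict:
    """Return {name: (regsub result, checked result)} for each scenario."""
    return {name: (regsub_next_to_last(x), client_ip_from_xff(x))
            for name, x in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (regsub_out, checked) in run_scenarios().items():
        print(f"{name:22s} regsub={regsub_out!r:16s} checked={checked!r}")
```

The two "bypassed ALB" rows are the caveat a practitioner wants: for a request that reaches Varnish without passing through the ALB, the regsub alone yields an attacker-chosen value ("9.9.9.9"), and for a single-entry header it leaves the header unchanged, so X-Client-Ip would carry whatever the peer sent. The checked version returns None in both cases because the last entry is not in the trusted range. In VCL the equivalent guard is to restrict Varnish's listener to the ALB (security group) and/or test client.ip against an ACL of the ALB subnets before applying the regsub. For a CDN in front of the ALB, trusted_hops=2 with the CDN ranges added to TRUSTED_PROXIES applies the same rule one entry further left.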