Nginx Not Showing Client IP and Varnish Not Forwarding Client IP

I came across a setup using numerous Varnish front end cache servers with one Nginx backend server.  All built on Ubuntu machines.  It appeared that Varnish was not forwarding the client IP to the backend server, which meant that the only records in the web server logs was the IP addresses of the Varnish Cache servers.

Nginx and Varnish were installed from the standard Ubuntu repositories but were not configured to talk nicely to one another.  The web masters only saw a handfull of IP addresses, and this wasn’t right.

I’m assuming you have a Varnish cache server already running and an Nginx backend.

Part 1 – Varnish Configuration

SSH onto your Varnish cache(s) as normal.

Edit the default Varnish configuration:

nano /etc/varnish/default.vcl

Find the configuration section called:

sub vcl_recv

The default.vcl file has the following commented out, if yours looks like this you don’t need to do anything:

#sub vcl_recv {
# if (req.restarts == 0) {
# if (req.http.x-forwarded-for) {
# set req.http.X-Forwarded-For =
# req.http.X-Forwarded-For + “, ” + client.ip;
# } else {
# set req.http.X-Forwarded-For = client.ip;
# }
# }
# if (req.request != “GET” &&
# req.request != “HEAD” &&
# req.request != “PUT” &&
# req.request != “POST” &&
# req.request != “TRACE” &&
# req.request != “OPTIONS” &&
# req.request != “DELETE”) {
# /* Non-RFC2616 or CONNECT which is weird. */
# return (pipe);
# }
# if (req.request != “GET” && req.request != “HEAD”) {
# /* We only deal with GET and HEAD by default */
# return (pass);
# }
# if (req.http.Authorization || req.http.Cookie) {
# /* Not cacheable by default */
# return (pass);
# }
# return (lookup);
# }

What we’re seeing is the HTTP headers that Varnish will forward to Nginx, so we are specifically interested in this bit:

# if (req.http.x-forwarded-for) {
# set req.http.X-Forwarded-For =
# req.http.X-Forwarded-For + “, ” + client.ip;

Thats tells us that Varnish is appending a standard HTTP header to the conversation, so all we need to do is tell Nginx to use that in the logs.  If you have anything different in there you’ll have to make a note of it to use for Nginx.

Part 2 – Nginx Configuration

Now we need to SSH onto our Nginx server.

Open up the main Nginx conf file like this:

nano /etc/nginx/nginx.conf

In the http { } section, add lines like the following:

set_real_ip_from [IP Address of Varnish Cache 1];
set_real_ip_from [IP Address of Varnish Cache 2];
real_ip_header [The HTTP Header Varnish Adds to the Conversation];

With the default installations on our Ubuntu boxes the configuration looks like this:

real_ip_header X-Forwarded-For;

[ctrl]+o to save, and [ctrl]+x to exit.

Now lets restart the Nginx server:

service nginx restart

Looking at the logs should now display the correct client IP.

Got something to say? Go for it!