I came across a setup using numerous Varnish front end cache servers with one Nginx backend server. All built on Ubuntu machines. It appeared that Varnish was not forwarding the client IP to the backend server, which meant that the only records in the web server logs was the IP addresses of the Varnish Cache servers.

Nginx and Varnish were installed from the standard Ubuntu repositories but were not configured to talk nicely to one another. The web masters only saw a handfull of IP addresses, and this wasn’t right.

I’m assuming you have a Varnish cache server already running and an Nginx backend.

Part 1 – Varnish Configuration

SSH onto your Varnish cache(s) as normal.

Edit the default Varnish configuration:

nano /etc/varnish/default.vcl

Find the configuration section called:

sub vcl_recv

The default.vcl file has the following commented out, if yours looks like this you don’t need to do anything:

#sub vcl_recv {
# if (req.restarts == 0) {
# if (req.http.x-forwarded-for) {
# set req.http.X-Forwarded-For =
# req.http.X-Forwarded-For + “, ” + client.ip;
# } else {
# set req.http.X-Forwarded-For = client.ip;
# }
# }
# if (req.request != “GET” &&
# req.request != “HEAD” &&
# req.request != “PUT” &&
# req.request != “POST” &&
# req.request != “TRACE” &&
# req.request != “OPTIONS” &&
# req.request != “DELETE”) {
# /* Non-RFC2616 or CONNECT which is weird. */
# return (pipe);
# }
# if (req.request != “GET” && req.request != “HEAD”) {
# /* We only deal with GET and HEAD by default */
# return (pass);
# }
# if (req.http.Authorization || req.http.Cookie) {
# /* Not cacheable by default */
# return (pass);
# }
# return (lookup);
# }

What we’re seeing is the HTTP headers that Varnish will forward to Nginx, so we are specifically interested in this bit:

…
# if (req.http.x-forwarded-for) {
# set req.http.X-Forwarded-For =
# req.http.X-Forwarded-For + “, ” + client.ip;
…

Thats tells us that Varnish is appending a standard HTTP header to the conversation, so all we need to do is tell Nginx to use that in the logs. If you have anything different in there you’ll have to make a note of it to use for Nginx.

Part 2 – Nginx Configuration

Now we need to SSH onto our Nginx server.

Open up the main Nginx conf file like this:

nano /etc/nginx/nginx.conf

In the http { } section, add lines like the following:

set_real_ip_from [IP Address of Varnish Cache 1];
set_real_ip_from [IP Address of Varnish Cache 2];
real_ip_header [The HTTP Header Varnish Adds to the Conversation];

With the default installations on our Ubuntu boxes the configuration looks like this:

set_real_ip_from 1.2.3.4;
set_real_ip_from 4.5.6.7;
real_ip_header X-Forwarded-For;

[ctrl]+o to save, and [ctrl]+x to exit.

Now lets restart the Nginx server:

service nginx restart

Looking at the logs should now display the correct client IP.

Nginx Not Showing Client IP and Varnish Not Forwarding Client IP

Part 1 – Varnish Configuration

Part 2 – Nginx Configuration

Related

Got something to say? Go for it!

Top 5 Deep Web Myths (and why it’s not as exciting as you think it is)

ISEB Business Analysis (BA) Revision Notes

What is xdecrypt.com?

How to Configure Windows 2012 NPS for Radius Authentication with Ubiquiti Unifi

IPSec VPN Host to Host on Ubuntu 14.04 with strongSwan

Enforcing Microsoft Office 365 and Azure Tennancy with McAfee Web Gateway (MWG)

Scanning Subnet for Issuing Certificate Authority with OpenSSL

How to Configure Windows 2012 NPS for Radius Authentication with Ubiquiti Unifi

Steam & Valve IP Ranges

Easy(ish) IPSec VPN with Shared ECDSA Certificates for Host to Host Connections

Nginx Not Showing Client IP and Varnish Not Forwarding Client IP

Part 1 – Varnish Configuration

Part 2 – Nginx Configuration

Share this:

Related

Got something to say? Go for it!

Tag Cloud