• Home
  • The Song
  • The Avatar
  • The Cat
  • Contact the Cat

Gyp the Cat dot Com

Nginx Not Showing Client IP and Varnish Not Forwarding Client IP
Computers, internet

Nginx Not Showing Client IP and Varnish Not Forwarding Client IP

I came across a setup using numerous Varnish front end cache servers with one Nginx backend server.  All built on Ubuntu machines.  It appeared that Varnish was not forwarding the client IP to the backend server, which meant that the only records in the web server logs was the IP addresses of the Varnish Cache servers.

Nginx and Varnish were installed from the standard Ubuntu repositories but were not configured to talk nicely to one another.  The web masters only saw a handfull of IP addresses, and this wasn’t right.

I’m assuming you have a Varnish cache server already running and an Nginx backend.

Part 1 – Varnish Configuration

SSH onto your Varnish cache(s) as normal.

Edit the default Varnish configuration:

nano /etc/varnish/default.vcl

Find the configuration section called:

sub vcl_recv

The default.vcl file has the following commented out, if yours looks like this you don’t need to do anything:

#sub vcl_recv {
# if (req.restarts == 0) {
# if (req.http.x-forwarded-for) {
# set req.http.X-Forwarded-For =
# req.http.X-Forwarded-For + “, ” + client.ip;
# } else {
# set req.http.X-Forwarded-For = client.ip;
# }
# }
# if (req.request != “GET” &&
# req.request != “HEAD” &&
# req.request != “PUT” &&
# req.request != “POST” &&
# req.request != “TRACE” &&
# req.request != “OPTIONS” &&
# req.request != “DELETE”) {
# /* Non-RFC2616 or CONNECT which is weird. */
# return (pipe);
# }
# if (req.request != “GET” && req.request != “HEAD”) {
# /* We only deal with GET and HEAD by default */
# return (pass);
# }
# if (req.http.Authorization || req.http.Cookie) {
# /* Not cacheable by default */
# return (pass);
# }
# return (lookup);
# }

What we’re seeing is the HTTP headers that Varnish will forward to Nginx, so we are specifically interested in this bit:

…
# if (req.http.x-forwarded-for) {
# set req.http.X-Forwarded-For =
# req.http.X-Forwarded-For + “, ” + client.ip;
…

Thats tells us that Varnish is appending a standard HTTP header to the conversation, so all we need to do is tell Nginx to use that in the logs.  If you have anything different in there you’ll have to make a note of it to use for Nginx.

Part 2 – Nginx Configuration

Now we need to SSH onto our Nginx server.

Open up the main Nginx conf file like this:

nano /etc/nginx/nginx.conf

In the http { } section, add lines like the following:

set_real_ip_from [IP Address of Varnish Cache 1];
set_real_ip_from [IP Address of Varnish Cache 2];
real_ip_header [The HTTP Header Varnish Adds to the Conversation];

With the default installations on our Ubuntu boxes the configuration looks like this:

set_real_ip_from 1.2.3.4;
set_real_ip_from 4.5.6.7;
real_ip_header X-Forwarded-For;

[ctrl]+o to save, and [ctrl]+x to exit.

Now lets restart the Nginx server:

service nginx restart

Looking at the logs should now display the correct client IP.

Related

Written by gyp - October 2, 2012 - 3147 Views
Tags | internet, nginx, ubuntu, varnish

You Might Also Like

A Tinyproxy Transparent Installation on Ubuntu 12.04 with HTTPS Support

October 8, 2012

Quick & Easy Nginx Load Balancer with Backend

September 16, 2013

How to Log BIND Queries on Ubuntu 12.10

September 14, 2012

No Comment

Please Post Your Comments & Reviews
Cancel reply

Your email address will not be published. Required fields are marked *

Previous Post
Next Post

Latest Posts

  • Monitoring Tor Usage in Azure Sentinel, ASC, MDATP and ALA
  • HTTP to HTTPS Redirect on Azure CDN
  • Strongswan IPSec (Including Cryptomap) to Microsoft Azure Virtual Network Gateway
  • Black Ops 3 NAT Type Strict & PS4 NAT Type 3 with pfSense Fixed!
  • Sorry for the lack of posts
  • How to Block Internet Access with Group Policy (GPO)
  • Enforcing Microsoft Office 365 and Azure Tennancy with McAfee Web Gateway (MWG)
  • Scanning Subnet for Issuing Certificate Authority with OpenSSL
  • How to Configure Windows 2012 NPS for Radius Authentication with Ubiquiti Unifi
  • Steam & Valve IP Ranges

Top Posts & Pages

  • IPSec VPN Host to Host on Ubuntu 14.04 with strongSwan
    IPSec VPN Host to Host on Ubuntu 14.04 with strongSwan
  • How to Configure Windows 2012 NPS for Radius Authentication with Ubiquiti Unifi
    How to Configure Windows 2012 NPS for Radius Authentication with Ubiquiti Unifi
  • How to Block Internet Access with Group Policy (GPO)
    How to Block Internet Access with Group Policy (GPO)
  • Tinyproxy A Quick and Easy Proxy Server on Ubuntu
    Tinyproxy A Quick and Easy Proxy Server on Ubuntu
  • ISEB Business Analysis (BA) Revision Notes
    ISEB Business Analysis (BA) Revision Notes
  • How to Log BIND Queries on Ubuntu 12.10
    How to Log BIND Queries on Ubuntu 12.10
  • Steam & Valve IP Ranges
    Steam & Valve IP Ranges
  • HTTP to HTTPS Redirect on Azure CDN
    HTTP to HTTPS Redirect on Azure CDN
  • Monitoring Tor Usage in Azure Sentinel, ASC, MDATP and ALA
    Monitoring Tor Usage in Azure Sentinel, ASC, MDATP and ALA

Tags

apache2 azure azure log analytics blops business centos cheating cissp cloudflare cryptography dns game google gyp internet iphone ipsec isc linux mac marketing microsoft mw2 mx mysql nginx pfsense postfix proxy ps3 qualification radius revision security seo smtp socks squid ssh strongswan tinyproxy ubuntu windows 2012 wordpress xdecrypt.com
Gyp the Cat dot Com

Some rights retained Gyp the Cat Dot Com