• Home
  • The Song
  • The Avatar
  • The Cat
  • Contact the Cat

Gyp the Cat dot Com

Nginx Not Showing Client IP and Varnish Not Forwarding Client IP
Computers, internet

Nginx Not Showing Client IP and Varnish Not Forwarding Client IP

I came across a setup using numerous Varnish front end cache servers with one Nginx backend server.  All built on Ubuntu machines.  It appeared that Varnish was not forwarding the client IP to the backend server, which meant that the only records in the web server logs was the IP addresses of the Varnish Cache servers.

Nginx and Varnish were installed from the standard Ubuntu repositories but were not configured to talk nicely to one another.  The web masters only saw a handfull of IP addresses, and this wasn’t right.

I’m assuming you have a Varnish cache server already running and an Nginx backend.

Part 1 – Varnish Configuration

SSH onto your Varnish cache(s) as normal.

Edit the default Varnish configuration:

nano /etc/varnish/default.vcl

Find the configuration section called:

sub vcl_recv

The default.vcl file has the following commented out, if yours looks like this you don’t need to do anything:

#sub vcl_recv {
# if (req.restarts == 0) {
# if (req.http.x-forwarded-for) {
# set req.http.X-Forwarded-For =
# req.http.X-Forwarded-For + “, ” + client.ip;
# } else {
# set req.http.X-Forwarded-For = client.ip;
# }
# }
# if (req.request != “GET” &&
# req.request != “HEAD” &&
# req.request != “PUT” &&
# req.request != “POST” &&
# req.request != “TRACE” &&
# req.request != “OPTIONS” &&
# req.request != “DELETE”) {
# /* Non-RFC2616 or CONNECT which is weird. */
# return (pipe);
# }
# if (req.request != “GET” && req.request != “HEAD”) {
# /* We only deal with GET and HEAD by default */
# return (pass);
# }
# if (req.http.Authorization || req.http.Cookie) {
# /* Not cacheable by default */
# return (pass);
# }
# return (lookup);
# }

What we’re seeing is the HTTP headers that Varnish will forward to Nginx, so we are specifically interested in this bit:

…
# if (req.http.x-forwarded-for) {
# set req.http.X-Forwarded-For =
# req.http.X-Forwarded-For + “, ” + client.ip;
…

Thats tells us that Varnish is appending a standard HTTP header to the conversation, so all we need to do is tell Nginx to use that in the logs.  If you have anything different in there you’ll have to make a note of it to use for Nginx.

Part 2 – Nginx Configuration

Now we need to SSH onto our Nginx server.

Open up the main Nginx conf file like this:

nano /etc/nginx/nginx.conf

In the http { } section, add lines like the following:

set_real_ip_from [IP Address of Varnish Cache 1];
set_real_ip_from [IP Address of Varnish Cache 2];
real_ip_header [The HTTP Header Varnish Adds to the Conversation];

With the default installations on our Ubuntu boxes the configuration looks like this:

set_real_ip_from 1.2.3.4;
set_real_ip_from 4.5.6.7;
real_ip_header X-Forwarded-For;

[ctrl]+o to save, and [ctrl]+x to exit.

Now lets restart the Nginx server:

service nginx restart

Looking at the logs should now display the correct client IP.

Related

Written by gyp - October 2, 2012 - 3405 Views
Tags | internet, nginx, ubuntu, varnish

You Might Also Like

Fail2ban

October 2, 2010

A God way to Change MX Records

October 4, 2010

Spammers Ignore MX Records

October 8, 2010

No Comment

Please Post Your Comments & Reviews
Cancel reply

Your email address will not be published. Required fields are marked *

Previous Post
Next Post

Latest Posts

  • Kusto Geolocation IP Lookup
  • Monitoring Tor Usage in Azure Sentinel, ASC, MDATP and ALA
  • HTTP to HTTPS Redirect on Azure CDN
  • Strongswan IPSec (Including Cryptomap) to Microsoft Azure Virtual Network Gateway
  • Black Ops 3 NAT Type Strict & PS4 NAT Type 3 with pfSense Fixed!
  • Sorry for the lack of posts
  • How to Block Internet Access with Group Policy (GPO)
  • Enforcing Microsoft Office 365 and Azure Tennancy with McAfee Web Gateway (MWG)
  • Scanning Subnet for Issuing Certificate Authority with OpenSSL
  • How to Configure Windows 2012 NPS for Radius Authentication with Ubiquiti Unifi

Top Posts & Pages

  • How to Block Internet Access with Group Policy (GPO)
    How to Block Internet Access with Group Policy (GPO)
  • IPSec VPN Host to Host on Ubuntu 14.04 with strongSwan
    IPSec VPN Host to Host on Ubuntu 14.04 with strongSwan
  • How to fix Mail Loops Back to Myself
    How to fix Mail Loops Back to Myself
  • ISEB Business Analysis (BA) Revision Notes
    ISEB Business Analysis (BA) Revision Notes
  • HTTP to HTTPS Redirect on Azure CDN
    HTTP to HTTPS Redirect on Azure CDN
  • How to Configure Windows 2012 NPS for Radius Authentication with Ubiquiti Unifi
    How to Configure Windows 2012 NPS for Radius Authentication with Ubiquiti Unifi
  • 3 Ethical Dilemma for Information Security Professionals
    3 Ethical Dilemma for Information Security Professionals
  • Why Does Lightening McQueen Stick His Tongue Out?
    Why Does Lightening McQueen Stick His Tongue Out?
  • Using SSH as a SOCKS VPN on Mac OS
    Using SSH as a SOCKS VPN on Mac OS
  • Black Ops 3 NAT Type Strict & PS4 NAT Type 3 with pfSense Fixed!
    Black Ops 3 NAT Type Strict & PS4 NAT Type 3 with pfSense Fixed!

Tags

apache2 azure azure log analytics blops business centos cheating cissp cloudflare cryptography dns game google gyp internet iphone ipsec isc linux mac marketing microsoft mw2 mx mysql nginx pfsense postfix proxy ps3 qualification radius revision security seo smtp socks squid ssh strongswan tinyproxy ubuntu windows 2012 wordpress xdecrypt.com
Gyp the Cat dot Com

Some rights retained Gyp the Cat Dot Com