Alex Sbille's personal blog on technology and my other interests.


Tag - reverse proxy


Monday 24 March 2014

Logging the IP address of visitors with Varnish 3 and Apache 2 as a backend

It is natural to find Varnish's public IP in the Apache logs, but in my context that is not acceptable from a security standpoint, so I need to configure Varnish 3 to pass req.http.X-Forwarded-For and Apache 2 to read it with mod_rpaf.

On a Debian-like system:

On the backend server

apt-get install libapache2-mod-rpaf
nano /etc/apache2/mods-enabled/rpaf.conf
<IfModule rpaf_module>
    RPAFenable On

    # When enabled, take the incoming X-Host header and
    # update the virtualhost settings accordingly:
    RPAFsethostname On

    # Define which IPs are your frontend proxies that send
    # the correct X-Forwarded-For headers:
    RPAFproxy_ips 5.39.38.60 127.0.0.1 ::1

    # Change the header name to parse from the default
    # X-Forwarded-For to something of your choice:
    RPAFheader X-Forwarded-For

</IfModule>
service apache2 reload

On the reverse proxy / Varnish server:

Insert right after the opening of sub vcl_recv:

if (req.restarts == 0) {
  if (req.http.X-Forwarded-For) {
    set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
  } else {
    set req.http.X-Forwarded-For = client.ip;
  }
}

Then reload the Varnish configuration and check the Apache 2 logs.
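As an added illustration (not code from the post or from mod_rpaf), here is a small Python model of both sides: what the vcl_recv snippet produces for the X-Forwarded-For header, and how a backend should pick the address to log, believing the header only when the peer is one of the proxies listed in RPAFproxy_ips and walking the chain from the right so that a forged X-Forwarded-For sent by the visitor is skipped. Apart from the page's 5.39.38.60, 127.0.0.1 and ::1, the addresses are constructed documentation values.

```python
import ipaddress

# Trusted proxies, matching the RPAFproxy_ips line in the page's rpaf.conf.
TRUSTED_PROXIES = frozenset(
    ipaddress.ip_address(a) for a in ("5.39.38.60", "127.0.0.1", "::1")
)


def varnish_xff(client_ip, incoming_xff=None, restarts=0):
    """Reproduce what the vcl_recv snippet does to X-Forwarded-For:
    on the first pass (req.restarts == 0) append client.ip to an existing
    header, otherwise create the header from client.ip. Returns the
    header value the backend will receive."""
    if restarts != 0:
        return incoming_xff
    if incoming_xff:
        return incoming_xff + ", " + client_ip
    return client_ip


def real_client_ip(peer_ip, xff, trusted=TRUSTED_PROXIES):
    """Pick the address to log. peer_ip is the TCP peer Apache actually
    talked to; xff is the X-Forwarded-For header it received (or None).
    The header is only believed when the peer is a trusted proxy, and the
    chain is walked right-to-left so that hops a visitor forged before
    Varnish appended client.ip are ignored."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted or not xff:
        return str(peer)
    try:
        hops = [ipaddress.ip_address(p.strip()) for p in xff.split(",")]
    except ValueError:
        return str(peer)  # malformed chain: fall back to the peer address
    for hop in reversed(hops):
        if hop not in trusted:
            return str(hop)
    return str(peer)  # every hop was one of our own proxies
```

A visitor who sends "X-Forwarded-For: 10.0.0.1" still gets logged as their own address, because Varnish appends client.ip last and the backend reads from the right; a request that reaches Apache directly from an untrusted peer is logged by its peer address regardless of the header.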


Logging the visitor's IP address in Apache 2 behind a Varnish 3 reverse proxy

Varnish, like any reverse proxy, will naturally leave its own IP address in the backend's logs, here Apache. In my case, in a security context, the reverse proxy must use req.http.X-Forwarded-For to tell the backend the client's IP address.

On a Debian-like system:

On the backend server

apt-get install libapache2-mod-rpaf
nano /etc/apache2/mods-enabled/rpaf.conf
<IfModule rpaf_module>
    RPAFenable On

    # When enabled, take the incoming X-Host header and
    # update the virtualhost settings accordingly:
    RPAFsethostname On

    # Define which IPs are your frontend proxies that send
    # the correct X-Forwarded-For headers:
    RPAFproxy_ips 5.39.38.60 127.0.0.1 ::1

    # Change the header name to parse from the default
    # X-Forwarded-For to something of your choice:
    RPAFheader X-Forwarded-For

</IfModule>
service apache2 reload

On the reverse proxy / Varnish:

Insert right after the opening of sub vcl_recv:

if (req.restarts == 0) {
  if (req.http.X-Forwarded-For) {
    set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
  } else {
    set req.http.X-Forwarded-For = client.ip;
  }
}

Followed by a reload of the configuration.
