diff --git a/doc/varnish/vcl/varnish3.vcl b/doc/varnish/vcl/varnish3.vcl index 718c26ea75..b7579bfe78 100644 --- a/doc/varnish/vcl/varnish3.vcl +++ b/doc/varnish/vcl/varnish3.vcl @@ -20,6 +20,12 @@ acl debuggers { "192.168.0.0"/16; } +// ACL for the proxies in front of Varnish (e.g. Nginx terminating https) +acl proxies { + "127.0.0.1"; + "192.168.0.0"/16; +} + // Called at the beginning of a request, after the complete request has been received sub vcl_recv { @@ -31,11 +37,15 @@ sub vcl_recv { // Add a unique header containing the client address (only for master request) // Please note that /_fragment URI can change in Symfony configuration - if (!req.url ~ "^/_fragment") { - if (req.http.x-forwarded-for) { - set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip; + // Take care of requests getting 'restarted' because of the user-hash lookup + if (req.url !~ "^/_fragment" && req.restarts == 0) { + // Only accept the x-forwarded-for header if the remote-proxy is trusted + // Also we add our ip to the list of forwarders, as it is logged by Apache by default, e.g. + // ip-client, ip-nginx, ip-varnish - - [17/Feb/2016:10:55:08 +0000] "GET /setup/info/php HTTP/1.1" 200 ... + if (req.http.x-forwarded-for && client.ip ~ proxies) { + set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + server.ip; } else { - set req.http.X-Forwarded-For = client.ip; + set req.http.X-Forwarded-For = "" + client.ip + ", " + server.ip; } } @@ -213,7 +223,7 @@ sub vcl_deliver { // Sanity check to prevent ever exposing the hash to a client. unset resp.http.x-user-hash; - if (client.ip ~ debuggers) { + if ((client.ip ~ debuggers) || (client.ip ~ proxies && std.ip(regsub(req.http.X-Forwarded-For, "^(([0-9]{1,3}\.){3}[0-9]{1,3}),(.*)$", "\1"), "0.0.0.0") ~ debuggers)) { if (obj.hits > 0) { set resp.http.X-Cache = "HIT"; set resp.http.X-Cache-Hits = obj.hits; diff --git a/doc/varnish/vcl/varnish4.vcl b/doc/varnish/vcl/varnish4.vcl index 8d743b6563..1c01c80937 100644 --- a/doc/varnish/vcl/varnish4.vcl +++ b/doc/varnish/vcl/varnish4.vcl @@ -22,6 +22,12 @@ acl debuggers { "192.168.0.0"/16; } +// ACL for the proxies in front of Varnish (e.g. Nginx terminating https) +acl proxies { + "127.0.0.1"; + "192.168.0.0"/16; +} + // Called at the beginning of a request, after the complete request has been received sub vcl_recv { @@ -33,11 +39,15 @@ sub vcl_recv { // Add a unique header containing the client address (only for master request) // Please note that /_fragment URI can change in Symfony configuration - if (!req.url ~ "^/_fragment") { - if (req.http.x-forwarded-for) { - set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip; + // Take care of requests getting 'restarted' because of the user-hash lookup + if (req.url !~ "^/_fragment" && req.restarts == 0) { + // Only accept the x-forwarded-for header if the remote-proxy is trusted + // Also we add our ip to the list of forwarders, as it is logged by Apache by default, e.g. + // ip-client, ip-nginx, ip-varnish - - [17/Feb/2016:10:55:08 +0000] "GET /setup/info/php HTTP/1.1" 200 ... + if (req.http.x-forwarded-for && client.ip ~ proxies) { + set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + server.ip; } else { - set req.http.X-Forwarded-For = client.ip; + set req.http.X-Forwarded-For = "" + client.ip + ", " + server.ip; } } @@ -209,7 +219,7 @@ sub vcl_deliver { // Sanity check to prevent ever exposing the hash to a client. unset resp.http.x-user-hash; - if (client.ip ~ debuggers) { + if ((client.ip ~ debuggers) || (client.ip ~ proxies && std.ip(regsub(req.http.X-Forwarded-For, "^(([0-9]{1,3}\.){3}[0-9]{1,3}),(.*)$", "\1"), "0.0.0.0") ~ debuggers)) { if (obj.hits > 0) { set resp.http.X-Cache = "HIT"; set resp.http.X-Cache-Hits = obj.hits;