Fix EZP-25479: better support for nginx in front of varnish

doc/varnish/vcl/varnish3.vcl

@@ -20,6 +20,12 @@ acl debuggers {
     "192.168.0.0"/16;
 }
 
+// ACL for the proxies in front of Varnish (e.g. Nginx terminating https)
+acl proxies {
+    "127.0.0.1";
+    "192.168.0.0"/16;
+}
+
 // Called at the beginning of a request, after the complete request has been received
 sub vcl_recv {
 
@@ -31,11 +37,15 @@ sub vcl_recv {
 
     // Add a unique header containing the client address (only for master request)
     // Please note that /_fragment URI can change in Symfony configuration
-    if (!req.url ~ "^/_fragment") {
-        if (req.http.x-forwarded-for) {
-            set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
+    // Take care of requests getting 'restarted' because of the user-hash lookup
+    if (req.url !~ "^/_fragment" && req.restarts == 0) {
+        // Only accept the x-forwarded-for header if the remote-proxy is trusted
+        // Also we add our ip to the list of forwarders, as it is logged by Apache by default, e.g.
+        // ip-client, ip-nginx, ip-varnish - - [17/Feb/2016:10:55:08 +0000] "GET /setup/info/php HTTP/1.1" 200 ...
+        if (req.http.x-forwarded-for && client.ip ~ proxies) {
+            set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + server.ip;
         } else {
-            set req.http.X-Forwarded-For = client.ip;
+            set req.http.X-Forwarded-For = "" + client.ip + ", " + server.ip;
         }
     }
 
@@ -213,7 +223,7 @@ sub vcl_deliver {
     // Sanity check to prevent ever exposing the hash to a client.
     unset resp.http.x-user-hash;
 
-    if (client.ip ~ debuggers) {
+    if ((client.ip ~ debuggers) || (client.ip ~ proxies && std.ip(regsub(req.http.X-Forwarded-For, "^(([0-9]{1,3}\.){3}[0-9]{1,3}),(.*)$", "\1"), "0.0.0.0") ~ debuggers)) {
         if (obj.hits > 0) {
             set resp.http.X-Cache = "HIT";
             set resp.http.X-Cache-Hits = obj.hits;

doc/varnish/vcl/varnish4.vcl

@@ -22,6 +22,12 @@ acl debuggers {
     "192.168.0.0"/16;
 }
 
+// ACL for the proxies in front of Varnish (e.g. Nginx terminating https)
+acl proxies {
+    "127.0.0.1";
+    "192.168.0.0"/16;
+}
+
 // Called at the beginning of a request, after the complete request has been received
 sub vcl_recv {
 
@@ -33,11 +39,15 @@ sub vcl_recv {
 
     // Add a unique header containing the client address (only for master request)
     // Please note that /_fragment URI can change in Symfony configuration
-    if (!req.url ~ "^/_fragment") {
-        if (req.http.x-forwarded-for) {
-            set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
+    // Take care of requests getting 'restarted' because of the user-hash lookup
+    if (req.url !~ "^/_fragment" && req.restarts == 0) {
+        // Only accept the x-forwarded-for header if the remote-proxy is trusted
+        // Also we add our ip to the list of forwarders, as it is logged by Apache by default, e.g.
+        // ip-client, ip-nginx, ip-varnish - - [17/Feb/2016:10:55:08 +0000] "GET /setup/info/php HTTP/1.1" 200 ...
+        if (req.http.x-forwarded-for && client.ip ~ proxies) {
+            set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + server.ip;
         } else {
-            set req.http.X-Forwarded-For = client.ip;
+            set req.http.X-Forwarded-For = "" + client.ip + ", " + server.ip;
         }
     }
 
@@ -209,7 +219,7 @@ sub vcl_deliver {
     // Sanity check to prevent ever exposing the hash to a client.
     unset resp.http.x-user-hash;
 
-    if (client.ip ~ debuggers) {
+    if ((client.ip ~ debuggers) || (client.ip ~ proxies && std.ip(regsub(req.http.X-Forwarded-For, "^(([0-9]{1,3}\.){3}[0-9]{1,3}),(.*)$", "\1"), "0.0.0.0") ~ debuggers)) {
         if (obj.hits > 0) {
             set resp.http.X-Cache = "HIT";
             set resp.http.X-Cache-Hits = obj.hits;