
r.egglestone at auckland
Aug 5, 2013, 3:13 PM
Post #2 of 4
Re: Change client.ip based on x-forwarded-for headers?
Hi Stephen,

The configuration from here can do that:
http://zcentric.com/tag/header/

    C{
      #include <netinet/in.h>
      #include <string.h>
      #include <sys/socket.h>
      #include <arpa/inet.h>
    }C

    acl vpn {
      "192.168.0.0"/16;
    }

    sub vcl_recv {
      C{
        //
        // This is a hack from Igor Gariev (gariev hotmail com):
        // Copy IP address from "X-Forwarded-For" header
        // into Varnish's client_ip structure.
        // This works with Varnish 3.0.1; test with other versions
        //
        // Trusted "X-Forwarded-For" header is a must!
        // No commas are allowed. If your load balancer sends something other
        // than a single IP, then use a regsub() to fix it.
        //
        struct sockaddr_storage *client_ip_ss = VRT_r_client_ip(sp);
        struct sockaddr_in *client_ip_si = (struct sockaddr_in *) client_ip_ss;
        struct in_addr *client_ip_ia = &(client_ip_si->sin_addr);
        char *xff_ip = VRT_GetHdr(sp, HDR_REQ, "\020X-Forwarded-For:");

        if (xff_ip != NULL) {
          // Copy the ip address into the struct's sin_addr.
          inet_pton(AF_INET, xff_ip, client_ip_ia);
        }
      }C

      if (client.ip ~ vpn) {
        # do something here
      }
      return(pass);
    }

Kind regards,
Robert Egglestone | Application Engineering Team Lead | The University of Auckland
r.egglestone [at] auckland | ext: 84624 | m: +64 21 240 8992 | Level 2, 58 Symonds St, Auckland, NZ

On 6/08/2013, at 9:05 AM, Stephen Wood <smwood4 [at] gmail> wrote:

> Is there a way to change client.ip?
>
> For example, I would like to set up an ACL to block certain IPs, but since the instances are behind a load balancer the only thing I have to work with is the x-forwarded-for header. I've tried something like this:
>
>     sub vcl_recv {
>       if (req.http.X-Forwarded-For) {
>         set client.ip = req.http.X-Forwarded-For;
>       }
>     }
>
> But of course that kind of thing doesn't compile.
>
> Can someone please advise me on this issue or the broader question about implementing ACLs via x-forwarded-for headers for those of us stuck behind another load balancer?
> _______________________________________________
> varnish-misc mailing list
> varnish-misc [at] varnish-cache
> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
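
Added example (not from the original post or the configuration it quotes): a stricter C version of the copy step, which checks that the socket is IPv4, takes only the last X-Forwarded-For entry, and leaves the address untouched when parsing fails. The names xff_to_client_ip and demo_client_ip, the 10.0.0.1 load balancer address and the sample header values are constructed for illustration, and it assumes a single trusted load balancer directly in front of Varnish that appends the connecting address.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper, not a Varnish API. Copies the LAST X-Forwarded-For
 * entry (the one appended by the directly connected, trusted load balancer)
 * into an IPv4 sockaddr. Returns 0 on success, -1 if *ss was left untouched. */
int xff_to_client_ip(const char *xff, struct sockaddr_storage *ss)
{
    struct in_addr parsed;
    char buf[INET_ADDRSTRLEN];
    const char *start, *end;
    size_t len;
    /* The sockaddr_in cast is only valid for an IPv4 socket. */
    if (xff == NULL || ss == NULL || ss->ss_family != AF_INET)
        return -1;
    /* Entries left of the last comma were supplied by the client. */
    start = strrchr(xff, ',');
    start = (start != NULL) ? start + 1 : xff;
    while (*start == ' ' || *start == '\t')
        start++;
    end = start + strlen(start);
    while (end > start && (end[-1] == ' ' || end[-1] == '\t'))
        end--;
    len = (size_t)(end - start);
    if (len == 0 || len >= sizeof(buf))
        return -1;
    memcpy(buf, start, len);
    buf[len] = '\0';
    /* Parse into a temporary so a malformed value never reaches *ss. */
    if (inet_pton(AF_INET, buf, &parsed) != 1)
        return -1;
    ((struct sockaddr_in *)ss)->sin_addr = parsed;
    return 0;
}

/* Demo driver: start from a constructed load balancer address (10.0.0.1). */
const char *demo_client_ip(const char *xff)
{
    static char out[INET_ADDRSTRLEN];
    struct sockaddr_storage ss;
    struct sockaddr_in *si = (struct sockaddr_in *)&ss;
    memset(&ss, 0, sizeof(ss));
    ss.ss_family = AF_INET;
    inet_pton(AF_INET, "10.0.0.1", &si->sin_addr);
    xff_to_client_ip(xff, &ss);
    return inet_ntop(AF_INET, &si->sin_addr, out, sizeof(out));
}
```

In the inline C block the same checks would sit between VRT_GetHdr() and the write to client_ip, so an ACL match is only ever made against an address that parsed cleanly.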