Configuring X-Forwarded-For headers with Apache and Varnish

Hi!

This site is using WordPress with Varnish. I’ve just looked at the logs and, as it turns out, my access logs are next to useless: Varnish Cache acts as a proxy, so all requests for content appear to come from localhost. However, all is not lost.

Varnish Cache can be configured to use a special X-Forwarded-For header. This header is specifically for this purpose.

In the Varnish default.vcl file, you’re going to want to put the following under “sub vcl_recv”:

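if (req.restarts == 0) {
    # Append the connecting client's IP to any X-Forwarded-For already on the request
    if (req.http.X-Forwarded-For) {
        set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
    } else {
        # No header yet: start one with the client's IP
        set req.http.X-Forwarded-For = client.ip;
    }
}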

In short, this snippet adds the client IP address to the request’s X-Forwarded-For header, appending it if the header is already present. You can then modify Apache’s logging configuration to display this rather than the frankly useless 127.0.0.1 localhost…

In my case I’m going to use the Apache module “remoteip”, as this will be far cleaner than faffing around with modifying the verbose logging.

Now the logging section of my apache config looks something like:
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1/8

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
#LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

From the default, I’ve added:
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1/8

This is the configuration for the “remoteip” module. It states that the header “X-Forwarded-For” will contain the IP address of the client, and that the IP address of the proxy is 127.0.0.1.
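How this configuration treats the header Varnish builds, as an added example (not from the original post and not Apache's code): a simplified Python model of the right-to-left processing described in the mod_remoteip documentation, run over a constructed request in which the client forged its own X-Forwarded-For entry. The function names and sample addresses are assumptions.

```python
import ipaddress

# Assumption: mirrors "RemoteIPInternalProxy 127.0.0.1/8" from the config above.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/8", strict=False)]


def is_trusted(addr):
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client(peer, xff):
    """Simplified right-to-left walk: return (client_ip, unconfirmed_entries)."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    client = peer
    # Only a trusted hop may vouch for the entry to its left.
    while hops and is_trusted(client):
        try:
            ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # unparsable entry: stop, keep what is confirmed so far
        client = hops.pop()
    return client, hops


def naive_leftmost(peer, xff):
    """What a log parser gets if it blindly trusts the first XFF entry."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    return hops[0] if hops else peer


# Constructed sample: client 203.0.113.7 sent a forged "X-Forwarded-For: 10.9.9.9";
# the VCL above appended client.ip before passing the request to Apache.
SPOOFED = "10.9.9.9, 203.0.113.7"

if __name__ == "__main__":
    print(resolve_client("127.0.0.1", SPOOFED))       # request arrived via Varnish
    print(naive_leftmost("127.0.0.1", SPOOFED))       # leftmost entry is client-controlled
    print(resolve_client("198.51.100.5", "1.2.3.4"))  # peer is not a trusted proxy
```

The forged entry is never logged as the client because only the trusted proxy's own appended value is accepted; a request that reaches Apache without passing through Varnish has its header ignored entirely.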

The other piece of configuration I’ve changed is from:
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
to:
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

The change from %h to %a is from “Remote host” to “Remote IP”.

After implementing these changes, my logs have gone from this:
127.0.0.1 - - [24/Dec/2015:00:39:14 +0000] "GET / HTTP/1.1" 200 5028 "-" "Rackspace Monitoring/1.1 (https://monitoring.api.rackspacecloud.com)"
127.0.0.1 - - [24/Dec/2015:00:41:41 +0000] "GET / HTTP/1.1" 200 5028 "-" "Rackspace Monitoring/1.1 (https://monitoring.api.rackspacecloud.com)"
127.0.0.1 - - [24/Dec/2015:00:42:34 +0000] "GET / HTTP/1.1" 200 6501 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9"

to this:

50.56.142.170 - - [24/Dec/2015:01:07:14 +0000] "GET / HTTP/1.1" 200 5028 "-" "Rackspace Monitoring/1.1 (https://monitoring.api.rackspacecloud.com)"
50.57.61.21 - - [24/Dec/2015:01:09:41 +0000] "GET / HTTP/1.1" 200 5028 "-" "Rackspace Monitoring/1.1 (https://monitoring.api.rackspacecloud.com)"
109.*.22.* - - [24/Dec/2015:01:11:30 +0000] "GET / HTTP/1.1" 200 6501 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9"
109.*.22.* - - [24/Dec/2015:01:11:31 +0000] "GET /wp-content/themes/twentysixteen/genericons/Genericons.svg HTTP/1.1" 304 126 "http://damiennugent.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9"

IP Addresses modified to protect the innocent… i.e. me haha.

So to Summarise:

  1. Ensure you have the X-Forwarded-For header enabled in your Varnish Configuration file, as above.
  2. Use the Apache Module “remoteip”
  3. In the Apache configuration file, configure remoteip with:
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 127.0.0.1/8
  4. Update the logging configuration to point to the remote IP header as opposed to the remote host.

This may work with Rackspace Cloud load balancers; however, I haven’t confirmed this yet. Expect an update.

-Damien
