varnish with ssl

Ken Brownfield kb+varnish at slide.com
Wed Apr 7 19:47:22 CEST 2010


This is a far-ranging problem that isn't unique to Varnish or SSL.  What is typical of CDNs, load-balancers, and proxies of all sorts is to set a header with the IP of the request *it* received.  That header is then passed down and can be parsed by your upstream.  X-Forwarded-For is the standard header for this, but the format and naming of this header can vary (no pun intended).

You can imagine how fun it is to handle IPs for a client request that goes through a CDN's proxy/cache network, through your load-balancer, then Varnish, then the upstream web server:

Client = 1.1.1.1
CDN = 2.2.2.2
	sets => CDN-Client-IP: 1.1.1.1
LB (e.g., Pound) = 3.3.3.3
	sets => LB-Client-IP: 2.2.2.2
Varnish = 4.4.4.4
	sets => X-Forwarded-For: 3.3.3.3

Your upstream receives the request from 4.4.4.4 with the following headers:
	CDN-Client-IP: 1.1.1.1
	LB-Client-IP: 2.2.2.2
	X-Forwarded-For: 3.3.3.3

You'll care about the highest level one (CDN-Client-IP in this case), something like:

	IP = CDN-Client-IP or LB-Client-IP or X-Forwarded-For or <TCP connect IP>

Hope it helps,
-- 
kb

PS: The Pound suggestion is good -- probably a cleaner solution than stunnel given that we're talking HTTP(S).

On Apr 7, 2010, at 5:47 AM, Gerhard Schmidt wrote:

> Hi,
> 
> I've a problem using varnish and ssl. I'm trying to set up varnish to act as
> reverse proxy for our website.
> 
> I need both unencrypted requests and requests via ssl.
> 
> I know that varnish can not accept ssl connections itself. So I tried to set up
> stunnel to accept connections. That's not the problem. The problem I have is
> that I lose information from which IP the request originated.
> 
> Are there plans to include ssl in varnish directly, or is there a setup to
> retain this information?
> 
> Regards
> 	Estartu
> 
> -- 
> ----------------------------------------------------------
> Gerhard Schmidt                | E-Mail: schmidt at ze.tum.de
> Technische Universität München |
> WWW & Online Services          |
> Tel: +49 89 289-25270          | PGP-PublicKey
> Fax: +49 89 289-25257          | on request
> 
> _______________________________________________
> varnish-misc mailing list
> varnish-misc at varnish-cache.org
> http://lists.varnish-cache.org/mailman/listinfo/varnish-misc
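The header precedence Ken sketches ("CDN-Client-IP or LB-Client-IP or X-Forwarded-For or <TCP connect IP>") as an added, runnable example that is not part of either poster's message. It uses the sample addresses from the reply above and adds the check a practitioner would want on the upstream: the headers are only consulted when the TCP peer is one of your own proxies, since a client connecting directly can set any of them itself. The TRUSTED_PROXIES set and the header names are assumptions for this example.

```python
import ipaddress

# Constructed sample topology, using the addresses from the reply above.
# Only connections arriving from these peers may carry a trustworthy client-IP header.
TRUSTED_PROXIES = frozenset({"2.2.2.2", "3.3.3.3", "4.4.4.4"})

# Precedence from the reply: the outermost hop's header wins, the TCP peer is the fallback.
CLIENT_IP_HEADERS = ("CDN-Client-IP", "LB-Client-IP", "X-Forwarded-For")


def _parse_ip(value):
    """Return a canonical IP string, or None if the value is not a valid address."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def client_ip(peer_ip, headers):
    """Resolve the originating client IP for one request.

    peer_ip: the TCP source address the upstream actually accepted the connection from.
    headers: mapping of request header names to values (names matched case-insensitively).
    """
    peer = _parse_ip(peer_ip)
    if peer is None:
        raise ValueError("peer_ip must be a valid IP address: %r" % (peer_ip,))
    # A direct client can forge any of these headers, so they are only honoured
    # when the immediate peer is one of our own proxies.
    if peer not in TRUSTED_PROXIES:
        return peer
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in CLIENT_IP_HEADERS:
        value = lowered.get(name.lower())
        if not value:
            continue
        # X-Forwarded-For may be a comma-separated chain; the leftmost entry is the
        # address the first proxy saw, which is what the reply's precedence wants.
        candidate = _parse_ip(value.split(",")[0])
        if candidate is not None:
            return candidate
    # No usable header: fall back to the TCP connect IP, the reply's last "or".
    return peer


if __name__ == "__main__":
    sample = {"CDN-Client-IP": "1.1.1.1", "LB-Client-IP": "2.2.2.2",
              "X-Forwarded-For": "3.3.3.3"}
    print(client_ip("4.4.4.4", sample))  # 1.1.1.1
```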
