<html><head><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hi Stephen,<div><br></div><div>The configuration from here can do that:</div><div><a href="http://zcentric.com/tag/header/">http://zcentric.com/tag/header/</a></div><div><br></div><div><br></div><div><div>C{</div><div>#include <netinet/in.h></div><div>#include <string.h></div><div>#include <sys/socket.h></div><div>#include <arpa/inet.h></div><div>}C</div><div><br></div><div>acl vpn {</div><div> "192.168.0.0"/16;</div><div>}</div><div><br></div><div>sub vcl_recv {</div><div><br></div><div>C{</div><div>//</div><div>// This is a hack from Igor Gariev (gariev hotmail com):</div><div>// Copy IP address from "X-Forwarded-For" header</div><div>// into Varnish's client_ip structure.</div><div>// This works with Varnish 3.0.1; test with other versions</div><div>//</div><div>// Trusted "X-Forwarded-For" header is a must!</div><div>// No commas are allowed. If your load balancer something other</div><div>// than a single IP, then use a regsub() to fix it.</div><div>//</div><div>struct sockaddr_storage *client_ip_ss = VRT_r_client_ip(sp);</div><div>struct sockaddr_in *client_ip_si = (struct sockaddr_in *) client_ip_ss;</div><div>struct in_addr *client_ip_ia = &(client_ip_si->sin_addr);</div><div>char *xff_ip = VRT_GetHdr(sp, HDR_REQ, "\020X-Forwarded-For:");</div><div><br></div><div>if (xff_ip != NULL) {</div><div>// Copy the ip address into the struct's sin_addr.</div><div>inet_pton(AF_INET, xff_ip, client_ip_ia);</div><div>}</div><div>}C</div><div><br></div><div> if (client.ip ~ vpn) {</div><div> # do something here</div><div> }</div><div><br></div><div> return(pass);</div><div>}</div></div><div><br></div><div><br></div><div>Kind regards,</div><div><div>
<div><span class="x_Apple-style-span" style="border-collapse: separate; "><div style="word-wrap: break-word; ">Robert Egglestone <span class="x_Apple-style-span" style="color: rgb(121, 121, 121); font-size: small; ">| Application Engineering Team Lead | The University of Auckland</span></div></span><font class="x_Apple-style-span" color="#797979" size="2"><span class="x_Apple-style-span" style="border-collapse: separate; "><div style="word-wrap: break-word; "><span class="x_Apple-style-span" style="border-collapse: separate; "><div style="word-wrap: break-word; "><span class="x_Apple-style-span" style="border-collapse: separate; "><div style="word-wrap: break-word; "><span class="x_Apple-style-span" style="border-collapse: separate; "><div style="word-wrap: break-word; "><a href="mailto:r.egglestone@auckland.ac.nz">r.egglestone@auckland.ac.nz</a> | ext: 84624 | m: +64 21 240 8992 | Level 2, 58 Symonds St, Auckland, NZ</div></span></div></span></div></span></div></span></font></div>
</div>
<br><div><div>On 6/08/2013, at 9:05 AM, Stephen Wood <<a href="mailto:smwood4@gmail.com">smwood4@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><div dir="ltr">Is there a way to change client.ip?<div><br></div><div>For example, I would like to set up an ACL to block certain IPs, but since the instances are behind a load balancer the only thing I have to work with is the x-forwarded-for header. I've tried something like this:</div>
<div><br></div><div><div>sub vcl_recv {</div><div> if (req.http.X-Forwarded-For) {</div><div> set client.ip = req.http.X-Forwarded-For;</div><div> }</div><div>}</div><div><br></div><div>But of course that kind of thing doesn't compile.</div>
<div><br></div><div>Can someone please advise me on this issue or the broader question about implementing ACLs via x-forwarded-for headers for those of us stuck behind another load balancer?</div><div dir="ltr"></div>
</div></div>
_______________________________________________<br>varnish-misc mailing list<br><a href="mailto:varnish-misc@varnish-cache.org">varnish-misc@varnish-cache.org</a><br>https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc</blockquote></div><br></div></body></html>