<div dir="ltr">Out of curiosity, has anyone done a CDN of Varnish servers? I have 4 Varnish servers in different datacenters around the world, and use anycast IPs to direct traffic based on the region. I managed to do cache replication using a "fanout" method for new cache hits to be replicated through an intermediary server to the related group of Varnish servers, but was wondering if anyone had a better method.</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 17, 2017 at 2:48 PM, Guillaume Quintard <span dir="ltr"><<a href="mailto:guillaume@varnish-software.com" target="_blank">guillaume@varnish-software.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">Actually, Varnish should set the XFF header even before you enter vcl_recv. <span class="HOEnZb"><font color="#888888"><br><br><div data-smartmail="gmail_signature">-- <br>Guillaume Quintard </div></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mar 17, 2017 19:23, "Hernán Marsili" <<a href="mailto:hernan@cmsmedios.com" target="_blank">hernan@cmsmedios.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Ok, so I finally make it work with the suggested rule. <div><br></div><div>On the vcl_recv I have:</div><div><p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo"><span style="font-variant-ligatures:no-common-ligatures"><span class="m_7236291618795710973m_-5385414711863745893inbox-Apple-tab-span" style="white-space:pre-wrap"> </span>if (req.http.x-forwarded-for) {</span></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo"><span style="font-variant-ligatures:no-common-ligatures"> <span class="m_7236291618795710973m_-5385414711863745893inbox-Apple-tab-span" style="white-space:pre-wrap"> </span>set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;</span></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo"><span style="font-variant-ligatures:no-common-ligatures"><span class="m_7236291618795710973m_-5385414711863745893inbox-Apple-tab-span" style="white-space:pre-wrap"> </span>set req.http.x-cdn-ip = regsub(req.http.X-Forwarded-Fo<wbr>r, "([^,]+), *([^ ,]+)[ ,]?.*", "\2");</span></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo"><span style="font-variant-ligatures:no-common-ligatures"> <span class="m_7236291618795710973m_-5385414711863745893inbox-Apple-tab-span" style="white-space:pre-wrap"> </span>} else {</span></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo"><span style="font-variant-ligatures:no-common-ligatures"> <span class="m_7236291618795710973m_-5385414711863745893inbox-Apple-tab-span" style="white-space:pre-wrap"> </span>set req.http.X-Forwarded-For = client.ip;</span></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo"><span style="font-variant-ligatures:no-common-ligatures"><span class="m_7236291618795710973m_-5385414711863745893inbox-Apple-tab-span" style="white-space:pre-wrap"> </span>set req.http.x-cdn-ip = regsub(req.http.X-Forwarded-Fo<wbr>r, "([^,]+), *([^ ,]+)[ ,]?.*", "\2");</span></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo"><span style="font-variant-ligatures:no-common-ligatures"> <span class="m_7236291618795710973m_-5385414711863745893inbox-Apple-tab-span" style="white-space:pre-wrap"> </span>}</span></p><div><span style="font-variant-ligatures:no-common-ligatures"><br></span></div></div><div>I then use Apache remote_ip to listen to x-cd-ip with this:</div><div><p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo"><span style="font-variant-ligatures:no-common-ligatures"> RemoteIPHeader x-cdn-ip</span></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo"><span style="font-variant-ligatures:no-common-ligatures"> RemoteIPTrustedProxy 127.0.0.1 172.31.29.204</span></p><div><span style="font-variant-ligatures:no-common-ligatures"><br></span></div></div><div><span style="font-variant-ligatures:no-common-ligatures">I don't probable need the IF but since this was in place for some reason, I just leave it.</span></div><div><span style="font-variant-ligatures:no-common-ligatures"><br></span></div><div><span style="font-variant-ligatures:no-common-ligatures">It seems to be working just fine. What do you think?</span></div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Mar 17, 2017 at 10:32 AM Andrei <<a href="mailto:lagged@gmail.com" target="_blank">lagged@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="m_7236291618795710973m_-5385414711863745893gmail_msg">Does the CDN not provide the IP you want in a separate header? Typically CDN's have custom headers for just that which you can use as well</div><div class="gmail_extra m_7236291618795710973m_-5385414711863745893gmail_msg"><br class="m_7236291618795710973m_-5385414711863745893gmail_msg"><div class="gmail_quote m_7236291618795710973m_-5385414711863745893gmail_msg">On Fri, Mar 17, 2017 at 3:31 PM, Guillaume Quintard <span dir="ltr" class="m_7236291618795710973m_-5385414711863745893gmail_msg"><<a href="mailto:guillaume@varnish-software.com" class="m_7236291618795710973m_-5385414711863745893gmail_msg" target="_blank">guillaume@varnish-software.co<wbr>m</a>></span> wrote:<br class="m_7236291618795710973m_-5385414711863745893gmail_msg"><blockquote class="gmail_quote m_7236291618795710973m_-5385414711863745893gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="m_7236291618795710973m_-5385414711863745893gmail_msg">If you have the ability to compile a vmod, you can use split() from vmod-str (disclaimer: I wrote that) <a href="https://github.com/gquintard/libvmod-str/blob/master/src/vmod_str.vcc" class="m_7236291618795710973m_-5385414711863745893gmail_msg" target="_blank">https://github.com/gquin<wbr>tard/libvmod-str/blob/master/<wbr>src/vmod_str.vcc</a><div class="m_7236291618795710973m_-5385414711863745893gmail_msg"><br class="m_7236291618795710973m_-5385414711863745893gmail_msg"></div><div class="m_7236291618795710973m_-5385414711863745893gmail_msg">otherwise, to get the second ip, something like :</div><div class="m_7236291618795710973m_-5385414711863745893gmail_msg"><br class="m_7236291618795710973m_-5385414711863745893gmail_msg"></div><div class="m_7236291618795710973m_-5385414711863745893gmail_msg">regsub(req.http.xff, "([^,]+), *([^ ,]+)[ ,]?.*", "\2")<br class="m_7236291618795710973m_-5385414711863745893gmail_msg"></div><div class="m_7236291618795710973m_-5385414711863745893gmail_msg"><br class="m_7236291618795710973m_-5385414711863745893gmail_msg"></div><div class="m_7236291618795710973m_-5385414711863745893gmail_msg">should work. Fell free to test, using <a href="http://regex101.com" class="m_7236291618795710973m_-5385414711863745893gmail_msg" target="_blank">regex101.com</a> for example. or better, a Varnish Test case Case: <a href="https://gist.github.com/gquintard/ee47432bb8b5c97b615d973b57b6338e" class="m_7236291618795710973m_-5385414711863745893gmail_msg" target="_blank">https://gist.github.com/<wbr>gquintard/ee47432bb8b5c97b615d<wbr>973b57b6338e</a></div><div class="m_7236291618795710973m_-5385414711863745893gmail_msg">test it using: varnishtest foo.vtc</div></div><div class="gmail_extra m_7236291618795710973m_-5385414711863745893gmail_msg"><span class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329HOEnZb m_7236291618795710973m_-5385414711863745893gmail_msg"><font color="#888888" class="m_7236291618795710973m_-5385414711863745893gmail_msg"><br clear="all" class="m_7236291618795710973m_-5385414711863745893gmail_msg"><div class="m_7236291618795710973m_-5385414711863745893gmail_msg"><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342gmail_signature m_7236291618795710973m_-5385414711863745893gmail_msg" data-smartmail="gmail_signature"><div dir="ltr" class="m_7236291618795710973m_-5385414711863745893gmail_msg"><div class="m_7236291618795710973m_-5385414711863745893gmail_msg">-- <br class="m_7236291618795710973m_-5385414711863745893gmail_msg"></div>Guillaume Quintard<br class="m_7236291618795710973m_-5385414711863745893gmail_msg"></div></div></div></font></span><div class="m_7236291618795710973m_-5385414711863745893gmail_msg"><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329h5 m_7236291618795710973m_-5385414711863745893gmail_msg">
<br class="m_7236291618795710973m_-5385414711863745893gmail_msg"><div class="gmail_quote m_7236291618795710973m_-5385414711863745893gmail_msg">On Fri, Mar 17, 2017 at 1:33 PM, Hernán Marsili <span dir="ltr" class="m_7236291618795710973m_-5385414711863745893gmail_msg"><<a href="mailto:hernan@cmsmedios.com" class="m_7236291618795710973m_-5385414711863745893gmail_msg" target="_blank">hernan@cmsmedios.com</a>></span> wrote:<br class="m_7236291618795710973m_-5385414711863745893gmail_msg"><blockquote class="gmail_quote m_7236291618795710973m_-5385414711863745893gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="m_7236291618795710973m_-5385414711863745893gmail_msg">Thank you! so, I figure I can parse the x-forwarded-for in which I have 3 ips. The first one is the customer, the second one is the one 1 need (the CDN) and the third I think is the load balancer.<div class="m_7236291618795710973m_-5385414711863745893gmail_msg"><br class="m_7236291618795710973m_-5385414711863745893gmail_msg"></div><div class="m_7236291618795710973m_-5385414711863745893gmail_msg">I can assign it to a new header x-cdn-ip and use apache_remoteip to use that ip as the connecting ip. </div><div class="m_7236291618795710973m_-5385414711863745893gmail_msg"><br class="m_7236291618795710973m_-5385414711863745893gmail_msg"></div><div class="m_7236291618795710973m_-5385414711863745893gmail_msg">What do you think?</div><div class="m_7236291618795710973m_-5385414711863745893gmail_msg"><br class="m_7236291618795710973m_-5385414711863745893gmail_msg"></div><div class="m_7236291618795710973m_-5385414711863745893gmail_msg">Only problem here is to parse the second iP. I have something like this:</div><div class="m_7236291618795710973m_-5385414711863745893gmail_msg"><p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo" class="m_7236291618795710973m_-5385414711863745893gmail_msg"><span style="font-variant-ligatures:no-common-ligatures" class="m_7236291618795710973m_-5385414711863745893gmail_msg"><span class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830inbox-Apple-tab-span m_7236291618795710973m_-5385414711863745893gmail_msg" style="white-space:pre-wrap"> </span>set req.http.x-cdn-ip = regsub(req.http.X-Forwarded-Fo<wbr>r, "^([^,]+),?.*$", "\1");</span></p><div class="m_7236291618795710973m_-5385414711863745893gmail_msg"><span style="font-variant-ligatures:no-common-ligatures" class="m_7236291618795710973m_-5385414711863745893gmail_msg"><br class="m_7236291618795710973m_-5385414711863745893gmail_msg"></span></div></div><div class="m_7236291618795710973m_-5385414711863745893gmail_msg"><span style="font-variant-ligatures:no-common-ligatures" class="m_7236291618795710973m_-5385414711863745893gmail_msg">I was able to get the first IP but not the second only which is the one I need. Any one can point me in the right direction with the regsub?</span></div><div class="m_7236291618795710973m_-5385414711863745893gmail_msg"><span style="font-variant-ligatures:no-common-ligatures" class="m_7236291618795710973m_-5385414711863745893gmail_msg"><br class="m_7236291618795710973m_-5385414711863745893gmail_msg"></span></div><div class="m_7236291618795710973m_-5385414711863745893gmail_msg"><span style="font-variant-ligatures:no-common-ligatures" class="m_7236291618795710973m_-5385414711863745893gmail_msg">Thank you!</span></div></div><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342HOEnZb m_7236291618795710973m_-5385414711863745893gmail_msg"><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342h5 m_7236291618795710973m_-5385414711863745893gmail_msg"><br class="m_7236291618795710973m_-5385414711863745893gmail_msg"><div class="gmail_quote m_7236291618795710973m_-5385414711863745893gmail_msg"><div dir="ltr" class="m_7236291618795710973m_-5385414711863745893gmail_msg">On Fri, Mar 17, 2017 at 4:43 AM Andrei <<a href="mailto:lagged@gmail.com" class="m_7236291618795710973m_-5385414711863745893gmail_msg" target="_blank">lagged@gmail.com</a>> wrote:<br class="m_7236291618795710973m_-5385414711863745893gmail_msg"></div><blockquote class="gmail_quote m_7236291618795710973m_-5385414711863745893gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">Authenticated requests should typically bypass cache, unless you want to hash the related session id(s), however that can get "interesting". I suggest using an Apache module such as rpaf or remoteip in order for Apache to set the client IP from the X-Forwarded-For header set by Varnish. This way, you will not need to worry about whitelisting localhost, or other cucumbersome iptables rules, and your IP restrictions will work as intended.</div><div class="gmail_extra m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><div class="gmail_quote m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">On Fri, Mar 17, 2017 at 1:32 AM, Jason Price <span dir="ltr" class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><<a href="mailto:japrice@gmail.com" class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg" target="_blank">japrice@gmail.com</a>></span> wrote:<br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><blockquote class="gmail_quote m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">I don't believe there's a trivial way to do this.<div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"></div><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">Varnish will return the cached response to any IP address that comes calling. Even if the first request comes from a valid IP, which gets passed through via X-Forward or similar, and mod_auth is tweaked to respond to that, any subsequent request will not be seen by either apache or mod_auth at all.</div><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"></div><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">You have a few options:</div><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">1) IP Whitelists are a rather poor means of authentication. Moving to something else might be prudent. But that's not easy.</div><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">2) There are probably VMODs that do something similar. If not and if the list of IPs isn't too long, you could limit the IPs in VCL rather than mod_auth.</div><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">3) Push the list of IP addresses that can connect to the external port down to IPTables or similar.</div><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">4) Push the list of IP addresses to external Firewall, or Security Group or whatever.</div><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"></div><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"></div></div><div class="gmail_extra m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><div class="gmail_quote m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830m_-7363131261474093851h5 m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">On Thu, Mar 16, 2017 at 5:46 PM, Hernán Marsili <span dir="ltr" class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><<a href="mailto:hernan@cmsmedios.com" class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg" target="_blank">hernan@cmsmedios.com</a>></span> wrote:<br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"></div></div><blockquote class="gmail_quote m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830m_-7363131261474093851h5 m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><div dir="ltr" class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">Hi,<div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"></div><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">We are having an issue with VARNISH and apache mod_auth. Varnish is on port 80 serving users and Apache is the backend. </div><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"></div><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">We have servers restricting access only to authenticated users or certain IP addresses. Since we installed Varnish the issue is that we need to enable 127.0.0.1 as a permitted IP (required ip rule) so the Varnish can fetch content. The problem, is that the real IP is not used and all the other rules does not apply. </div><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"></div><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">Bottom line, how can we still control who is requesting using MOD_AUTH and having Varnish?</div><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"></div><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">Regards</div><span class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830m_-7363131261474093851m_3758069336204431268HOEnZb m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><font color="#888888" class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"><div class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">Hernán.</div></font></span></div>
<br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"></div></div>______________________________<wbr>_________________<br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">
varnish-misc mailing list<br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">
<a href="mailto:varnish-misc@varnish-cache.org" class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg" target="_blank">varnish-misc@varnish-cache.org</a><br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">
<a href="https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc" rel="noreferrer" class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg" target="_blank">https://www.varnish-cache.org/<wbr>lists/mailman/listinfo/varnish<wbr>-misc</a><br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"></blockquote></div><br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"></div>
<br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">______________________________<wbr>_________________<br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">
varnish-misc mailing list<br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">
<a href="mailto:varnish-misc@varnish-cache.org" class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg" target="_blank">varnish-misc@varnish-cache.org</a><br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg">
<a href="https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc" rel="noreferrer" class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg" target="_blank">https://www.varnish-cache.org/<wbr>lists/mailman/listinfo/varnish<wbr>-misc</a><br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"></blockquote></div><br class="m_7236291618795710973m_-5385414711863745893m_-8433437325267808329m_-1313992653972545342m_5660521226061879830gmail_msg m_7236291618795710973m_-5385414711863745893gmail_msg"></div>
</blockquote></div>
</div></div><br class="m_7236291618795710973m_-5385414711863745893gmail_msg">______________________________<wbr>_________________<br class="m_7236291618795710973m_-5385414711863745893gmail_msg">
varnish-misc mailing list<br class="m_7236291618795710973m_-5385414711863745893gmail_msg">
<a href="mailto:varnish-misc@varnish-cache.org" class="m_7236291618795710973m_-5385414711863745893gmail_msg" target="_blank">varnish-misc@varnish-cache.org</a><br class="m_7236291618795710973m_-5385414711863745893gmail_msg">
<a href="https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc" rel="noreferrer" class="m_7236291618795710973m_-5385414711863745893gmail_msg" target="_blank">https://www.varnish-cache.org/<wbr>lists/mailman/listinfo/varnish<wbr>-misc</a><br class="m_7236291618795710973m_-5385414711863745893gmail_msg"></blockquote></div><br class="m_7236291618795710973m_-5385414711863745893gmail_msg"></div></div></div>
</blockquote></div><br class="m_7236291618795710973m_-5385414711863745893gmail_msg"></div>
</blockquote></div>
</blockquote></div></div>
</div></div></blockquote></div><br></div>