<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Ok. When using strictly IPv4 my setup works just fine.<br>
Looks like this is an IPv6 only problem.<br>
<br>
Jan Hugo<br>
<br>
<br>
<div class="moz-cite-prefix">On 04/08/2017 05:14 PM, Jan Hugo Prins
| BetterBe wrote:<br>
</div>
<blockquote
cite="mid:c6cbd435-9e98-3cc2-29bb-d66826aa206c@betterbe.com"
type="cite">
<meta http-equiv="content-type" content="text/html;
charset=windows-1252">
Hi,<br>
<br>
I have the following test setup running at the moment:<br>
<br>
Cloudflare -> HaProxy --> Varnish -> Haproxy
-> Backend application.<br>
|-------------------------------------------------|
|---------------------------------|<br>
CDN API<br>
<br>
Between the first HaProxy, Varnish and the second HaProxy I use
the proxy protocol to make sure that the requests that enter my
environment using the CDN are restricted using the same IP
whitelist rules as they would when accessing directly using the
API. To get the external IP into the request information and the
proxy protocol I have the following configuration in my first
haproxy config: <br>
<br>
<pre wrap="">acl FROM_CLOUDFLARE req.hdr(CF-Connecting-IP) -m found
http-request set-src hdr(CF-Connecting-IP) if FROM_CLOUDFLARE</pre>
<br>
Normal users connect to the API from the outside world and we use
IP whitelists to allow certain people access to this API.<br>
I'm trying to set up a CDN in front of my application, and to build
this I use CloudFlare, HaProxy (SSL termination and some minimal
rewrites) and Varnish (to offload requests from my backend
application).<br>
<br>
This all works fine so far, but today I noticed that access using
the CDN is not restricted enough, and I found out that it looks
like the connection between Varnish and my API is not using the
proxy protocol, or at least the information that should be
available from the CF-Connecting-IP is not visible in the HaProxy
on the API backend. The result is that all requests that enter the
environment using the CDN seem to be coming from the Varnish hosts
instead of the external world.<br>
<br>
My backend configuration in Varnish config looks like this:<br>
<br>
<pre wrap="">import directors; # load the directors

backend blsproxy01 {
    .host = "95.130.232.181";
    .port = "81";
    .proxy_header = 2;
    .probe = {
        .request =
            "GET /haproxy_test HTTP/1.1"
            "Host: leaseservices.eu"
            "Connection: close";
    }
}

backend blsproxy02 {
    .host = "95.130.232.182";
    .port = "81";
    .proxy_header = 2;
    .probe = {
        .request =
            "GET /haproxy_test HTTP/1.1"
            "Host: leaseservices.eu"
            "Connection: close";
    }
}

backend blsproxy03 {
    .host = "95.130.232.183";
    .port = "81";
    .proxy_header = 2;
    .probe = {
        .request =
            "GET /haproxy_test HTTP/1.1"
            "Host: leaseservices.eu"
            "Connection: close";
    }
}

sub vcl_init {
    # new blsproxy = directors.round_robin();
    new blsproxy = directors.random();
    blsproxy.add_backend(blsproxy01,10);
    blsproxy.add_backend(blsproxy02,10);
    blsproxy.add_backend(blsproxy03,10);
}</pre>
<br>
I upgraded to Varnish 5.1 a little while back and I think the
problem might have started at that time, but I'm not sure at the
moment. It's all a test setup, so this was only noticed because I
was doing some tests from my home where my home should not be able
to request any CDN content at the moment.<br>
<br>
<br>
<br>
<div class="moz-signature">-- <br>
<table
style="font-family:Arial,Roboto;font-size:12px;line-height:1.38em;border-collapse:collapse;color:#332F60;letter-spacing:0.1px;white-space:nowrap;">
<colgroup><col style="width:174px"><col style="width:174px"><col
style="width:166px"></colgroup> <tbody>
<tr>
<td colspan="3"
style="font-size:13px;color:#000;line-height:20px;padding:0
0 42px 0"> Kind regards<br>
<br>
Jan Hugo Prins<br>
<i>DevOps Engineer</i> </td>
</tr>
<tr>
<td colspan="3" style="padding:0 0 42px 0"><a
moz-do-not-send="true" href="https://betterbe.com"><img
src="cid:part1.CDB06052.2DC790EC@betterbe.com"
style="width:376px"></a></td>
</tr>
<tr>
<td> Auke Vleerstraat 140 E<br>
7547 AN Enschede<br>
CC no. <a moz-do-not-send="true"
href="https://www.kvk.nl/orderstraat/product-kiezen/?kvknummer=080975270000"
style="text-decoration:none;color:#332F60;">08097527</a>
</td>
<td> <b>T</b> <a moz-do-not-send="true"
href="tel:+31534800694"
style="text-decoration:none;color:#332F60;">+31 (0) 53
48 00 694</a><br>
<b>E</b> <a moz-do-not-send="true"
href="mailto:jprins@betterbe.com"
style="text-decoration:none;color:#332F60;">jprins@betterbe.com</a><br>
<b>M</b> <a moz-do-not-send="true"
href="tel:+31%20%280%296%20263%2058%20951"
style="text-decoration:none;color:#332F60;">+31 (0)6
263 58 951</a> </td>
<td style="vertical-align:bottom"><a
moz-do-not-send="true" href="https://www.betterbe.com"
style="color:#E73C57;font-weight:bold;text-decoration:none;">www.betterbe.com</a></td>
</tr>
<tr>
<td colspan="3" style="font-size:
9px;color:#A0A6B2;letter-spacing:0;line-height:1.5em;padding-top:42px;">
BetterBe accepts no liability for the content of this
email, or for the consequences of any actions taken on
the basis<br>
of the information provided, unless that information is
subsequently confirmed in writing. If you are not the
intended<br>
recipient you are notified that disclosing, copying,
distributing or taking any action in reliance on the
contents of this<br>
information is strictly prohibited. </td>
</tr>
</tbody>
</table>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
varnish-misc mailing list
<a class="moz-txt-link-abbreviated" href="mailto:varnish-misc@varnish-cache.org">varnish-misc@varnish-cache.org</a>
<a class="moz-txt-link-freetext" href="https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc">https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc</a></pre>
</blockquote>
<br>
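The thread narrows the problem to the IPv6 hop between Varnish (<code>.proxy_header = 2;</code>) and the API-side HaProxy but gives no way to inspect what actually crosses it; as an added example that is not from the thread, Varnish or HAProxy, here is a small Python encoder/decoder for PROXY protocol v2 headers that handles both the IPv4 and the IPv6 address family, so a capture taken between the two hops can be decoded to see which family and which source address were really sent. All addresses and ports in it are constructed sample values.

```python
import ipaddress
import struct

# PROXY protocol v2 (the format Varnish sends for .proxy_header = 2).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"          # fixed 12-byte signature
PP2_FAMILY = {0x1: ("IPv4", 4), 0x2: ("IPv6", 16)}  # family nibble -> name, addr size


def build_proxy_v2(src, dst, src_port, dst_port):
    """Encode a PROXY v2 header for a TCP connection from src to dst.
    The address family is taken from the IP version of the addresses."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != dst_ip.version:
        raise ValueError("src and dst must be the same IP version")
    fam = 0x1 if src_ip.version == 4 else 0x2
    addrs = src_ip.packed + dst_ip.packed + struct.pack("!HH", src_port, dst_port)
    # byte 13: version 2 / command PROXY = 0x21; byte 14: family / transport STREAM
    head = bytes([0x21, (fam << 4) | 0x1]) + struct.pack("!H", len(addrs))
    return PP2_SIGNATURE + head + addrs


def parse_proxy_v2(data):
    """Decode a PROXY v2 header from the start of a byte stream.
    Returns the connection info and the payload that follows the header."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, addr_len = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY version %d" % (ver_cmd >> 4))
    end = 16 + addr_len
    if len(data) < end:
        raise ValueError("truncated PROXY v2 header")
    if ver_cmd & 0xF == 0:
        # LOCAL command (e.g. health checks): no client address is carried
        return {"command": "LOCAL", "payload": data[end:]}
    if (fam_proto >> 4) not in PP2_FAMILY:
        raise ValueError("unsupported address family 0x%x" % (fam_proto >> 4))
    name, n = PP2_FAMILY[fam_proto >> 4]
    if addr_len < 2 * n + 4:
        raise ValueError("address block too short for %s" % name)
    block = data[16:end]
    src_port, dst_port = struct.unpack("!HH", block[2 * n:2 * n + 4])
    return {
        "command": "PROXY", "family": name,
        "src": str(ipaddress.ip_address(block[:n])),   # packed bytes -> address
        "dst": str(ipaddress.ip_address(block[n:2 * n])),
        "src_port": src_port, "dst_port": dst_port,
        "payload": data[end:],
    }


if __name__ == "__main__":
    # constructed sample for the IPv6 hop the thread reports as not working
    hdr = build_proxy_v2("2001:db8::10", "2001:db8::81", 40000, 81)
    print(parse_proxy_v2(hdr + b"GET /haproxy_test HTTP/1.1\r\n"))
```

The decoded source address is only as trustworthy as the hop that wrote the header (here HaProxy's <code>set-src</code> from <code>CF-Connecting-IP</code>), so the API-side listener should accept PROXY headers only from the Varnish hosts.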
</body>
</html>