Netgate Discussion Forum

Varnish pass client ip?

pfSense Packages
    josh4trunks
    last edited by Jan 7, 2012, 6:00 PM

    Hey guys, I've been using pfSense 2.0 for a few months now and have been loving it. I'm currently on 2.0.1 and have the varnish package working well; I just can't get one feature of varnish working as expected.

    When I used to have varnish on my ubuntu box I used the lines below to pass the original IP to my apache server on another ubuntu box and it worked great (I got a module for apache that accepts the IP). But the same 2 lines don't seem to work now on my pfSense box. My ubuntu webserver backend sees all requests coming from 192.168.1.1; when I try everything through varnish on my ubuntu box again it seems to work as expected and external IPs are seen.

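    sub vcl_recv {
      # Discard any X-Forwarded-For header sent by the client
      remove req.http.X-Forwarded-For;
      # Pass the address Varnish saw as the client to the backend
      set req.http.X-Forwarded-For = client.ip;
    }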
    

    Not sure what's going on and if maybe the varnish version on pfsense works a bit differently, thanks for the help!

      marcelloc
      last edited by Jan 8, 2012, 1:41 AM

      It works for me. Check these settings in your varnish package and then in the configuration files.

      [Attached screenshot: varnish.png]

      Treinamentos de Elite: http://sys-squad.com

      Help a community developer! ;D

        josh4trunks
        last edited by Jan 8, 2012, 7:51 AM

        Tried that; it adds
        "set req.http.X-Forwarded-Varnish = client.ip;"
        to the VCL, but my backend still says all requests come from 192.168.1.1. When I pass through varnish on my ubuntu box it works fine.

          marcelloc
          last edited by Jan 8, 2012, 12:39 PM

          Change forward var name to x-Forwarded-for.

          I've created this x-forwarded-varnish to be sure I was reading the right value

          Treinamentos de Elite: http://sys-squad.com

          Help a community developer! ;D

            josh4trunks
            last edited by Jan 11, 2012, 6:28 AM

            I've definitely tried the x-forwarded-for option as well. I've also tried a custom config with the same options I use for varnish on my ubuntu box (I use x-forwarded-for there). Neither seems to pass the IP; maybe the NAT port forwarding is doing something funny? I'm running varnish on pfSense's port 8080, and forwarding that to WAN on port 80. I doubt it, but I can't rule out anything at this point…

              marcelloc
              last edited by Jan 11, 2012, 11:53 AM

              You cannot set up a port forward on the same port varnish is listening on.

              Disable this NAT and be sure you have a WAN rule to permit traffic on the varnish listening port.

              Treinamentos de Elite: http://sys-squad.com

              Help a community developer! ;D

                josh4trunks
                last edited by Jan 11, 2012, 10:53 PM

                I didn't configure apache to allow x-forwarded IPs from 192.168.1.1, lol, only from my old ubuntu varnish server's IP. Well, I guess I'm an idiot and this thread can be closed.

                  marcelloc
                  last edited by Jan 12, 2012, 3:04 AM

                  ok, never mind.  ;)

                  Just to know: are you using varnish version 3.x or 2.x?

                  Treinamentos de Elite: http://sys-squad.com

                  Help a community developer! ;D

                    josh4trunks
                    last edited by Jan 19, 2012, 5:24 PM

                    2.X don't need streaming support, still trying to learn how to put together a decent static website, lol

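The cause found in this thread is that the backend only honours X-Forwarded-For when the connection arrives from a proxy address it has been told to trust. The Python sketch below is an added example, not part of the thread and not the code of any Apache module, that models that decision. The function name `effective_client_ip`, the old proxy address 192.168.1.50 and the client addresses are constructed for illustration; 192.168.1.1 is the address the poster's backend saw.

```python
import ipaddress

def effective_client_ip(peer_ip, xff_header, trusted_proxies):
    """Return the address a backend should log as the client.

    peer_ip         -- source address of the TCP connection
    xff_header      -- raw X-Forwarded-For value, or None
    trusted_proxies -- addresses/networks allowed to supply the header
    """
    nets = [ipaddress.ip_network(p) for p in trusted_proxies]

    def trusted(addr):
        return any(addr in net for net in nets)

    current = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk the header right to left: an entry is believed only while
    # the address that reported it is itself a trusted proxy.
    while hops and trusted(current):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # malformed entry: keep the last verified address
    return str(current)

VARNISH = "192.168.1.1"     # pfSense box running Varnish (from the thread)
OLD_PROXY = "192.168.1.50"  # constructed: the former Ubuntu Varnish host

if __name__ == "__main__":
    # Symptom in the thread: only the old proxy is trusted, so the
    # header set by Varnish on pfSense is ignored.
    print(effective_client_ip(VARNISH, "203.0.113.7", [OLD_PROXY]))
    # After adding the pfSense address to the trusted list.
    print(effective_client_ip(VARNISH, "203.0.113.7", [VARNISH]))
    # A client connecting directly cannot choose its own address.
    print(effective_client_ip("198.51.100.9", "10.0.0.1", [VARNISH]))
```

Keeping the trusted list to the exact proxy address matters as much as adding it: any host on that list can make the backend log whatever address it puts in the header.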
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.