Varnish: Obtain the real IP address of the user when Nginx is used as the backend (multiple proxies ).

I have to say that I have a problem. It is not enough for an Apache + Varnish website. I also need to insert a third party-Nginx between Apache and Varnish. Because of some requirements, CDN is also applied to individual websites on the server. Apache is used as the backend. It is difficult to obtain the real IP address of a user by adding NginxProxyCache + Varnish.

I have to say that I have a problem. It is not enough for an Apache + Varnish website. I also need to insert a third party-Nginx between Apache and Varnish. Because of some requirements, CDN is also applied to individual websites on the server. Apache is used as the backend. It is difficult to obtain the real IP address of the user by adding an Nginx Proxy Cache + Varnish.

I have to say that I have a problem. It is not enough for an Apache + Varnish website. I also need to insert a third party-Nginx between Apache and Varnish.

Because of some requirements, CDN is also applied to individual websites on the server.
Apache is used as the backend. It is not difficult to obtain the real IP address of the user by adding an Nginx Proxy Cache + Varnish. You only need to add an rpaf module to Apache, then let Varnish process the XFF content:

if (req.restarts == 0) {       if (req.http.x-forwarded-for) {           set req.http.X-Forwarded-For =               req.http.X-Forwarded-For + ", " + client.ip;       } else {           set req.http.X-Forwarded-For = client.ip;       }     }

When you access a website without CDN, you can obtain the real IP address of the user.

Recently, when a CDN is added to the website, the rpaf module becomes powerless. As a result, my website has been suffering from getting users' real IP addresses over the past few days.
I asked the customer service of the CDN and gave me this answer:
When CDN is used, the IP addresses in the website server access logs are recorded as the official IP addresses of the CDN server. You can obtain the user's original IP address in the following ways:
ASP
Request. ServerVariables ("HTTP_X_FORWARDED_FOR ")
PHP
$ _ SERVER ["HTTP_X_FORWARDED_FOR"]
JSP
Request. getHeader ("HTTP_X_FORWARDED_FOR ")

It seems that I want to modify the code of my website, but this indicator is not permanent. Besides, after Ioncube is encrypted, there is no possibility of modification, ask them if they can modify the Nginx configuration file implementation and ignore me ......

It seems that you have to rely on yourself. Since they can send the code, it proves that their cdn server stores the real IP address in HTTP_X_FORWARD_FOR, So let nginx process the xff content sent by the CDN server.

First, remove Varnish from processing XFF, and send the XFF transmitted by CDN directly to Nginx for processing, that is, comment out the following content:

#     if (req.restarts == 0) {#       if (req.http.x-forwarded-for) {#           set req.http.X-Forwarded-For =#               req.http.X-Forwarded-For + ", " + client.ip;#       } else {#           set req.http.X-Forwarded-For = client.ip;#       }#     }

Then add a line of code in the location/layer of the setver layer of the corresponding domain name of nginx:

proxy_set_header ? ?X-Forwarded-For $http_x_forwarded_for;

Restart Nginx, open the probe, and check again ......

Original article address: Varnish. When Nginx is used as a backend (Multi-proxy), it gets the user's real IP address. Thank you for sharing it with the original author.