
This is the section of my VCL config file related to IP forwarding:

sub vcl_recv {
    remove req.http.X-Forwarded-For;
    set req.http.X-Forwarded-For = client.ip;

    # .... (other configuration)
}

sub vcl_pipe {
    set req.http.connection = "close";

    if (req.http.X-Forwarded-For) {
        set req.http.X-Forwarded-For = req.http.X-Forwarded-For;
    } else {
        set req.http.X-Forwarded-For = regsub(client.ip, ":.*", "");
    }
}

sub vcl_pass {
    set req.http.connection = "close";

    if (req.http.X-Forwarded-For) {
        set req.http.X-Forwarded-For = req.http.X-Forwarded-For;
    } else {
        set req.http.X-Forwarded-For = regsub(client.ip, ":.*", "");
    }
}

And I have installed mod_rpaf, and the related config settings in httpd.conf are:

RPAFenable On
RPAFsethostname On
RPAFproxy_ips 127.0.0.1 10.0.0.1 67.23.31.16
RPAFheader X-Forwarded-For

Now, I tried using $_SERVER["HTTP_X_FORWARDED_FOR"] inside my PHP to get the IP address. It works the first time and then I start getting blank. Again, if I try after some time, say after a minute, I get it again for the first time.

So, basically it does not work consistently, or works randomly, or to be precise, works only one time, then does not for some time, and then works again for one time. Very strange. I have a feeling that something is not configured properly. I have spent quite a bit of time Googling. Everywhere people recommend adding X-Forwarded-For and installing the mod_rpaf module. As you see, I have done exactly that.

Any help would be greatly appreciated.

Ladadadada
Siva

1 Answer


Your code to set the X-Forwarded-For header should work if you have it only in the vcl_recv subroutine. See this Varnish flow chart of how a request will be processed by different subroutines.

You have set "RPAFsethostname" to "On". As far as I know this is for using the X-Host header instead of the Host header. Please check if this is required by your Varnish set-up. Usually the X-Host header will not be used/set.

Anyway, the idea of using mod_rpaf is to replace the REMOTE_ADDR value of Apache with the X-Forwarded-For value, so you don't have to change your scripts, IP-based authentication or logging. For your PHP script I recommend using $_SERVER['REMOTE_ADDR'].

If this does not solve your problem, deactivate the mod_rpaf module. Apart from scripts using $_SERVER['REMOTE_ADDR'], IP-based authentication or logging, everything else should work fine. If the problem isn't gone, something else in your Varnish/Apache set-up doesn't fit together.

Jens Bradler
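The trust decision behind RPAFproxy_ips and the REMOTE_ADDR replacement described in the answer, modelled in Python as an added example (not code from the question, the answer, or mod_rpaf itself). The function names are hypothetical, the proxy list is copied from the question's httpd.conf, and the right-to-left walk over several hops generalizes beyond the single Varnish hop on this page.

```python
import ipaddress

# Proxy addresses taken from the RPAFproxy_ips line in the question.
TRUSTED_PROXIES = ("127.0.0.1", "10.0.0.1", "67.23.31.16")


def _parse_ip(text):
    """Return an ip_address object, or None if text is not a valid IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def effective_client_ip(peer_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Choose the client address from the TCP peer and X-Forwarded-For."""
    trusted_set = {ipaddress.ip_address(t) for t in trusted}
    peer = _parse_ip(peer_addr)
    if peer is None:
        raise ValueError("peer address is not an IP: %r" % peer_addr)
    # A header sent by a peer that is not one of our proxies is
    # client-controlled input, so it is ignored completely.
    if peer not in trusted_set or not xff_header:
        return str(peer)
    # Walk right to left: the rightmost entry was appended by the proxy
    # closest to us; entries further left are progressively less trustworthy.
    candidate = peer
    for hop in reversed(xff_header.split(",")):
        ip = _parse_ip(hop)
        if ip is None:
            break  # malformed entry: stop at the last verified hop
        candidate = ip
        if ip not in trusted_set:
            break  # first non-proxy address is treated as the client
    return str(candidate)


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For header)
    for peer, xff in [("127.0.0.1", "203.0.113.7"),
                      ("198.51.100.9", "10.0.0.1"),
                      ("127.0.0.1", "192.0.2.44, 203.0.113.7, 10.0.0.1")]:
        print(peer, repr(xff), "->", effective_client_ip(peer, xff))
```

The second sample shows why the proxy list matters: a direct client that sends its own X-Forwarded-For value is still identified by its peer address.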