0

I have an Apache web server hosting a number of sites. On some sites there is HTTP Basic Authentication. I allow some hosts access to the site effectively bypassing the HTTP Auth.

For example:

Allow from 10.10.

I am now placing a Varnish caching server in front of the web server and now all requests to the web server appear as they have come from the varnish server (192.168.1.101).

The white-listed IP addresses that used to be allowed to access the sites without HTTP authentication are now being prompted for HTTP authorization.

I cant set allow from 192.168 as this effectively allows the entire web access. So my question is. Is there any way I can get varnish to pass the client IP address to the backend server to prevent this from occurring? Or does anyone know another way around this issue? Thanks in advance.

thepearson
  • 870
  • 10
  • 18

1 Answers1

3

Configure Varnish to send X-Real-IP and use mod_rpaf for Apache2 .
IP address will be set to X-Forwarded-For (which varnish adds automagicly)

Also disable Varnish caching content with Http Auth by adding 

if (req.http.Authorization) { 
   pass;
}

in vlc_fetch, because otherwise unauthorized clients could bypass auth.

Kristaps
  • 2,985
  • 17
  • 22
  • Thanks; works a charm. However, the version of mod_rpaf in Debian doesn't currently support "RPAFheader X-Real-IP" so am replacing the X-Forwarded-For header and using that. – thepearson Nov 17 '10 at 01:54