Varnish not passing user IP correctly to MediaWiki

Question

I'm running a setup with Nginx, FastCGI, APC, Memcache and Varnish to host a MediaWiki installation. I'm having some issues with recent changes showing up as coming from 127.0.0.1 in the case of anonymous users. I suspected the issue to be that Varnish doesn't pass on the user IP to Nginx properly, but I do have this in my vcl_recv:

# Set client IP
if (req.http.x-forwarded-for) {
    set req.http.X-Forwarded-For =
    req.http.X-Forwarded-For + ", " + client.ip;
} else {
    set req.http.X-Forwarded-For = client.ip;
}

Could anyone tell me what else I might need to verify that could cause this issue? Because I'm at a loss...

Does it require any specific config for Varnish? This is everything relating to caching I've configured: https://www.pastelock.com/paste.php?uid=8XAarnD8&key=SN2BJ90T1A5o6ViuduWkwdDFbeQCBu — FHannes, Feb 09 '13 at 00:49

score 3 · Accepted Answer · answered Feb 09 '13 at 01:22

3

You must configure MediaWiki so that it will actually obey the X-Forwarded-For header. Without these settings, MediaWiki will ignore it.

(For historical reasons all of these configuration options refer to Squid...)

At a minimum, these lines must be in your LocalSettings.php:

$wgUseSquid = true;
$wgSquidServers = array('127.0.0.1'); # IP address of your varnish server

answered Feb 09 '13 at 01:22

Michael Hampton

244,070
43
506
972

After adding this, pages do seem to respond a lot slower, even when I have Varnish ignore cookies. Is there any specific reason for that? – FHannes Feb 09 '13 at 02:00
Nope. Sounds like you have the makings of a new question... – Michael Hampton Feb 09 '13 at 02:03

score 0 · Answer 2 · answered Feb 09 '13 at 01:11

The lines you describe from your configuration, set the X-Forwarded-For header to the client IP. However, you still need to tell your web server (Nginx) to check and use that value as the IP address.

The easiest way to do this is probably with Nginx's Real IP module. Firstly, check that Nginx has been built with the real IP module:

Run nginx -V and look for --with-http_realip_module

Then modify your Nginx config (usually /etc/nginx.conf), adding the following to the http section:

#Upstream server address (i.e. Varnish address)
set_real_ip_from 127.0.0.1;
real_ip_header X-Forwarded-For;

Restart Nginx and the IP address in all locations (logs, values passed to php, etc.) should now be derived from the X-Forwarded-For header.

I'm sorry, I should've mentioned that I already have this set up in my Nginx configuration. I've been over it to confirm, the real ip module is present and these lines are in my Nginx config. — FHannes, Feb 09 '13 at 01:22

Varnish not passing user IP correctly to MediaWiki

2 Answers2