6

I've configured Varnish 3 with Apache and it is running perfectly alright. However, I'm unable to get the client IP logged in the Apache logs. I tried a few solutions googling around with no luck. Right now my Apache access log file is logging the server IP instead of client IP addresses.

Here are my configurations for your kind consideration:

Varnish VCL: (/etc/varnish/default.vlc): http://pastebin.com/PuBqZ6fx

Apache Config

/etc/httpd/conf/httpd.conf

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" varnishcombined

Apache Virtual Host

...... Other Stuff .....
ErrorLog logs/fr-error-log
CustomLog logs/fr-custom-log varnishcombined
...... Other Stuff .....

Note: Varnish Version installed is varnish-3.0.2-1.el5.x86_64

Thanks. Raheel

Raheel Dharolia

3 Answers

12

I think you've had a working config in your pastebin example, this should actually do the trick:

if (req.restarts == 0) {
  if (req.http.X-Forwarded-For) {
    set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
  } else {
    set req.http.X-Forwarded-For = client.ip;
  }
}

In your vcl_recv{}.

Mojah
  • Uncommenting the code above gives me the actual client IP address in $_SERVER["HTTP_X_FORWARDED_FOR"] but $_SERVER["REMOTE_ADDR"] still shows the server IP. Moreover, the Apache access log file still shows the server IP for each request. Any clues? – Raheel Dharolia Apr 05 '12 at 12:32
  • After spending some time I've found the solution: it's the RPAF Apache module. http://www.amgeekblog.com/mod_rpaf-in-ubuntu-and-centos/. After using this module, I now get the proper client IP address in the Apache log file as well as in the $_SERVER['REMOTE_ADDR'] global variable in PHP. Thanks! – Raheel Dharolia Apr 05 '12 at 13:26
  • 1
    Shouldn't the client IP come first? (i.e. `client.ip + ", " + req.http.X-Forwarded-For`) – Michael Mior Jun 01 '13 at 02:01
  • @MichaelMior I think the idea is you append an address to a list if there is already an X-Forwarded-For, so the new IP does go at the end, not the beginning. – chmac Jun 05 '13 at 11:10
  • @chmac Yes, I understand what the idea is. I previously thought adding at the beginning made sense, but you're right that it should be at the end. – Michael Mior Jun 05 '13 at 11:30
  • See chmac's answer, that should be the accepted one! The Varnish configuration doesn't need to be edited. – caesarsol Mar 27 '14 at 14:21
10

As the OP mentioned in the comments, the solution is an Apache module. Varnish adds the X-Forwarded-For header by default.

Then an Apache module like mod_rpaf (Apache 2.2) or mod_remoteip (Apache 2.4) will set the remote_ip value to the one passed in by the X-Forwarded-For header.

This provides a far more robust solution than simply logging the value of the X-Forwarded-For header into your Apache logs. For example, it allows you to access the same site on 2 IPs, via Varnish or directly, and the site functions as you'd expect and is logged correctly.

caesarsol
chmac
  • Anyone had success with mod_remoteip? I haven't been able to get it working with Apache 2.4.7 + Varnish 4.0.1 and I haven't found anyone else who has. – curiouser Aug 22 '14 at 20:26
  • For anyone interested, I was able to get mod_remoteip to work. I posted it here: http://stackoverflow.com/questions/25455731/getting-apache-2-4-access-logs-to-show-client-ip-instead-of-127-0-0-1-with-varni – curiouser Aug 22 '14 at 21:25
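
An added example (not from the answers, and not the code of mod_rpaf or mod_remoteip) of the trust logic that makes honouring X-Forwarded-For safe: the header is read only when the TCP peer is a known proxy, and it is walked from the right so that entries a client supplied itself are never logged as the client address. The trusted-proxy list and all sample addresses are constructed, assuming Varnish runs on the same host as Apache.

```python
import ipaddress

# Assumption: Varnish is on the same host, so Apache's TCP peer is loopback.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]

def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)

def resolve_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address that should be logged as the client.

    Start at the TCP peer and walk X-Forwarded-For from right to left,
    stopping at the first hop that is not a trusted proxy. Anything further
    left was supplied by an untrusted party and is ignored.
    """
    if not is_trusted(peer_ip, trusted):
        return peer_ip  # direct connection: do not believe the header at all
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    client = peer_ip
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last validated address
        client = hop
        if not is_trusted(hop, trusted):
            break
    return client

if __name__ == "__main__":
    # Constructed samples: (TCP peer seen by Apache, X-Forwarded-For received)
    samples = [
        ("127.0.0.1", "10.9.9.9, 203.0.113.7"),  # client sent 10.9.9.9, Varnish appended client.ip
        ("198.51.100.20", "127.0.0.1"),          # request that bypassed Varnish with a forged header
        ("127.0.0.1", None),                     # via Varnish, header missing
    ]
    for peer, xff in samples:
        print(f"{peer:15} {str(xff):24} -> {resolve_client_ip(peer, xff)}")
```

In the first sample a log format that prints the raw header records both values, including the client-supplied `10.9.9.9`, while the resolved address is the one Varnish appended.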
9

Add this line to your vcl

sub vcl_recv {
  # Add a unique header containing the client address
  remove req.http.X-Forwarded-For;
  set    req.http.X-Forwarded-For = client.ip;

}

Then change the logformat of apache

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" varnishcombined

And now in your Virtualhost

<VirtualHost *:8080>
  ServerName www.abc.com

  CustomLog /var/log/httpd/www.abc.com/access.log varnishcombined

</VirtualHost>

Kevin Nguyen