Configure Varnish to Forward Client IP Addresses in the Apache Logs

Submitted by Will Jackson on Sun, 07/22/2012 - 4:13am

Overview

By default, after installing Varnish you may notice that the client IP address listed in the Apache log files is 127.0.0.1.  If you have configured Varnish to listen for traffic on port 80 and forward all non-cached traffic onto Apache.  Apache sees this a local request so the IP address will appear to be 127.0.0.1.  This can prove to be annoying when debugging your site or if you ever have the need to block requests made by a particular IP address.  To solve this problem we will need to enable vcl_rev  in our default.vcl file and configure it to forward the client IP address.  Then we will need to configure apache to support a new LogFormat, and then we will need to modify our virtual hosts to support the new format.  This tutorial assumes that you already have Varnish configured with Apache and it is working as expected.

Note: For this tutorial, I am using Debian 6.0 Squeeze, Varnish 2.1.3, Apache 2.2.16, and I am logged in as root.

 

Update vcl_recv /etc/varnish/default.vcl


sub vcl_recv {
#       Rename the incoming XFF header to work around a Varnish bug.
if (req.http.X-Forwarded-For) {
#       Append the client IP
  set req.http.X-Real-Forwarded-For = req.http.X-Forwarded-For ", " regsub(client.ip, ":.*", "");
  unset req.http.X-Forwarded-For;
}
else {
  // Simply use the client IP
  set req.http.X-Real-Forwarded-For = regsub(client.ip, ":.*", "");
}
}

Apache to support new Varnish LogFormat


echo 'LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" varnishcombined' > /etc/apache2/conf.d/varnish-log

Modify default and virtualhosts to use the new format


From: 
​CustomLog /var/log/apache2/domain.com-access.log combined

To:
​CustomLog /var/log/apache2/domain.com-access.log varnishcombined

Restart Varnish and Apache


$ service apache2 restart && service varnish restart

Disable/Re-enable default and all virtualhosts for new log format


$ a2dissite default example.com www.example.com example2.com www.example2.com
$ a2ensite default example.com www.example.com example2.com www.example2.com

 

That’s it!  We’re done!  Just have to check your log files to see if the client IP Addresses are being forwarded.


Sources: