Overview
By default, after installing Varnish you may notice that the client IP address listed in the Apache log files is 127.0.0.1. If you have configured Varnish to listen for traffic on port 80 and forward all non-cached traffic on to Apache, Apache sees each request as a local request, so the IP address appears as 127.0.0.1. This can prove annoying when debugging your site or if you ever need to block requests made by a particular IP address. To solve this problem we need to edit vcl_recv in our default.vcl file and configure it to forward the client IP address. Then we need to configure Apache to support a new LogFormat, and finally we need to modify our virtual hosts to use the new format. This tutorial assumes that you already have Varnish configured with Apache and that it is working as expected.
Note: For this tutorial, I am using Debian 6.0 Squeeze, Varnish 2.1.3, Apache 2.2.16, and I am logged in as root.
Update vcl_recv in /etc/varnish/default.vcl:
sub vcl_recv {
    # Rename the incoming XFF header to work around a Varnish bug.
    if (req.http.X-Forwarded-For) {
        # Append the client IP
        set req.http.X-Real-Forwarded-For = req.http.X-Forwarded-For ", " regsub(client.ip, ":.*", "");
        unset req.http.X-Forwarded-For;
    }
    else {
        // Simply use the client IP
        set req.http.X-Real-Forwarded-For = regsub(client.ip, ":.*", "");
    }
}
Configure Apache to support the new Varnish LogFormat
echo 'LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" varnishcombined' > /etc/apache2/conf.d/varnish-log
Modify the default site and virtual hosts to use the new format
From:
CustomLog /var/log/apache2/domain.com-access.log combined
To:
CustomLog /var/log/apache2/domain.com-access.log varnishcombined
Restart Varnish and Apache
$ service apache2 restart && service varnish restart
Disable and re-enable the default site and all virtual hosts for the new log format
$ a2dissite default example.com www.example.com example2.com www.example2.com
$ a2ensite default example.com www.example.com example2.com www.example2.com
That’s it! We’re done! Just check your log files to see whether the client IP addresses are being forwarded.
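One way to do that final check, as an added example that is not part of the original tutorial: the script reads lines in the varnishcombined format and counts how many start with a forwarded address, how many still show loopback, how many have no header at all ("-"), and how many carry a comma-separated list of addresses. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize the first field of varnishcombined access-log lines.

# Constructed sample lines (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Oct/2011:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2011:13:55:37 +0000] "GET /a HTTP/1.1" 200 512 "-" "Mozilla/5.0"
- - - [10/Oct/2011:13:55:38 +0000] "GET /b HTTP/1.1" 200 512 "-" "curl/7.21"
198.51.100.4, 203.0.113.9 - - [10/Oct/2011:13:55:39 +0000] "GET /c HTTP/1.1" 200 99 "-" "Mozilla/5.0"
EOF
}

# Reads log lines on stdin and prints one summary line.
summarize_client_field() {
    awk '
    {
        # Everything before the timestamp is "<X-Forwarded-For> %l %u".
        cut = index($0, " [")
        if (cut == 0) next                 # not an access-log line, skip it
        head = substr($0, 1, cut - 1)
        # Drop the trailing %l and %u tokens. What remains is the header
        # value, which contains ", " when it lists more than one address.
        sub(/ [^ ]+ [^ ]+$/, "", head)
        if (head == "-")                               missing++
        else if (head == "127.0.0.1" || head == "::1") loopback++
        else if (index(head, ",") > 0)                 chained++
        else                                           forwarded++
    }
    END {
        printf "forwarded=%d loopback=%d missing=%d chained=%d\n",
               forwarded, loopback, missing, chained
    }'
}

# Demo on the constructed sample.
sample_log | summarize_client_field
```

To run it on a real log, feed the file on stdin, for example summarize_client_field < /var/log/apache2/domain.com-access.log. A non-zero loopback count after the change suggests a virtual host that is still logging with the old combined format, and a chained entry contains addresses supplied in the request itself, so treat only an address added by your own proxy as reliable when deciding what to block.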