Fixing REMOTE_ADDR when behind a proxy/varnish server

I had an annoyance where varnish proxy infront of a LAMP server and the LAMP server therefore thought all clients were from the varnish proxy – rather than the client’s real IP address – i.e. $_SERVER['REMOTE_ADDR'] was set to the IP address of the Varnish proxy and not that of the client’s actual IP address.

Obviously, Varnish adds the X_HTTP_FORWARDED_FOR HTTP header in when a connection comes through it; so my initial thought was to just overwrite PHP’s $_SERVER['REMOTE_ADDR'] setting. A bit of a hack and annoying – as I’d need to fix all sites, or have some sort of global prepend file (which is horrible).

I then discovered something which sorts the problem out  - RPAF

  • apt-get install libapache2-mod-rpaf
  • Edit /etc/apache2/mods-enabled/rpaf.conf and ensure your proxy server’s IP address is listed on the RPAFproxy_ips line (e.g. RPAFproxy_ips 127.0.0.1 89.16.176.x).
  • Restart Apache, and you’ll then find that the $_SERVER['REMOTE_ADDR'] value will be correct.

 

 

7 thoughts on “Fixing REMOTE_ADDR when behind a proxy/varnish server”

  1. Hello

    I am planning to configure Varnish on my server to hide me server ip
    consider my server ip is 66.66.66.66 and I want to configure varnish in such a way, when anyone tries to locate my server ip using any dns checker tool, it should show 127.0.0.1
    to users.

    can you tell me how can i do this. I tried alot and alot but no result.

    help needed.

    Thanks
    Yatin

  2. 127.0.0.1 is a bad example as it implies that you’re trying to hide the IP from the end user.

    If you take e.g.

    Web server IP is : 6.6.6.6
    Varnish box is : 7.7.7.7

    Then you’d configure DNS for your.domain.com to resolve to 7.7.7.7

    You’d configure Varnish on the Varnish box to listen on 7.7.7.7 and have 6.6.6.6 as a backend. You can either do this through the /etc/varnish/default.vcl file, or by editing e.g. /etc/default/varnish (on Debian) and specifying something in DAEMON_OPTS (the comments should be sufficient to give you an idea of what to do)

  3. for some reasons this solution is not working
    I did as explained but remote_addr is still my cache server ip.
    x forwarded is client ip though

  4. Hi Hassan,

    I suspect you’ve not modified (e.g. /etc/apache2/mods-enabled/rpaf.conf) and specified something like :

    RPAFenable On
    RPAFsethostname On
    RPAFproxy_ips your.proxy.ip.address

    Remember to restart Apache after doing the above.

  5. Hello david,

    Like Yatin asked, I also want to hide my ip from hacker..

    can you help with the same. I gone through your answer which you gave to Yatin…
    “Web server IP is : 6.6.6.6
    Varnish box is : 7.7.7.7

    Then you’d configure DNS for your.domain.com to resolve to 7.7.7.7

    You’d configure Varnish on the Varnish box to listen on 7.7.7.7 and have 6.6.6.6 as a backend. You can either do this through the /etc/varnish/default.vcl file, or by editing e.g. /etc/default/varnish (on Debian) and specifying something in DAEMON_OPTS ”

    But as I am new to varnish, I am not sure how to configure this..
    Please help.

  6. Read/Edit the file /etc/default/varnish – on Debian there is sufficient documentation within the file and commented out examples to get you set on your way.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>