Fixing REMOTE_ADDR when behind a proxy/varnish server

I had an annoyance where a Varnish proxy sat in front of a LAMP server, and the LAMP server therefore thought all clients were coming from the Varnish proxy rather than from the client's real IP address; i.e. $_SERVER['REMOTE_ADDR'] was set to the IP address of the Varnish proxy and not the client's actual IP address.

Obviously, Varnish adds the X-Forwarded-For HTTP header when a connection comes through it, so my initial thought was to just overwrite PHP's $_SERVER['REMOTE_ADDR'] setting. A bit of a hack, and annoying, as I'd need to fix all sites or have some sort of global prepend file (which is horrible).

I then discovered something which sorts the problem out: RPAF.

  • apt-get install libapache2-mod-rpaf
  • Edit /etc/apache2/mods-enabled/rpaf.conf and ensure your proxy server’s IP address is listed on the RPAFproxy_ips line (e.g. RPAFproxy_ips 127.0.0.1 89.16.176.x).
  • Restart Apache, and you'll then find that the $_SERVER['REMOTE_ADDR'] value will be correct.
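
The check that RPAFproxy_ips expresses, written out in PHP as an added example (not code from the original post or from mod_rpaf): the forwarded header is believed only when the connection really comes from a listed proxy, because any client can send that header itself. The function name resolve_client_ip, the 192.0.2.10 proxy address and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added illustration (not mod_rpaf's code): honour X-Forwarded-For only when
// the TCP peer is a listed proxy, which is the role RPAFproxy_ips plays.

/**
 * Hypothetical helper: resolve the client address from a $_SERVER-style array.
 * $trustedProxies corresponds to the addresses on the RPAFproxy_ips line.
 */
function resolve_client_ip(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';

    // Peer is not one of our proxies, or sent no header: keep REMOTE_ADDR.
    if (!in_array($peer, $trustedProxies, true)
        || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }

    // Each proxy appends the address it saw, so walk from the right and stop
    // at the first hop that is not one of our own proxies.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed entry: fall back to the peer address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer; // header listed only our own proxies
}

// Constructed sample requests (documentation addresses, not real hosts).
$proxies = ['127.0.0.1', '192.0.2.10'];

// Via the proxy: the client supplied its own entry, the proxy appended the real peer.
$viaProxy = ['REMOTE_ADDR' => '192.0.2.10',
             'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 203.0.113.7'];
echo resolve_client_ip($viaProxy, $proxies), PHP_EOL;

// Direct to Apache, not through the proxy: the client-supplied header is ignored.
$direct = ['REMOTE_ADDR' => '198.51.100.23',
           'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
echo resolve_client_ip($direct, $proxies), PHP_EOL;
```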


Comments

7 responses to “Fixing REMOTE_ADDR when behind a proxy/varnish server”

  1. Yatin

    Hello

    I am planning to configure Varnish on my server to hide my server IP.
    Consider my server IP is 66.66.66.66, and I want to configure Varnish in such a way that, when anyone tries to locate my server IP using any DNS checker tool, it should show 127.0.0.1 to users.

    Can you tell me how I can do this? I tried a lot and a lot but no result.

    Help needed.

    Thanks
    Yatin

  2. David Goodwin

    127.0.0.1 is a bad example as it implies that you’re trying to hide the IP from the end user.

    If you take e.g.

    Web server IP is : 6.6.6.6
    Varnish box is : 7.7.7.7

    Then you’d configure DNS for your.domain.com to resolve to 7.7.7.7

    You’d configure Varnish on the Varnish box to listen on 7.7.7.7 and have 6.6.6.6 as a backend. You can either do this through the /etc/varnish/default.vcl file, or by editing e.g. /etc/default/varnish (on Debian) and specifying something in DAEMON_OPTS (the comments should be sufficient to give you an idea of what to do)

  3. Hassan

    For some reason this solution is not working.
    I did as explained, but REMOTE_ADDR is still my cache server IP.
    X-Forwarded-For is the client IP though.

  4. David Goodwin

    Hi Hassan,

    I suspect you’ve not modified (e.g. /etc/apache2/mods-enabled/rpaf.conf) and specified something like :

    RPAFenable On
    RPAFsethostname On
    RPAFproxy_ips your.proxy.ip.address

    Remember to restart Apache after doing the above.

  5. Kai Köpke

    Thanks for your blog post. Was working fine and helped to terminate some problems with payment providers in Magento + Varnish.

  6. vijay

    Hello David,

    Like Yatin asked, I also want to hide my IP from hackers.

    Can you help with the same? I have gone through the answer which you gave to Yatin…
    “Web server IP is : 6.6.6.6
    Varnish box is : 7.7.7.7

    Then you’d configure DNS for your.domain.com to resolve to 7.7.7.7

    You’d configure Varnish on the Varnish box to listen on 7.7.7.7 and have 6.6.6.6 as a backend. You can either do this through the /etc/varnish/default.vcl file, or by editing e.g. /etc/default/varnish (on Debian) and specifying something in DAEMON_OPTS ”

    But as I am new to Varnish, I am not sure how to configure this.
    Please help.

  7. David Goodwin

    Read/Edit the file /etc/default/varnish – on Debian there is sufficient documentation within the file and commented out examples to get you set on your way.
