
Fixing REMOTE_ADDR when behind a proxy/varnish server

I had an annoyance where a Varnish proxy sat in front of a LAMP server, and the LAMP server therefore thought all clients were from the Varnish proxy rather than the client’s real IP address – i.e. $_SERVER['REMOTE_ADDR'] was set to the IP address of the Varnish proxy and not the client’s actual IP address.

Obviously, Varnish adds the X_HTTP_FORWARDED_FOR HTTP header when a connection comes through it, so my initial thought was to just overwrite PHP’s $_SERVER['REMOTE_ADDR'] setting. A bit of a hack and annoying – as I’d need to fix all sites, or have some sort of global prepend file (which is horrible).

I then discovered something which sorts the problem out – RPAF:

  • apt-get install libapache2-mod-rpaf
  • Edit /etc/apache2/mods-enabled/rpaf.conf and ensure your proxy server’s IP address is listed on the RPAFproxy_ips line (e.g. RPAFproxy_ips 127.0.0.1 89.16.176.x).
  • Restart Apache, and you’ll then find that the $_SERVER['REMOTE_ADDR'] value will be correct.
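
The prepend-file idea and the RPAFproxy_ips line both depend on one rule: a forwarded-for header is only believable when the connection itself comes from a proxy you run, because any client can send that header. The PHP below is an added example illustrating that rule; it is not code from the original post or from mod_rpaf. The function name resolve_client_ip, the proxy list and the sample addresses are constructed, and the header is read from $_SERVER['HTTP_X_FORWARDED_FOR'], which is how PHP exposes X-Forwarded-For.

```php
<?php
/**
 * Return the client address for a request, honouring X-Forwarded-For only
 * when the TCP peer (REMOTE_ADDR) is one of our own proxies.
 *
 * @param array $server         $_SERVER-style array
 * @param array $trustedProxies exact IPs of proxies we operate (assumed list)
 */
function resolve_client_ip(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';

    // Direct connection or unknown host: the header is client-supplied,
    // so it must be ignored.
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;
    }

    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_filter(array_map('trim', explode(',', $header)), 'strlen');

    // Walk right to left: each proxy appends the address it saw, so the
    // rightmost entry that is not one of our proxies is the real client.
    // Anything further left was supplied by the client and is untrusted.
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed entry: fall back to the peer address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer; // header missing, empty, or listing only our proxies
}

// Constructed sample requests using documentation-range addresses.
$proxies = ['127.0.0.1', '192.0.2.10'];
$cases = [
    'via proxy'            => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    'direct, forged'       => ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'],
    'via proxy, forged hop' => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 203.0.113.7'],
    'via proxy, no header' => ['REMOTE_ADDR' => '192.0.2.10'],
];
foreach ($cases as $name => $server) {
    printf("%-22s => %s\n", $name, resolve_client_ip($server, $proxies));
}
```

The forged 10.0.0.1 value is never returned in either forged case: on the direct connection the header is ignored outright, and behind the proxy only the entry the proxy itself appended is used.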

 

 

7 replies on “Fixing REMOTE_ADDR when behind a proxy/varnish server”

Hello

I am planning to configure Varnish on my server to hide my server IP. Consider my server IP is 66.66.66.66, and I want to configure Varnish in such a way that, when anyone tries to locate my server IP using any DNS checker tool, it should show 127.0.0.1 to users.

Can you tell me how I can do this? I tried a lot and a lot but no result.

Help needed.

Thanks
Yatin

127.0.0.1 is a bad example as it implies that you’re trying to hide the IP from the end user.

If you take e.g.

Web server IP is : 6.6.6.6
Varnish box is : 7.7.7.7

Then you’d configure DNS for your.domain.com to resolve to 7.7.7.7

You’d configure Varnish on the Varnish box to listen on 7.7.7.7 and have 6.6.6.6 as a backend. You can either do this through the /etc/varnish/default.vcl file, or by editing e.g. /etc/default/varnish (on Debian) and specifying something in DAEMON_OPTS (the comments should be sufficient to give you an idea of what to do)

For some reason this solution is not working.
I did as explained, but remote_addr is still my cache server IP.
x forwarded is the client IP though.

Hi Hassan,

I suspect you’ve not modified (e.g. /etc/apache2/mods-enabled/rpaf.conf) and specified something like :

RPAFenable On
RPAFsethostname On
RPAFproxy_ips your.proxy.ip.address

Remember to restart Apache after doing the above.

Hello David,

Like Yatin asked, I also want to hide my IP from hackers.

Can you help with the same? I have gone through the answer which you gave to Yatin…
“Web server IP is : 6.6.6.6
Varnish box is : 7.7.7.7

Then you’d configure DNS for your.domain.com to resolve to 7.7.7.7

You’d configure Varnish on the Varnish box to listen on 7.7.7.7 and have 6.6.6.6 as a backend. You can either do this through the /etc/varnish/default.vcl file, or by editing e.g. /etc/default/varnish (on Debian) and specifying something in DAEMON_OPTS ”

But as I am new to Varnish, I am not sure how to configure this.
Please help.

Read/Edit the file /etc/default/varnish – on Debian there is sufficient documentation within the file and commented out examples to get you set on your way.
