Mailing List Archive

Using ACL with non-IP fields
Hi folks.

Because my varnish nodes are behind two different proxies, I can't really
use client.ip within my VCL. What I have is a header "X-Real-Ip" instead,
which is populated automatically by one proxy, and by me derived from the
"X-Forwarded-For" for the other.

What this means is that where I would usually use ACL to block access to a
resource:

if (req.http.host == "test.mydomain.com") {
    if (client.ip ~ trustedips) {
        # allow access
    } else {
        return (synth(405, "Not allowed"));
    }
}

But this doesn't work if I replace client.ip with a non-IP typed field.

Message from VCC-compiler:
Expected CSTR got 'purgers'
(program line 1193), at
('default.vcl' Line 339 Pos 34)
if (req.http.X-Real-Ip ~ trustedips) {
---------------------------------##########---

Is there any way I can get the same result as this but without using
client.ip?

thanks,

Mark
Re: Using ACL with non-IP fields
Hi Mark, you need to use std.ip() from the std vmod.

Also, I highly recommend using the PROXY protocol (Varnish, HAProxy and
Nginx, at least support it), it will allow you to use client.ip directly
and not bother with this.

--
Guillaume Quintard

On Fri, Mar 31, 2017 at 11:44 AM, Mark Hanford <mark@hanfordonline.co.uk>
wrote:

> Hi folks.
>
> Because my varnish nodes are behind two different proxies, I can't really
> use client.ip within my VCL. What I have is a header "X-Real-Ip" instead,
> which is populated automatically by one proxy, and by me derived from the
> "X-Forwarded-For" for the other.
>
> What this means is that where I would usually use ACL to block access to a
> resource:
>
> if (req.http.host == "test.mydomain.com") {
> if (client.ip ~ trustedips) {
> # allow access
> } else {
> return (synth(405, "Not allowed");
> }
> }
>
> But this doesn't work if I replace client.ip with a non-IP typed field.
>
> Message from VCC-compiler:
> Expected CSTR got 'purgers'
> (program line 1193), at
> ('default.vcl' Line 339 Pos 34)
> if (req.http.X-Real-Ip ~ trustedips) {
> ---------------------------------##########---
>
> Is there any way I can get the same result as this but without using
> client.ip?
>
> thanks,
>
> Mark
>
> _______________________________________________
> varnish-misc mailing list
> varnish-misc@varnish-cache.org
> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
>
Re: Using ACL with non-IP fields
> Is there any way I can get the same result as this but without using
> client.ip?

Yes: std.ip(string, ip_fallback)

if (std.ip(req.http.X-Real-Ip, "some_address") ~ trustedips) {

See man vmod_std, or search the online docs.

Dridi

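A complete VCL snippet that puts Dridi's std.ip() answer into the access check Mark described, added here as an example and not code from the thread. It assumes an extra acl named proxies listing the two upstream proxies (constructed addresses, as are the backend and trustedips entries) and only honours X-Real-Ip when the TCP peer is one of them, because a client that reaches Varnish directly could otherwise set the header itself; the fallback address passed to std.ip() must not be a member of trustedips.

```vcl
vcl 4.0;

import std;

backend default {
    .host = "127.0.0.1";   # assumed backend
    .port = "8080";
}

# Upstream proxies allowed to supply X-Real-Ip (assumed addresses).
acl proxies {
    "10.0.0.5";
    "10.0.0.6";
}

# Clients allowed to reach the protected host (assumed addresses).
acl trustedips {
    "192.0.2.10";
    "198.51.100.0"/24;
}

sub vcl_recv {
    # Only a known proxy may tell us the real client address. For anything
    # that connects directly, overwrite the header with the TCP peer address
    # so a client cannot choose its own value.
    if (!(client.ip ~ proxies)) {
        set req.http.X-Real-Ip = client.ip;
    }

    if (req.http.host == "test.mydomain.com") {
        # std.ip() converts the header into an IP so it can be matched
        # against the ACL. An absent or malformed header falls back to
        # 0.0.0.0, which is deliberately not in trustedips, so the check
        # fails closed.
        if (std.ip(req.http.X-Real-Ip, "0.0.0.0") ~ trustedips) {
            return (hash);
        } else {
            return (synth(405, "Not allowed"));
        }
    }
}
```
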
Re: Using ACL with non-IP fields
Yeah, I'm looking into PROXY. We have up to two proxies in the way, the
first that all traffic has to go through is a Cisco Ace we use for load
balancing and SSL offloading, and the second is a CaddyServer that some
traffic will go through for LetsEncrypt certificates. It's getting both of
those set up to present similar data to the Varnish nodes that's the trick -
we don't have direct control of the Cisco gear either. Both should be able
to do it, I guess I just need to work out the wrinkles.

--
Mark

On 31 March 2017 at 10:59, Guillaume Quintard <
guillaume@varnish-software.com> wrote:

> Hi Mark, you need to use std.ip() from the std vmod.
>
> Also, I highly recommend using the PROXY protocol (Varnish, HAProxy and
> Nginx, at least support it), it will allow you to use client.ip directly
> and not bother with this.
>
> --
> Guillaume Quintard
>
> On Fri, Mar 31, 2017 at 11:44 AM, Mark Hanford <mark@hanfordonline.co.uk>
> wrote:
>
>> Hi folks.
>>
>> Because my varnish nodes are behind two different proxies, I can't really
>> use client.ip within my VCL. What I have is a header "X-Real-Ip" instead,
>> which is populated automatically by one proxy, and by me derived from the
>> "X-Forwarded-For" for the other.
>>
>> What this means is that where I would usually use ACL to block access to
>> a resource:
>>
>> if (req.http.host == "test.mydomain.com") {
>> if (client.ip ~ trustedips) {
>> # allow access
>> } else {
>> return (synth(405, "Not allowed");
>> }
>> }
>>
>> But this doesn't work if I replace client.ip with a non-IP typed field.
>>
>> Message from VCC-compiler:
>> Expected CSTR got 'purgers'
>> (program line 1193), at
>> ('default.vcl' Line 339 Pos 34)
>> if (req.http.X-Real-Ip ~ trustedips) {
>> ---------------------------------##########---
>>
>> Is there any way I can get the same result as this but without using
>> client.ip?
>>
>> thanks,
>>
>> Mark
>>
>
>
Re: Using ACL with non-IP fields
Aah, thanks for that. I thought I'd looked through std, but must've missed
that bit. Still getting the hang of the post-v3 way of doing things :)

thanks

--
Mark

On 31 March 2017 at 11:05, Dridi Boukelmoune <dridi@varni.sh> wrote:

> > Is there any way I can get the same result as this but without using
> > client.ip?
>
> Yes: std.ip(string, ip_fallback)
>
> if (std.ip(req.http.X-Real-Ip, "some_address") ~ trustedips) {
>
> See man vmod_std, or search the online docs.
>
> Dridi
>
Re: Using ACL with non-IP fields
From one of my production servers:

import std;

sub vcl_deliver {
    if (std.ip(req.http.RIP, "0.0.0.0") ~ hitpass) {
        ....
    }
}

"RIP" is the client IP value in the header.

On Fri, Mar 31, 2017 at 1:05 PM, Dridi Boukelmoune <dridi@varni.sh> wrote:

> > Is there any way I can get the same result as this but without using
> > client.ip?
>
> Yes: std.ip(string, ip_fallback)
>
> if (std.ip(req.http.X-Real-Ip, "some_address") ~ trustedips) {
>
> See man vmod_std, or search the online docs.
>
> Dridi
>