Mailing List Archive

Hi,

I have the following test setup running at the moment:

Cloudflare -> HaProxy --> Varnish -> Haproxy -> Backend application.
|-------------------------------------------------|
|---------------------------------|
CDN API

Between the first HaProxy, Varnish and the second HaProxy I use the
proxy protocol to make sure that the requests that enter my environment
using the CDN are restricted using the same IP whitelist rules as they
would when accessing directly using the API. To get the external IP into
the request information and the proxy protocol I have the following
configuration in my first haproxy config:

acl FROM_CLOUDFLARE req.hdr(CF-Connecting-IP) -m found
http-request set-src hdr(CF-Connecting-IP) if FROM_CLOUDFLARE

Normal users connect to the API from the outside world and we use IP
whitelists to allow certain people access to this API.
I'm trying to setup an CDN in front of my application and to build this
I use CloudFlare, HaProxy (SSL Termination and some minimal rewrites)
and Varnish (to offload requests from my backend application)

This all works fine so far, but today I noticed that access using the
CDN is not restricted enough and I found out that it looks like the
connection between Varnish and my API is not using the proxy protocol,
or at least the information that should be available from the
CF-Connecting-IP is not visible in the HaProxy on the API backend. The
result is that all requests that enter the environment using the CDN
seem to be coming from the Varnish hosts instead of the external world.

My backend configuration in Varnish config looks like this:

import directors; # load the directors

backend blsproxy01 {
.host = "95.130.232.181";
.port = "81";
.proxy_header = 2;
.probe = {
.request =
"GET /haproxy_test HTTP/1.1"
"Host: leaseservices.eu"
"Connection: close";
}
}

backend blsproxy02 {
.host = "95.130.232.182";
.port = "81";
.proxy_header = 2;
.probe = {
.request =
"GET /haproxy_test HTTP/1.1"
"Host: leaseservices.eu"
"Connection: close";
}
}


backend blsproxy03 {
.host = "95.130.232.183";
.port = "81";
.proxy_header = 2;
.probe = {
.request =
"GET /haproxy_test HTTP/1.1"
"Host: leaseservices.eu"
"Connection: close";
}
}

sub vcl_init {
# new blsproxy = directors.round_robin();
new blsproxy = directors.random();
blsproxy.add_backend(blsproxy01,10);
blsproxy.add_backend(blsproxy02,10);
blsproxy.add_backend(blsproxy03,10);
}

I upgraded to Varnish 5.1 a little while back and I think the problem
might have started at that time, but I'm not sure at the moment. It's
all a test setup, so this was only noticed because I was doing some
tests from my home where my home should not be able to request any CDN
content at the moment.



--
Kind regards

Jan Hugo Prins
/DevOps Engineer/
<https://betterbe.com>
Auke Vleerstraat 140 E
7547 AN Enschede
CC no. 08097527
<https://www.kvk.nl/orderstraat/product-kiezen/?kvknummer=080975270000>
*T* +31 (0) 53 48 00 694 <tel:+31534800694>
*E* jprins@betterbe.com <mailto:jprins@betterbe.com>
*M* +31 (0)6 263 58 951 <tel:+31%20%280%296%20263%2058%20951>
www.betterbe.com <https://www.betterbe.com>
BetterBe accepts no liability for the content of this email, or for the
consequences of any actions taken on the basis
of the information provided, unless that information is subsequently
confirmed in writing. If you are not the intended
recipient you are notified that disclosing, copying, distributing or
taking any action in reliance on the contents of this
information is strictly prohibited.