Diffstat (limited to 'src/vmod_remoteip.vcc')
-rw-r--r-- | src/vmod_remoteip.vcc | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/src/vmod_remoteip.vcc b/src/vmod_remoteip.vcc new file mode 100644 index 0000000..b46aef5 --- /dev/null +++ b/src/vmod_remoteip.vcc 
@@ -0,0 +1,62 @@ +$Module remoteip 3 "Return probable IP address based on request headers" + +DESCRIPTION +=========== + +This modules is for Varnish Cache what mod_remoteip is for Apache. It +determines the actual client IP address for the connection, using the +useragent IP address list presented by a proxies or a load balancer +via the request headers and a preconfigred list of trusted IP +addresses. For example, if your Varnish server works behind a load +balancer or yet another reverse proxy (such as pound or haproxy to +handle the TLS connection), you can use this module to get the real +incoming connection IP address from the **X-Forwarded-For** header. + +$Event remoteip_event + +$Function VOID init(PRIV_VCL, STRING trusted) + +Description + Initializes the module. The **trusted** argument is a string + containing comma-separated list of IP addresses of hosts which + are trusted to correctly set the value of the **X-Forwarded-For** + header (or other header whose value is used as argument in the + **remoteip.get** call, which is described below). Arbitrary + amount of whitespace is allowed to surround each address. + Each address cna be a valid IPv4 or IPv6 address, optionally + followed by a slash and the netmask or netmask length. + +$Function STRING get(PRIV_VCL, STRING header) + +Description + The **header** argument is the value of the **X-Forwarded-For** + or a similar header, i.e. a comma-delimited list of useragent + IP addresses with optional whitespace around them. The + function scans this list from right to left, comparing each + address with the trusted IP address list, configured with a + prior call to **init**. Processing halts when the IP address + is not found in that list or when the list is exhausted. In + the latter case, the first address from the **header** list is + returned. 
+ +EXAMPLE +======= + :: + + sub vcl_init { + remoteip.init("192.0.2.1, 127.0.0.0/8"); + } + + sub vcl_recv { + set resp.http.x-real-ip = remoteip.get(resp.http.X-Forwarded-For); + ... + } + +COPYRIGHT +========= + +| Copyright (C) Sergey Poznyakoff +| License GPLv3+: GNU GPL version 3 or later +| <http://gnu.org/licenses/gpl.html> +| This is free software: you are free to change and redistribute it. +| There is NO WARRANTY, to the extent permitted by law. |
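Review bot: The EXAMPLE's vcl_recv block uses resp.http on both sides (`set resp.http.x-real-ip = remoteip.get(resp.http.X-Forwarded-For);`), but resp is not available in vcl_recv, so the example will not compile as written. It should read req.http.X-Forwarded-For and set a req.http header instead. The description of get states the return value only for the case where the list is exhausted. Please say explicitly that the first non-trusted address is returned when processing halts, and document the result for an unset or empty header, for a malformed entry, and for a call made before init. The scan as described covers only the addresses in the header, so the text should also state whether the caller is expected to check that the connecting peer (client.ip) is itself in the trusted list before using the result, since the header is otherwise client-supplied input. Typos to fix in the DESCRIPTION and init text: "This modules", "by a proxies", "preconfigred", "cna".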