Diffstat (limited to 'src/vmod_remoteip.vcc')
-rw-r--r-- src/vmod_remoteip.vcc 62
1 files changed, 62 insertions, 0 deletions
diff --git a/src/vmod_remoteip.vcc b/src/vmod_remoteip.vcc
new file mode 100644
index 0000000..b46aef5
--- /dev/null
+++ b/src/vmod_remoteip.vcc
@@ -0,0 +1,62 @@
+$Module remoteip 3 "Return probable IP address based on request headers"
+
+DESCRIPTION
+===========
+
+This modules is for Varnish Cache what mod_remoteip is for Apache. It
+determines the actual client IP address for the connection, using the
+useragent IP address list presented by a proxies or a load balancer
+via the request headers and a preconfigred list of trusted IP
+addresses. For example, if your Varnish server works behind a load
+balancer or yet another reverse proxy (such as pound or haproxy to
+handle the TLS connection), you can use this module to get the real
+incoming connection IP address from the **X-Forwarded-For** header.
+
+$Event remoteip_event
+
+$Function VOID init(PRIV_VCL, STRING trusted)
+
+Description
+ Initializes the module. The **trusted** argument is a string
+ containing comma-separated list of IP addresses of hosts which
+ are trusted to correctly set the value of the **X-Forwarded-For**
+ header (or other header whose value is used as argument in the
+ **remoteip.get** call, which is described below). Arbitrary
+ amount of whitespace is allowed to surround each address.
+ Each address cna be a valid IPv4 or IPv6 address, optionally
+ followed by a slash and the netmask or netmask length.
+
+$Function STRING get(PRIV_VCL, STRING header)
+
+Description
+ The **header** argument is the value of the **X-Forwarded-For**
+ or a similar header, i.e. a comma-delimited list of useragent
+ IP addresses with optional whitespace around them. The
+ function scans this list from right to left, comparing each
+ address with the trusted IP address list, configured with a
+ prior call to **init**. Processing halts when the IP address
+ is not found in that list or when the list is exhausted. In
+ the latter case, the first address from the **header** list is
+ returned.
+
+EXAMPLE
+=======
+ ::
+
+ sub vcl_init {
+ remoteip.init("192.0.2.1, 127.0.0.0/8");
+ }
+
+ sub vcl_recv {
+ set resp.http.x-real-ip = remoteip.get(resp.http.X-Forwarded-For);
+ ...
+ }
+
+COPYRIGHT
+=========
+
+| Copyright (C) Sergey Poznyakoff
+| License GPLv3+: GNU GPL version 3 or later
+| <http://gnu.org/licenses/gpl.html>
+| This is free software: you are free to change and redistribute it.
+| There is NO WARRANTY, to the extent permitted by law.
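Review bot: The EXAMPLE's vcl_recv uses the resp object, which is not available in vcl_recv, so the snippet will not compile as documented; it should read the request header and set a request header, e.g. `set req.http.x-real-ip = remoteip.get(req.http.X-Forwarded-For);`. In the description of get, please also state explicitly that the address at which processing halts (the first untrusted one from the right) is the value returned, and say what is returned when **header** is empty or unset or when an entry is not a valid IP address, since callers will use the result for access decisions. Minor wording in the same hunk: "This modules", "a proxies", "preconfigred" and "cna" are typos.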
