#+TITLE: vmod_remoteip: Deduce actual client IP address for Varnish Cache

* Overview

This module is for Varnish Cache what =mod_remoteip= is for Apache. It
determines the actual client IP address for the connection, using the
useragent IP address list presented by a proxy or load balancer
via the request headers and a preconfigured list of trusted IP
addresses.  For example, if your Varnish server works behind a load
balancer or yet another reverse proxy (such as pound or haproxy to
handle the TLS connection), you can use this module to get the real
incoming connection IP address from the =X-Forwarded-For= header.

* Example

The following example VCL uses the client address deduced from the
value of the =X-Forwarded-For= header to enable the code specific for
hosts from the ACL "allowed":

#+BEGIN_SRC vcl-script
  import std;
  import remoteip;
 
  sub vcl_init {
      // Register trusted proxy server addresses
      remoteip.init("192.0.2.1, 127.0.0.1");
  }

  acl allowed {
      "203.0.113.1";
      "192.0.2.10";
  }

  sub vcl_recv {
      set req.http.x-real-ip = remoteip.get(req.http.X-Forwarded-For);
      if (std.ip(req.http.x-real-ip) ~ allowed) {
          ...
      }
  }
#+END_SRC
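
Why the trusted list matters for the ACL check above, shown as an added Python model that is not the module's own code. It assumes the header is scanned right to left in the manner of Apache's =mod_remoteip=; the function names and the sample headers are constructed for illustration.

```python
import ipaddress

# Values copied from the VCL example above.
TRUSTED = "192.0.2.1, 127.0.0.1"          # argument of remoteip.init()
ALLOWED = ["203.0.113.1", "192.0.2.10"]   # acl allowed


def parse_trusted(spec):
    """Parse the comma-separated address list into single-host networks."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in spec.split(",") if p.strip()]


def deduce_client_ip(xff, trusted):
    """Assumed algorithm: scan X-Forwarded-For right to left, skipping
    trusted proxies; the first untrusted address is the client."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    candidate = None
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: nothing further left can be vouched for
        candidate = addr
        if not any(addr in net for net in trusted):
            break  # first hop that no trusted proxy vouches for
    return str(candidate) if candidate else None


def naive_leftmost(xff):
    """What a plain 'take the first entry' rule would return."""
    return xff.split(",")[0].strip()


def in_allowed(ip):
    """Stand-in for the 'allowed' ACL match in vcl_recv."""
    return ip in ALLOWED


if __name__ == "__main__":
    trusted = parse_trusted(TRUSTED)
    # Constructed header: the first entry came from the client's own request,
    # the second was appended by the trusted proxy, the third is the proxy.
    header = "203.0.113.1, 198.51.100.7, 192.0.2.1"
    naive = naive_leftmost(header)
    real = deduce_client_ip(header, trusted)
    print("leftmost entry:", naive, "allowed:", in_allowed(naive))
    print("deduced client:", real, "allowed:", in_allowed(real))
```

Only entries appended by an address on the trusted list are believed, so a client-supplied first entry does not reach the ACL comparison.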

* Installation

In order to compile the package you need the varnishd and varnishapi
packages.  The module has been tested with Varnish version 6.3.1 and
higher.  Python 3, [[https://sourceforge.net/projects/docutils][Docutils]] 
and [[http://sphinx-doc.org][Sphinx]] are needed to build documentation.
On Debian-based systems, this requires the =python3-docutils= and
=python3-sphinx= packages.

If these prerequisites are met, run:

#+BEGIN_SRC shell-script
   ./configure
#+END_SRC

If both Python versions 2.x and 3.x are installed on the system,
chances are version 2 is used by default.  In that case, require
version 3 explicitly, as shown in this example: 

#+BEGIN_SRC shell-script
   ./configure PYTHON=python3
#+END_SRC
   
Otherwise, the configure script should be able to automatically find
the necessary components.  In case it doesn't, tweak the configuration
variables as necessary.  The most important one is =PKG_CONFIG_PATH=,
which contains a path (in the UNIX sense) where the =.pc= files are
located.  It should contain a directory where the =varnishapi.pc= file
lives.  Example usage:

#+BEGIN_SRC shell-script
   ./configure PKG_CONFIG_PATH=/opt/varnish/lib/pkgconfig:$PKG_CONFIG_PATH
#+END_SRC

Please read the file =INSTALL= for a detailed discussion of available variables
and command line options.

Once configured, do
 
#+BEGIN_SRC shell-script
   make
#+END_SRC

This will build the module.  After this step you can optionally run
=make test= to test the package.

Finally, run the following command as root:

#+BEGIN_SRC shell-script
  make install
#+END_SRC

* Documentation

The manual page
[[http://man.gnu.org.ua/manpage/?3+vmod_remoteip][vmod_remoteip(3)]] will
be available after a successful install.  To read it without actually
installing the module, run =man src/vmod_remoteip.3=.

An online copy of the documentation is available from
http://ps.gnu.org.ua/software/vmod-remoteip.

* Downloads

Source tarballs can be downloaded from
https://download.gnu.org.ua/release/vmod-remoteip.

The git repository is available at
http://git.gnu.org.ua/cgit/vmod-remoteip.git.

The project home page is
https://puszcza.gnu.org.ua/projects/vmod-remoteip.

* Copyright

Copyright (C) 2020 Sergey Poznyakoff

Permission is granted to anyone to make or distribute verbatim copies
of this document as received, in any medium, provided that the
copyright notice and this permission notice are preserved,
thus giving the recipient permission to redistribute in turn.

Permission is granted to distribute modified versions
of this document, or of portions of it,
under the above conditions, provided also that they
carry prominent notices stating who last changed them.

* Bug reporting

Send bug reports and suggestions to <gray@gnu.org>

* Document settings :noexport:

Please ignore this section. It supplies the variables necessary for
proper rendering of this document.

:PROPERTIES:
:VISIBILITY: folded
:END:

#+STARTUP: showall
#+EXCLUDE_TAGS: noexport
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="style1.css" />
#+OPTIONS: ^:nil

# Local Variables:
# mode: org
# paragraph-separate: "[ 	]*$"
# version-control: never
# End:


