Blocking ips with .htaccess behind varnish

.htaccessapache-2.2varnish

I have the following issue. I have a normal apache/varnish installation on a server with 5 IPs and varnish sends each request to apache using the local IP (which i think is normal since in the backend I can get the referrer with php's $_SERVER['HTTP_X_FORWARDED_FOR'].

I cannot use though the .htaccess file's blocks since apache gets only the local IP. Everything I deny from inside .htaccess is never applied. If i go to port :81 (apache's port), the block works normally.

What I need to do is find a way to either block the IP from varnish itself or send back to apache the original referrer ID and all this without restarting varnish (Of course, if this is not possible, I will have to do so…)

That specific IP I want to block, is getting very suspicious……

Thank you all in advance

Best Answer

You should install mod_rpaf on your apache server. This will update the remote address with the last IP address from the X-Forwarded-For header. On debian based systems:

sudo apt-get install libapache2-mod-rpaf

then restart apache.

Related Solutions

Iptables PREROUTING to redirect port 80 through varnish for selected IP

You can specify source address (or network) in an iptables redirect as follows:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

The rules are read from top to bottom, and first match goes, so you might have to stick it in the right place.

Static file download from browser breaking in varnish but works fine in Apache

You are hitting the Varnish send_timeout limit. The default value for send_timeout was 600s, with Varnish 3.0 it was changed to 60s. This may intefere with downloads taking longer than 60s.

You can check the value of the send_timeout parameter with varnishadm:

varnishadm param.show send_timeout

This will output something like:

send_timeout           60 [seconds]
                       Default is 60
                       Send timeout for client connections. If the HTTP
                       response hasn't been transmitted in this many
                       seconds the session is closed. 
                       See setsockopt(2) under SO_SNDTIMEO for more
                       information.

                       NB: This parameter may take quite some time to
                       take (full) effect.

You can set it to 600s with:

varnishadm param.set send_timeout 600s

To make this setting persistent, you have to add "-p sendtimeout 600" to the startup parameters of Varnish. This depends on the distribution you are using. In case of Debian/Ubuntu yo may want to edit /etc/default/varnish.

Best Answer

Related Solutions

Iptables PREROUTING to redirect port 80 through varnish for selected IP

Static file download from browser breaking in varnish but works fine in Apache

Related Topic