Allow Location in NGINX Based on IP When Request Comes from Varnish

nginxvarnish

If Varnish is set as the default Cache in front of my NGINX backend, how can I check in the NGINX backend for the clients original IP and make a decision based on that?

I want to allow a certain directory only to certain IPs. Varnish being in front of NGINX, means that every request comes from 127.0.0.1. I'm thinking about setting some custom HTTP header, but how could I check that in conjunction with location ~ /folder/ {} section?

Best Answer

By default Varnish 4 would set X-Forwarded-For header as the client's real IP, but NGINX would ignore that unless you set it up explicitly.

Add these lines to your nginx configuration in the server block which makes use of the ngx_http_realip_module:

server {
    listen 80;
    set_real_ip_from   127.0.0.1;
    real_ip_header     X-Forwarded-For;
    <Other Server Options>
}

If you use Ubuntu, the module is already enabled by default. However for some linux distributions you might have to enable or install it manually. You can check the configured modules by:

nginx -V

Do not forget to reload nginx after you update the configuration:

sudo service nginx reload

Once nginx is able to get the client's real IP set by Varnish, you just need to place allow and deny options in the location blocks:

server {
    <Server Options>
    location ~ /folder/ {
        allow <IP to whitelist>;
        deny all;
        <Location Options>
    }
}

Related Solutions

Nginx – How to Set Up as a Caching Reverse Proxy

I don't think that there is a way to explicitly invalidate cached items, but here is an example of how to do the rest. Update: As mentioned by Piotr in another answer, there is a cache purge module that you can use. You can also force a refresh of a cached item using nginx's proxy_cache_bypass - see Cherian's answer for more information.

In this configuration, items that aren't cached will be retrieved from example.net and stored. The cached versions will be served up to future clients until they are no longer valid (60 minutes).

Your Cache-Control and Expires HTTP headers will be honored, so if you want to explicitly set an expiration date, you can do that by setting the correct headers in whatever you are proxying to.

There are lots of parameters that you can tune - see the nginx Proxy module documentation for more information about all of this including details on the meaning of the different settings/parameters: http://nginx.org/r/proxy_cache_path

http {
  proxy_cache_path  /var/www/cache levels=1:2 keys_zone=my-cache:8m max_size=1000m inactive=600m;
  proxy_temp_path /var/www/cache/tmp; 


  server {
    location / {
      proxy_pass http://example.net;
      proxy_cache my-cache;
      proxy_cache_valid  200 302  60m;
      proxy_cache_valid  404      1m;
    }
  }
}

Nginx – Varnish/Nginx/Apache

It really depends on the content of the site in question and the caching scheme you're using.

I looked at this scenario previously for a very high traffic site (1M+ uniques daily) and we ended up using Nginx and Apache, without Varnish. This was due to existing caching methods and the amount of dynamic content on page so we would have only been able to have Varnish cache images and static files like css and js. During testing it became an Nginx or Varnish question, since like you we wanted to keep Apache in the configuration. The benchmarking we did showed Nginx performed faster than Varnish at high volume so thats the way we went.

One thing that we could've done but didn't would be to load dynamic page sections in a separate request and then insert the content in browser, that would have allowed us to use Varnish to cache more objects, while passing the dynamic elements to Apache and serving static content via Nginx on cache misses.

As far as the logging issue, you will most likely need to write scripts that will parse/merge your logs together and then you can run your stats scripts against the merge logs. I believe there are some good log merging tools out there, but can' think of one at the moment.

Best Answer

Related Solutions

Nginx – How to Set Up as a Caching Reverse Proxy

Nginx – Varnish/Nginx/Apache

Related Topic