Nginx – Varnish client.ip says 127.0.0.1

apache-2.2nginxUbuntuvarnishx-forwarded-for

So I have a setup like Nginx -> varnish -> apache2
If I get a request with a static file it is sent through nginx to varnish and back to nginx again since its a lot faster than letting apache2 server it. My problem is that when I do a

sub vcl_fetch {
    set beresp.http.X-Tabulex-Client = client.ip;

to see what the clients ip address is I am being told its 127.0.0.1 (X-Tabulex-Client 127.0.0.1) In the vcl_recv I have:

sub vcl_recv {
    if ((!req.url ~"^/typo3temp/*" && !req.url ~"^/typo3/*") &&req.url ~"\.(jpg|css|gif|png|js)(\?.*|)$"){
        set req.backend = aurum;
        set client.identity = req.http.X - Forwarded - For;
    } elseif(client.ip == "192.168.3.189") {
        /* Traffic from the other Varnish server, serve using real backends */
        set req.backend = balance;
        /* Set client.identity to the X-Forwarded-For (the real IP) */
        set client.identity = req.http.X - Forwarded - For;
    } else{
        /* Traffic coming from internet, use the other Varnish as backend */
        set req.backend = iridium;
    }
}

The nginx config contains

proxy_set_header  X-Real-IP  $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_intercept_errors on;

when sending to varnish the first time and nothing when receiving from varnish again.

Im not sure where the problem is. I would expect the client.ip to contain the external ip address so I could use it for acl. Any ideas?

Best Answer

The value of client.ip is 127.0.0.1 because nginx is the client. It wouldn't make sense for Varnish to mask this value -- even in situations like yours where Varnish is sitting behind a front-end proxy, you often want to base decisions on the ip address of the thing actually making the connecting to Varnish.

What you really want to do is have nginx put the remote client ip address into a dedicated header (which you're already doing with X-Real-IP) and use that for making connection decisions. We do exactly this in our environment where we have Apache provided SSL connectivity in front of varnish, and then we use this header to make access decisions.

It's not as nice as using client.ip (you can't match it using acls), but it works. We do something like this:

if (! (
        req.http.X-Real-IP ~ "^10\." ||
        req.http.X-Real-IP ~ "^100\.100\." ||
        req.http.X-Real-IP ~ "^200\.200\."
)) {
        error 403 "Forbidden";
}

Varnish doesn't provide a native mechanism for overriding client.ip with a custom header, but it is possible to solve the problem anyway because you can insert arbitrary C code into your configuration.

Here is an example that exactly parallels your situation that includes an example of replacing client.ip with another value so that it can be used in Varnish ACLs.

Related Solutions

Nginx – Configure php5-fpm for many concurrent users

I suspect your varnish cache is not caching anywhere near enough of the hits

here's what I would do in your situation:

Lower php max children to 100 or even 50 (if varnish does its job properly you don't need them) also remove the max requests line to allow the php processes not to respawn too quickly and thus prevent APC from being cleared too quickly which is also bad

also IF is not good according to nginx - http://wiki.nginx.org/IfIsEvil

I would change this line:

            if (!-e $request_filename) {
                    rewrite ^(.+)$ /index.php?q=$1 last;
            }

to:

try_files $uri $uri/ /index.php?$args;

If your version of nginx supports it (pretty certain if your nginx version is > 0.7.51 then it supports it)

you should also look at inserting the w3tc nginx rules direct into your vhost file to enabled proper disk enhanced caching of pages (which is faster than APC caching with nginx)

Take a look at the following varnish vcl which I use for sites - you will need to read through and edit a few things for your website - it also assumes that its only WP sites on the server and only 1 site on the server, it can easily be modified for more sites (take a look at the cookie section)

generic vcl: https://gist.github.com/b7332971a848bcb7ecef

With this config I would argue to remove fastcgi_cache to prevent any possible issues with a cache-chain occurring whereby trying locate any stray stale cache entries is more difficult

also tell w3tc that varnish is at 127.0.0.1 and it will purge it for you ;)

I deployed this to a server on Wednesday evening (with a few domain specific modifications) that was handling 2500 active site visitors it reduced load to less than 1 and the approx number of running php children was around 10-20 (this number does depend on number of logged in users and other factors like cookies) this server did have much more ram but the principle is the same, you should be able to easily handle the number of visitors you get at peaks

Nginx – svn using nginx Commit failed: path not found

The request is being caught by your \.php$ location block, and being passed to PHP via FastCGI. You need to make sure that SVN requests are always proxied to Apache. If you don't need PHP on this virtual host, just remove that location directive. If you need PHP under specific paths, make the location block more specific, such as ^/phpstuff/.*\.php$. If that isn't possible, add an empty location block before the PHP one to catch .php files under the SVN repo paths, such as:

location ~ ^/elpis-repo/.*\.php$ {}

Best Answer

Related Solutions

Nginx – Configure php5-fpm for many concurrent users

Nginx – svn using nginx Commit failed: path not found

Related Topic