Real client IP from varnish in apache

Posted September 23, 2015 19.3k views
ApacheWordPressLAMP Stack

Hi DO Community,

I have 2 droplet,

serverA - varnish
serverB - LAMP (wordpress)

My LAMP show serverA private IP instead of real client IP. How I can get real client IP in this situation?

Thank you.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
1 answer

In order to have Varnish pass on the real client IP to your Apache access log, you’ll need to edit your Varnish configuration (/etc/varnish/default.vcl on Ubuntu) to add an X-Forwarded-For header. Find the vcl_recv section and added the following:

sub vcl_recv {
  unset req.http.X-Forwarded-For;
  set req.http.X-Forwarded-For = client.ip;

(Note: If you are using Varnish < 4.0 change unset to remove as the syntax is different.)

Than, in your Apache Virtual Host, set a CustomLog format:

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{User-agent}i\"" varnishcombined
CustomLog ${APACHE_LOG_DIR}/access.log varnishcombined

Finally, restart both Apache and Varnish for the changes to take effect:

  • sudo service varnish restart
  • sudo service apache2 restart
  • Very useful, but…

    What about error.log? If I have to be more specific, what about basic authentication errors, such as: [auth_basic:error] [pid 23784] [client] AH01618: user foo not found: /phpmyadmin/

    They still show and fail2ban apache jail is useless.