Real client IP from varnish in apache

September 23, 2015 13.4k views
Apache WordPress LAMP Stack

Hi DO Community,

I have 2 droplet,

serverA - varnish
serverB - LAMP (wordpress)

My LAMP show serverA private IP instead of real client IP. How I can get real client IP in this situation?

Thank you.

1 Answer

In order to have Varnish pass on the real client IP to your Apache access log, you’ll need to edit your Varnish configuration (/etc/varnish/default.vcl on Ubuntu) to add an X-Forwarded-For header. Find the vcl_recv section and added the following:

sub vcl_recv {
  unset req.http.X-Forwarded-For;
  set req.http.X-Forwarded-For = client.ip;
}

(Note: If you are using Varnish < 4.0 change unset to remove as the syntax is different.)

Than, in your Apache Virtual Host, set a CustomLog format:

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{User-agent}i\"" varnishcombined
CustomLog ${APACHE_LOG_DIR}/access.log varnishcombined

Finally, restart both Apache and Varnish for the changes to take effect:

  • sudo service varnish restart
  • sudo service apache2 restart
  • Very useful, but…

    What about error.log? If I have to be more specific, what about basic authentication errors, such as: [auth_basic:error] [pid 23784] [client 127.0.0.1:46904] AH01618: user foo not found: /phpmyadmin/

    They still show 127.0.0.1 and fail2ban apache jail is useless.

Have another answer? Share your knowledge.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!