Real client IP from varnish in apache

September 23, 2015 10.4k views
LAMP Stack Apache WordPress

Hi DO Community,

I have 2 droplet,

serverA - varnish
serverB - LAMP (wordpress)

My LAMP show serverA private IP instead of real client IP. How I can get real client IP in this situation?

Thank you.

1 Answer

In order to have Varnish pass on the real client IP to your Apache access log, you'll need to edit your Varnish configuration (/etc/varnish/default.vcl on Ubuntu) to add an X-Forwarded-For header. Find the vcl_recv section and added the following:

sub vcl_recv {
  unset req.http.X-Forwarded-For;
  set req.http.X-Forwarded-For = client.ip;

(Note: If you are using Varnish < 4.0 change unset to remove as the syntax is different.)

Than, in your Apache Virtual Host, set a CustomLog format:

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{User-agent}i\"" varnishcombined
CustomLog ${APACHE_LOG_DIR}/access.log varnishcombined

Finally, restart both Apache and Varnish for the changes to take effect:

  • sudo service varnish restart
  • sudo service apache2 restart
  • Very useful, but...

    What about error.log? If I have to be more specific, what about basic authentication errors, such as: [auth_basic:error] [pid 23784] [client] AH01618: user foo not found: /phpmyadmin/

    They still show and fail2ban apache jail is useless.

Have another answer? Share your knowledge.