nexcess/magento-turpentine

Crawler ACLs issue - X-forwarded-for

Nuranto opened this issue · 2 comments

Hello,

In VCL templates, client.ip should be replaced by std.ip(regsub(req.http.X-Forwarded-For, "^(^[^,]+),?.*$", "\1"), client.ip) when checking ACLs.
Otherwise it could use 127.0.0.1 as the IP instead of the real user's IP and cause trouble in software.
Of course, this issue occurs only if you have a proxy in front of Varnish (which is almost always the case, at least for dealing with HTTPS).

Example:
Before:

if (client.ip ~ crawler_acl ||

After:

if (std.ip(regsub(req.http.X-Forwarded-For, "^(^[^,]+),?.*$", "\1"), client.ip) ~ crawler_acl ||

To complete @Nuranto's point: when Varnish is behind a local reverse proxy, ACLs are checked against ::1, which is useless and leads to strange behaviors.

Already spotted here: #1390
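As an added example (not part of this issue or of the magento-turpentine code), the Python below models what the proposed `std.ip(regsub(req.http.X-Forwarded-For, "^(^[^,]+),?.*$", "\1"), client.ip)` expression evaluates to for a few header shapes, so the fallback to `client.ip` can be checked without a Varnish instance. It also shows the caveat a practitioner would want: the leftmost X-Forwarded-For entry is whatever the client sent, so if the front proxy appends rather than replaces the header, a client can choose its own "crawler" address. The `trusted_forwarded_ip` function therefore takes the entry appended by the trusted proxy instead. The crawler ACL range, the addresses and the `trusted_hops` parameter are constructed for the example.

```python
import ipaddress
import re

# Same regex as in the issue: capture everything up to the first comma.
FIRST_XFF_RE = re.compile(r"^(^[^,]+),?.*$")

# Constructed crawler ACL (TEST-NET-2); not a real crawler range.
CRAWLER_ACL = [ipaddress.ip_network("198.51.100.0/24")]


def parse_ip_or(candidate, fallback):
    """Model of std.ip(candidate, fallback): return candidate as an address
    if it parses, otherwise the fallback (i.e. client.ip)."""
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return ipaddress.ip_address(fallback)


def first_forwarded_ip(xff, client_ip):
    """Model of the expression proposed in the issue.

    regsub returns the input unchanged when the regex does not match (an
    absent header behaves like an empty string), then std.ip falls back to
    client.ip when the result is not a valid address.
    """
    if not xff:
        candidate = ""
    else:
        m = FIRST_XFF_RE.match(xff)
        candidate = m.group(1) if m else xff
    return parse_ip_or(candidate.strip(), client_ip)


def trusted_forwarded_ip(xff, client_ip, trusted_hops=1):
    """Hardened variant (assumption: exactly `trusted_hops` proxies in front
    of Varnish, each appending the address that connected to it).

    The entry `trusted_hops` positions from the right was written by a
    proxy you control; everything to its left came from the client.
    """
    if not xff:
        return ipaddress.ip_address(client_ip)
    parts = [p.strip() for p in xff.split(",")]
    idx = len(parts) - trusted_hops
    if idx < 0:
        return ipaddress.ip_address(client_ip)
    return parse_ip_or(parts[idx], client_ip)


def in_acl(ip, acl):
    """Equivalent of `ip ~ acl` in VCL for the constructed ACL."""
    return any(ip in net for net in acl)


if __name__ == "__main__":
    # No proxy header: both variants fall back to client.ip, which behind a
    # local reverse proxy is the loopback address the issue complains about.
    print(first_forwarded_ip(None, "::1"))                      # ::1

    # Honest proxy, single hop: both variants agree.
    print(first_forwarded_ip("198.51.100.7", "127.0.0.1"))      # 198.51.100.7

    # Client forged its own X-Forwarded-For, proxy appended the real peer.
    spoofed = "198.51.100.7, 203.0.113.9"
    print(in_acl(first_forwarded_ip(spoofed, "::1"), CRAWLER_ACL))    # True
    print(in_acl(trusted_forwarded_ip(spoofed, "::1"), CRAWLER_ACL))  # False
```

Whichever variant is used, the proxy in front of Varnish should set or append X-Forwarded-For itself; if it passes the client's header through untouched, no amount of parsing in VCL recovers a trustworthy address.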