proxy_pass to backend (varnish): delivered ip?
Francis Daly
francis at daoine.org
Wed Jan 30 16:20:03 UTC 2013
On Wed, Jan 30, 2013 at 11:13:38AM -0500, revirii wrote:
Hi there,
> > The connection to varnish comes from the address 127.0.0.1. That's
> > what it logs here.
>
> > The connection to varnish comes from the address 192.168.0.1. That's
> > what it logs here.
>
> But why? The only difference is the proxy_pass statement:
>
> proxy_pass http://127.0.0.1:80;
> vs.
> proxy_pass http://192.168.0.1:80;
>
> No other changes were done, and no changes in varnish config.
Look at the routing table on your nginx server.
If it connects *to* 127.0.0.1, it will connect *from* 127.0.0.1 (which
is one of the nginx server's addresses).
If it connects *to* 192.168.0.1, it will connect *from* 192.168.0.1
(which is one of the nginx server's addresses).
(Probably, if it connects *to* 192.168.0.2 (which is on a different
machine), it will connect *from* 192.168.0.1.)
> Hm, would be interesting which param varnish checks. It can't be
> $remote_addr, so it has to be the address nginx proxies to (127.0.01 or
> 192.168.0.1).
No, it is the address that the connection to varnish comes *from*. Because
of your specific setup, that happens to match the address that nginx
connects to. But try connecting to varnish from some other machine and
you'll see the difference.
> Very strange. So it seems to be a varnish problem? :-/
It's usually considered a feature that the source address of a connection
is logged. There is nothing nginx can do to hide its source address.
What you want is something non-standard. Possibly there's a varnish
configuration to allow it.
f
--
Francis Daly francis at daoine.org
More information about the nginx
mailing list