Varnish & Apache on SuSE - Using Module RemoteIP

Now that you've configured Varnish, are you having trouble seeing the remote addresses of the clients? Here's how to configure Apache mod_remoteip on SuSE.

Ok, you got Varnish installed and it's working great! You're tailing the logs and what do you notice? You're not getting the client IP anymore. Then it hits you: you configured it like a transparent proxy, so all requests to your backends are sent from the Varnish server and the logged IP is now the Varnish server's. It sort of looks like what I have drawn below.

Never fear, all you have to do is some IP header reading on Apache and some header forwarding on Varnish. In order to have the real client IPs in your backend's access logs when using any proxy, your web server must be able to read X-Forwarded-For headers. Some web servers support this by default, while on others you will need to configure additional resources. On Apache you can use either 'mod_rpaf' or 'mod_remoteip'. I'm not using 'mod_rpaf' as it doesn't work properly with Classless Inter-Domain Routing (CIDR). We will accomplish this task by using Apache's 'mod_remoteip'. Chances are you don't have it installed yet, so this article will focus on the configuration of Varnish and on both the installation and configuration of 'mod_remoteip' for Apache on SuSE.

Ok, no fluff here, these are the steps we will follow:

  • Get the "mod_remoteip" source
  • Compile and install the mod
  • Configure the mod in Apache
  • Configure Varnish to utilize the mod
  • & finally test it

Use the source Luke!

Download the source code for mod_remoteip

Here's where I got mine: wget https://raw.github.com/ttkzw/mod_remoteip-httpd22/master/mod_remoteip.c

Compile and install

Once you have the force, er, I mean source, extract it. Before we go ahead and compile it, you're more than likely going to need a couple of other packages for your version of SuSE. We won't be using 'gcc'; we're going to use 'apxs' to compile the module. APXS is a tool for building and installing extension modules in Apache. Prior to compiling the mod, begin by installing the following packages in the order listed.

  1. libapr1-devel
  2. libexpat-devel
  3. cyrus-sasl-devel
  4. zlib-devel
  5. libopenssl-devel
  6. openldap2-devel
  7. libdb-4_8-devel
  8. libapr-util1-devel
  9. apache2-devel (Needed for apxs2 command)

Next, after you have these installed in your environment, you can begin to compile and install 'mod_remoteip' for Apache like so:


# apxs2 -cia mod_remoteip.c

Now you need to configure Apache to load this new module. On SuSE you will need to edit the /etc/apache2/sysconfig.d/loadmodule.conf file and add this line:


LoadModule remoteip_module /usr/lib/apache/mod_remoteip.so

Next create the following file /etc/apache2/mod_remoteip.conf and add the following:


<IfModule mod_remoteip.c>
        RemoteIPHeader X-Forwarded-For
</IfModule>

Then edit the file /etc/apache2/mod_log_config.conf and add this line:


LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \
\"%{Referer}i\" \"%{User-Agent}i\""                     varnishcombined

Depending on how you set up Apache logging for your sites, you will need to edit your sites' configuration files (usually in vhosts.d) and change the log format of your 'combined' logs to 'varnishcombined'. Restart Apache when you are finished.

Configure Varnish

Now it's time to configure Varnish to pass the proper header to Apache. You'll need to edit the '/etc/varnish/vcl.conf' file and add the following lines to the 'sub vcl_recv{}' section:


sub vcl_recv {
       # Compatibility with Apache log: drop any header sent by the
       # client, then set it to the address Varnish saw
       remove req.http.X-Forwarded-For;
       set req.http.X-Forwarded-For = client.ip;
}
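
Added example (not from the original article or the mod_remoteip project): a simplified Python model of how the header set in vcl_recv above is resolved on the Apache side, showing why the VCL replaces any client-supplied X-Forwarded-For and why the list of trusted proxies matters when Apache can be reached without going through Varnish. The addresses, VARNISH_NET and the function names are constructed for illustration; Apache 2.4 sets the trusted list with RemoteIPInternalProxy, and it is an assumption that this 2.2 backport accepts the same directive and follows the same right-to-left rule.

```python
import ipaddress

# Constructed addresses from documentation ranges, not taken from the page.
VARNISH, CLIENT, FORGED = "192.0.2.10", "203.0.113.7", "198.51.100.99"
VARNISH_NET = ["192.0.2.0/28"]  # hypothetical CIDR holding the Varnish host

def varnish_vcl_recv(headers, client_ip):
    """Mirror the page's vcl_recv: drop the incoming header, set client.ip."""
    out = {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}
    out["X-Forwarded-For"] = client_ip
    return out

def resolve_client_ip(peer_ip, headers, trusted_proxies=None):
    """Simplified model of how mod_remoteip picks the client address.

    The header is read right to left, and a value is accepted only while the
    address presenting it is a trusted proxy. trusted_proxies=None models a
    config with RemoteIPHeader alone, where every sender is trusted.
    """
    nets = None
    if trusted_proxies is not None:
        nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    current = ipaddress.ip_address(peer_ip)
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    while hops:
        if nets is not None and not any(current in n for n in nets):
            break  # this address may not vouch for the value before it
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # unparsable value: keep the last address we accepted
    return str(current)

def demo():
    """Resolve the client address in three constructed cases."""
    sent = {"X-Forwarded-For": FORGED}  # header supplied by the client
    return {
        # Through Varnish: the VCL replaces the client's header.
        "via_varnish": resolve_client_ip(
            VARNISH, varnish_vcl_recv(sent, CLIENT), VARNISH_NET),
        # Straight to Apache, RemoteIPHeader only: the header is believed.
        "direct_trust_all": resolve_client_ip(CLIENT, sent, None),
        # Straight to Apache, trust limited to the Varnish CIDR.
        "direct_restricted": resolve_client_ip(CLIENT, sent, VARNISH_NET),
    }

if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case}: {ip}")
```

Only the second case resolves to the client-supplied value, which is the case to rule out by keeping the backend reachable only from the Varnish host or by restricting which senders the module trusts.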

Test

All you have to do now is wait for connections, scan your logs and see the results. Whatever you designated for your 'varnishcombined' logs should now show the remote client IP.

That's it!

