Page MenuHomePhabricator
Create Task
Maniphest T233667

varnish-fe is handling X-Forwarded-For differently when ats is in front of it
Closed, ResolvedPublic
Actions

Description

varnish-fe handles X-Forwarded-For in a different way when ATS is doing the TLS termination instead of nginx.
a quick check with varnishlog shows the following:

nginx+varnish-fe
-   ReqUnset       X-Forwarded-For: USER_IP
-   ReqHeader      X-Forwarded-For: USER_IP, 10.132.0.102

VS

ats+varnish-fe
-   ReqUnset       X-Forwarded-For: USER_IP
-   ReqHeader      X-Forwarded-For: USER_IP, 127.0.0.1

I'm guessing it's related to the fact that nginx performs the connections to varnish using the NIC ip address (10.132.0.102 in the example used) and ATS is using the loopback interface

Details

SubjectRepoBranchLines +/-
ATS: Use the main NIC instead of the loopback interface to reach varnishoperations/puppetproduction+12 -11
Release 8.0.5-1wm9operations/debs/trafficservermaster+761 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Vgutierrez created this task.Sep 23 2019, 9:58 PM
Restricted Application removed a project: Patch-For-Review. · View Herald TranscriptSep 23 2019, 9:58 PM
Vgutierrez triaged this task as High priority.Sep 23 2019, 9:58 PM
Vgutierrez added a parent task: T233657: Users editing from 127.0.0.1 (due to experimenting with ATS terminating TLS).
gerritbot added a comment.Sep 24 2019, 11:07 AM

Change 538857 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/debs/trafficserver@master] Release 8.0.5-1wm9

https://gerrit.wikimedia.org/r/538857

gerritbot added a project: Patch-For-Review.Sep 24 2019, 11:07 AM
gerritbot added a comment.Sep 25 2019, 7:59 AM

Change 538857 abandoned by Vgutierrez:
Release 8.0.5-1wm9

Reason:
not needed

https://gerrit.wikimedia.org/r/538857

gerritbot added a comment.Sep 25 2019, 8:12 AM

Change 539056 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Use the main NIC instead of the loopback interface to reach varnish

https://gerrit.wikimedia.org/r/539056

gerritbot added a comment.Sep 25 2019, 8:24 AM

Change 539056 merged by Vgutierrez:
[operations/puppet@production] ATS: Use the main NIC instead of the loopback interface to reach varnish

https://gerrit.wikimedia.org/r/539056

Stashbot added a comment.Sep 25 2019, 8:44 AM

Mentioned in SAL (#wikimedia-operations) [2019-09-25T08:44:03Z] <vgutierrez> repooling cp4027 - T233667

Vgutierrez closed this task as Resolved.Sep 25 2019, 8:44 AM
Vgutierrez mentioned this in T242778: ATS strict round robin parent select policy doesn't work as expected.Jan 15 2020, 10:07 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL