
varnish-fe is handling X-Forwarded-For differently when ats is in front of it
Closed, Resolved · Public

Description

varnish-fe handles X-Forwarded-For in a different way when ATS is doing the TLS termination instead of nginx.
A quick check with varnishlog shows the following:

nginx+varnish-fe
-   ReqUnset       X-Forwarded-For: USER_IP
-   ReqHeader      X-Forwarded-For: USER_IP, 10.132.0.102

VS

ats+varnish-fe
-   ReqUnset       X-Forwarded-For: USER_IP
-   ReqHeader      X-Forwarded-For: USER_IP, 127.0.0.1

I'm guessing it's related to the fact that nginx performs the connections to varnish using the NIC IP address (10.132.0.102 in the example used) and ATS is using the loopback interface.
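
An added illustration, not part of the original task or of Wikimedia's configuration: a rightmost-untrusted X-Forwarded-For resolver run over the two header values shown above, to show what the changed last hop means for any consumer that derives the client address from the header. `203.0.113.7` is a constructed stand-in for USER_IP, and both trusted-proxy lists are assumptions about a hypothetical consumer.

```python
import ipaddress

def client_ip(xff, trusted_nets):
    """Return the rightmost X-Forwarded-For hop that is not a trusted proxy.

    Proxies append to the header, so the scan runs right to left and stops
    at the first address outside trusted_nets. Returns None when every hop
    is trusted or when a hop does not parse as an IP address.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed hop: refuse to guess
        if not any(addr in net for net in nets):
            return str(addr)
    return None

# Constructed sample values; USER_IP on the page is a redacted placeholder.
USER_IP = "203.0.113.7"
NGINX_CHAIN = f"{USER_IP}, 10.132.0.102"  # nginx+varnish-fe header from the task
ATS_CHAIN = f"{USER_IP}, 127.0.0.1"       # ats+varnish-fe header from the task

# Assumption: a consumer that trusts only the cache host's NIC address.
TRUSTED_NIC_ONLY = ["10.132.0.102/32"]
# Assumption: the same consumer after loopback is added to its trusted set.
TRUSTED_WITH_LOOPBACK = ["10.132.0.102/32", "127.0.0.0/8"]

def compare():
    """Resolve the client address for each header/trust-list combination."""
    return {
        "nginx, NIC only": client_ip(NGINX_CHAIN, TRUSTED_NIC_ONLY),
        "ats, NIC only": client_ip(ATS_CHAIN, TRUSTED_NIC_ONLY),
        "ats, NIC + loopback": client_ip(ATS_CHAIN, TRUSTED_WITH_LOOPBACK),
    }

if __name__ == "__main__":
    for case, ip in compare().items():
        print(f"{case:22} -> {ip}")
```

With the NIC-only list, the ATS header resolves to `127.0.0.1` instead of the user address, which is the kind of divergence that either a wider trusted set or a consistent source address between the TLS terminator and varnish avoids.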

Event Timeline

Restricted Application removed a project: Patch-For-Review. · Mon, Sep 23, 9:58 PM

Change 538857 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/debs/trafficserver@master] Release 8.0.5-1wm9

https://gerrit.wikimedia.org/r/538857

Change 538857 abandoned by Vgutierrez:
Release 8.0.5-1wm9

Reason:
not needed

https://gerrit.wikimedia.org/r/538857

Change 539056 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Use the main NIC instead of the loopback interface to reach varnish

https://gerrit.wikimedia.org/r/539056

Change 539056 merged by Vgutierrez:
[operations/puppet@production] ATS: Use the main NIC instead of the loopback interface to reach varnish

https://gerrit.wikimedia.org/r/539056

Mentioned in SAL (#wikimedia-operations) [2019-09-25T08:44:03Z] <vgutierrez> repooling cp4027 - T233667

Vgutierrez closed this task as Resolved. · Wed, Sep 25, 8:44 AM