清漆 - 绕过 IP 地址缓存 [英] Varnish - Bypass Cache for IP Address

问题描述

我们使用的是 Varnish 3.0.3.Varnish 位于负载均衡器的后面.

We're using Varnish 3.0.3. Varnish is behind a load balancer.

我们希望绕过特定 IP 地址的 Varnish 缓存.经过研究，我发现了以下内容.不幸的是，它不起作用.

We would like to bypass the Varnish cache for a particular IP address. After doing research, I found the following. Unfortunately, it is not working.

    acl passem { "7x.xxx.xxx.xxx"; }
    sub vcl_recv {
    if (!(client.ip ~ passem)) {
    return (pass);
            }
    }

这出现在varnishlog 6 VCL_acl c NO_MATCH passem"

我不确定出了什么问题.我唯一能想到的是 Varnish 没有看到传入的 IP 地址.这是我在 varnishlog 中看到的.

I'm not sure what is wrong. The only thing I can think of is Varnish is not seeing the incoming IP address. This is what I see in varnishlog.

    6 RxHeader     c X-Real-IP: "7x.xxx.xxx.xxx"
    6 RxHeader     c X-Forwarded-For: "7x.xxx.xxx.xxx"

    6 SessionOpen  c 10.10.10.4 58143 0.0.0.0:80
    6 ReqStart     c 10.10.10.4 58143 1026834560

RxHeader 正在接收正确的 IP 并匹配 acl passem，但我不知道 acl passem 是否引用了 SessionOpen> IP 地址，即负载均衡器的 IP 地址.

The RxHeader is receiving the correct IP and matches the acl passem, but I don't know if acl passemis instead referencing the SessionOpen IP address, which is the IP address of the load balancer.

推荐答案

在 Varnish 中，"X-Real-IP" 和 "http.x-forwarded-for" 是字符串，"client.ip" 是一个对象.

In Varnish, "X-Real-IP" and "http.x-forwarded-for" are strings and "client.ip" is an object.

需要额外的代码将 "X-Forwarded-For" 标头中的 IP 地址复制到 Varnish 的 client_ip 结构中.

Extra code is required to copy the IP address from the "X-Forwarded-For" header into Varnish's client_ip structure.

以下是使其工作所需的条件.这工作成功.归功于 http://zcentric.com/2012/03/16/varnish-acl-with-x-forwarded-for-header/

Below is what was required to make it work. This worked successfully. Credit goes to http://zcentric.com/2012/03/16/varnish-acl-with-x-forwarded-for-header/

    C{
    #include <netinet/in.h>
    #include <string.h>
    #include <sys/socket.h>
    #include <arpa/inet.h>
    }C
    acl passem { "7x.xxx.xxx.xxx"; }
    sub vcl_recv {
    C{
    struct sockaddr_storage *client_ip_ss = VRT_r_client_ip(sp);
    struct sockaddr_in *client_ip_si = (struct sockaddr_in *) client_ip_ss;
    struct in_addr *client_ip_ia = &(client_ip_si->sin_addr);
    char *xff_ip = VRT_GetHdr(sp, HDR_REQ, "\020X-Forwarded-For:");

    if (xff_ip != NULL) {
    inet_pton(AF_INET, xff_ip, client_ip_ia);
    }
    }C
    if (!(client.ip ~ passem)) {
    return (pass);
            }
    }

这篇关于清漆 - 绕过 IP 地址缓存的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！