Differences

This shows you the differences between two versions of the page.

@@ Line 1: / Line 1: @@
+====== Use Disk Cache ======
+To use the disk cache instead of the memory cache, edit the Varnish command line and locate the ''-s'' argument and change it from:
+<code>
+-s malloc,256m
+</code>
+which uses memory storage of 256MiB, to:
+<code>
+-s file,/var/cache/varnish/varnish_storage.bin,10G
+</code>
+where:
+  * ''/var/cache/varnish'' is a directory where the ''varnish_storage.bin'' file will be placed.
+  * ''10G'' means 10GiB of storage.
+====== Passing the Real IP Address to Apache from Cloudflare ======
+The following are some notes on getting the real IP address passed to Apache when Varnish and Cloudflare sit in front of Apache. For this to work, all other "real IP" Apache modules must be disabled, such as "rpaf" or "remoteip", and only Varnish left to pass the real IP address to Apache. In other words, this works for the following configuration:
+<ditaa>
+            v
+            |
+            |
+      +-----+------+
+      | Cloudflare |
+      +-----+------+
+            |
+            |
+      +-----+------+
+      |  Varnish   |
+      +-----+------+
+            |
+            |
+      +-----+------+
+      |   Apache2  |
+      +------------+
+</ditaa>
+If Cloudflare is proxying requests for Apache, then Cloudflare passes the real IP address of the hit to Apache via the ''CF-CONNECTING-IP'' header. The following code will remap the real ip address to the ''X-FORWARDED-FOR'' header, typically used for proxying.
+<code>
+    if (req.http.cf-connecting-ip) {
+        set req.http.X-Forwarded-For = req.http.cf-connecting-ip;
+    } else {
+        set req.http.X-Forwarded-For = client.ip;
+    }
+</code>
+The code is written to account for the case where the client IP address is passed directly without Cloudflare in the second part of the conditional block.
+Lastly, the varnish logging facility, "varnishncsa" must also be changed in order to log the real IP address. varnishncsa acts after varnish such that the log-format of varnishncsa must be changed in order to make varnishncsa log the ''X-FORWARDED-FOR'' as the IP address. Here is a SystemD service file that should be copied from ''/lib/systemd/system/varnishncsa.service'' to ''/etc/systemd/system/'', then modified to match the content below, and then started via ''systemctl'':
+<code>
+[Unit]
+Description=Varnish HTTP accelerator log daemon
+Documentation=https://www.varnish-cache.org/docs/6.1/ man:varnishncsa
+After=varnish.service
+[Service]
+Type=forking
+PIDFile=/run/varnishncsa/varnishncsa.pid
+RuntimeDirectory=varnishncsa
+User=varnishlog
+Group=varnish
+ExecStart=/usr/bin/varnishncsa -a -w /var/log/varnish/varnishncsa.log -D -P /run/varnishncsa/varnishncsa.pid -F '%%{X-Forwarded-For}i %%l %%u %%t "%%r" %%s %%b "%%{Referer}i" "%%{User-agent}i"'
+ExecReload=/bin/kill -HUP $MAINPID
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=full
+[Install]
+WantedBy=multi-user.target
+</code>
+The change here is the formatting line of the log files produced by varnishncsa passed to the ''-F'' parameters, namely:
+<code>
+-F '%%{X-Forwarded-For}i %%l %%u %%t "%%r" %%s %%b "%%{Referer}i" "%%{User-agent}i"'
+</code>
+====== CloudFlare IPv6 and Blocking with Varnish ======
+Project Honeypot [[/security/services/cloudflare#you_vill_get_ze_ipv6_and_ze_vill_be_appy|decided to pass IPv6 addresses to webservers]] when a client connects via IPv6 to Cloudflare and makes a request to a webserver behind Cloudflare. The consequence is that if the webserver is not configured for IPv6, then the request might end up bypassing any protections or throttling.
+Unfortunately, the only fix is to block IPv6 "customers" with a ''400'' and "Bad Request" HTTP error message. This can be done via the following stanza:
+<code>
+    if(req.http.cf-connecting-ip ~ "([a-f0-9:]+:+)+[a-f0-9]+") {
+        return(synth(400, "Bad Request"));
+    }
+</code>
+in the Varnish configuration.