Varnish – Apache and client-ip reporting for mod_spamhaus

Environment:

varnishd (varnish-3.0.6 revision 1899836)
Server version: Apache/2.2.27 (Unix)
CentOS release 6.6 (Final)

When you install Varnish (a cache server), all your websites are served by Varnish first, so Apache sees every request as coming from Varnish and logs the client IP as 127.0.0.1.

Concerns:
Modules that depend on the client IP for filtering, e.g. mod_spamhaus, break.

Solution:
The module mod_extract_forwarded solves this. It was built for Apache 2.0, but it also works with Apache 2.2.17 of CWP.

Instructions:

1. Download & Unzip
mkdir /mod_extract_tmpdir
cd /mod_extract_tmpdir
wget http://www.openinfo.co.uk/apache/extract_forwarded-2.0.2.tar.gz
tar -xzvf extract_forwarded-2.0.2.tar.gz
cd extract_forwarded

2. Step ONLY for users who do not have the mod_proxy module installed in Apache
Open the file mod_extract_forwarded.c in vi or nano and search for the line below
#define USING_proxy_http_module 1

and comment it out; it should look like
/* #define USING_proxy_http_module 1 */

3. Install Module
/usr/local/apache/bin/apxs -c -i -a mod_extract_forwarded.c
The module is installed.

Go to your CWP control panel
Make sure your Varnish settings are as below
Apache IP (recommended: your Shared IP, or 127.0.0.1): set as your public ip / shared ip
Apache Port (recommended: 82): 82
Varnish IP (recommended: Shared IP or all): all
Varnish Port (recommended: 80): 80

Go to CWP Settings > Edit Settings and ensure Shared IP: is set to your public IP / shared IP and not 127.0.0.1

Go to Apache Settings -> Apache vHosts Template
Add these lines just before the closing VirtualHost tag (don't forget to replace the IP with your server's shared IP)

MEForder refuse,accept
MEFrefuse all
MEFaccept 127.0.0.1

Once added, the end of your template would look like
MEForder refuse,accept
MEFrefuse all
MEFaccept 127.0.0.1
# vhost_end %domain_name%

Once done, go ahead and rebuild all your virtualhosts
Apache Settings > Rebuild Apache vHosts
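
Why the MEFrefuse all / MEFaccept pair matters for IP-based filters such as mod_spamhaus, shown as an added example that is not part of the original post and is not mod_extract_forwarded's own code. It is a simplified model of the usual trusted-proxy rule (walk X-Forwarded-For from right to left and stop at the first address that is not an accepted proxy); the function names and sample addresses are assumptions.

```python
import ipaddress

# Constructed sample value: mirrors the page's "MEFaccept 127.0.0.1".
# On a real server this is the address Varnish connects from.
TRUSTED_PROXIES = {"127.0.0.1"}


def _valid_ip(text):
    """Return the normalised address, or None if text is not an IP."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None


def effective_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Pick the address that IP-based filters should evaluate.

    peer_ip    -- address of the TCP connection Apache accepted
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    # A peer outside the accept list cannot vouch for any header it sends.
    if peer_ip not in trusted or not xff_header:
        return peer_ip

    candidate = peer_ip
    # The rightmost entries were appended by the nearest proxies, so walk
    # backwards and stop at the first hop that is not a trusted proxy.
    for hop in reversed(xff_header.split(",")):
        ip = _valid_ip(hop)
        if ip is None:
            break  # malformed entry: keep the last address we could trust
        candidate = ip
        if ip not in trusted:
            break
    return candidate


if __name__ == "__main__":
    # Constructed requests using documentation address ranges.
    print(effective_client_ip("127.0.0.1", "203.0.113.7"))
    print(effective_client_ip("198.51.100.9", "192.0.2.1"))
    print(effective_client_ip("127.0.0.1", "192.0.2.1, 203.0.113.7"))
```

An accept list wider than the proxy itself would let any client choose the address that mod_spamhaus checks, which is why the template refuses all and accepts only the Varnish address.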

If you are seeing the CentOS page, check the following:

Go to CWP Settings > Edit Settings and ensure Shared IP: is set to your public IP / shared IP and not 127.0.0.1, then run Apache Settings > Rebuild Apache vHosts

 

Warning: Please take a backup of your configuration and settings before you try any changes based on this. Try this at your own risk!!
