Problem with varnish and cloudflare

I installed Varnish 5.2.1 / Ubuntu 18.04 / nginx 1.21.6, I have Cloudflare in front, and I managed to get the real IP addresses if I open direct links through the browser or just with $_SERVER['REMOTE_ADDR'] using this:

# Prefer the client address that the Cloudflare edge passes in CF-Connecting-IP
if (req.http.cf-connecting-ip) {
    set req.http.X-Forwarded-For = req.http.cf-connecting-ip;
} else {
    set req.http.X-Forwarded-For = req.http.rlnclientipaddr;
}

and this code in vhost in nginx

set_real_ip_from 204.93.240.0/24;
set_real_ip_from 204.93.177.0/24;
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 127.0.0.1;
#real_ip_header X-Real-IP;
#real_ip_header X-Forwarded-For;
real_ip_header CF-Connecting-IP;
real_ip_recursive on;

However, I have a problem with the logs in Varnish (/var/log/varnish/varnishncsa.log).

I always receive the following IP addresses in the logs: 172.68.50.173, 172.68.50.67, 172.68.50.29

Can anyone help me make the logs show the real IP addresses of the users?

Kindly, I'd suggest you add it inside the nginx.conf file under the http { ... } block, rather than in the .vhost file of the website :wink:

Save and test your config file with nginx -t, then restart the nginx service.

Hm, I am not familiar with this :thinking:
Does it have a configuration file of its own, given that it sits above Nginx?

I don’t think you understand me. I don’t have a problem with the IP addresses on my website, but I have a problem with the logs in the varnish itself and the display of the IP addresses.
Does anyone know the syntax for the logs so that their output shows valid IP addresses with Cloudflare?

Is Nginx configured as the TLS terminator for Varnish, or is Nginx sitting as a backend behind Varnish?

nginx is a backend to varnish
nginx vhost has port 8088
varnish = port 80

In your Varnish NCSA config (perhaps /etc/systemd/system/varnishncsa.service) you probably have something like %%h. That needs to be %%{cf-connecting-ip}i.

Also, you should really install Hitch on your Varnish server (configure Varnish and Hitch to talk using the PROXY protocol over UDS for maximum performance), and then change your Cloudflare config from Flexible to Full (Strict).
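As an added example (not from any poster in this thread), here is a VCL fragment that does on the Varnish side what the set_real_ip_from list does in nginx: CF-Connecting-IP is only honoured when the TCP peer is actually a Cloudflare address, so a client that hits port 80 directly cannot forge it, and the resulting X-Real-IP header is what varnishncsa should log. The ACL ranges are copied from the nginx block in the question (127.0.0.1 is omitted because Varnish itself is the peer of nginx, not the other way round); the header name X-Real-IP and the varnishncsa format in the note below are assumptions.

```vcl
vcl 4.0;

# Cloudflare edge ranges, copied from the set_real_ip_from list in the question.
acl cloudflare {
    "204.93.240.0"/24;
    "204.93.177.0"/24;
    "199.27.128.0"/21;
    "173.245.48.0"/20;
    "103.21.244.0"/22;
    "103.22.200.0"/22;
    "103.31.4.0"/22;
    "141.101.64.0"/18;
    "108.162.192.0"/18;
    "190.93.240.0"/20;
    "188.114.96.0"/20;
    "197.234.240.0"/22;
    "198.41.128.0"/17;
    "162.158.0.0"/15;
    "2400:cb00::"/32;
    "2606:4700::"/32;
    "2803:f800::"/32;
    "2405:b500::"/32;
    "2405:8100::"/32;
}

sub vcl_recv {
    if (client.ip ~ cloudflare && req.http.CF-Connecting-IP) {
        # Request came through Cloudflare: the edge's header carries the visitor.
        set req.http.X-Real-IP = req.http.CF-Connecting-IP;
        set req.http.X-Forwarded-For = req.http.CF-Connecting-IP;
    } else {
        # Direct hit on port 80: ignore any client-supplied CF-Connecting-IP
        # (it could be forged) and fall back to the TCP peer address.
        unset req.http.CF-Connecting-IP;
        set req.http.X-Real-IP = client.ip;   # assumed header name
        set req.http.X-Forwarded-For = client.ip;
    }
}
```

With this in place, run varnishncsa with the default format but %h replaced by the header, e.g. -F '%{X-Real-IP}i %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"' (remember to double the % signs if the format lives in a systemd ExecStart line); nginx can then use real_ip_header X-Real-IP with set_real_ip_from 127.0.0.1 only, since Varnish has already validated the source.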

/etc/systemd/system/varnishncsa.service is blank right now.
Can you give me example code please?