Apache-2.4

與 Apache ProxyPass 一起使用時,Varnish 正在刪除 X-Forwarded-For 標頭

  • March 25, 2020

我正在使用 Varnish 4 和 Apache 的ProxyPass指令來嘗試在 HTTPS 網站(執行 Magento 電子商務軟體)上記憶體內容。

Varnish 監聽 80 埠,Apache 監聽 8080(HTTP)和 443(HTTPS)埠。

在我的 SSL vhost 中,我有一個 ProxyPass 指令來將 HTTPS 請求代理到 Varnish 伺服器,如下所示:

   # Reverse proxy configuration for Varnish
   ProxyPreserveHost On
   ProxyPass         / http://127.0.0.1:80/
   RequestHeader     set X-Forwarded-Port "443"
   RequestHeader     set X-Forwarded-Proto "https"

我的問題是這些代理請求似乎沒有X-Forwarded-For標頭(或我能看到的任何其他標頭)。我做到了LogLevel trace4,這是通過 Varnish 代理後到達埠 8080 伺服器的內容:

http_request.c(437): [client 127.0.0.1:44580] Headers received from client:
http_request.c(441): [client 127.0.0.1:44580]   Host: 127.0.0.1
http_request.c(441): [client 127.0.0.1:44580]   Connection: close

Magento 提供的 Varnish 配置文件如下。

它似乎沒有刪除標題,當我通過添加std.syslog(0, req.http.X-Forwarded-For);到 VCL 文件進行一些調試時,我能夠在日誌輸出中看到標題。

有任何想法嗎?

vcl 4.0;

import std;
# The minimal Varnish version is 4.0
# For SSL offloading, pass the following header in your proxy server or load balancer: 'X-Forwarded-Proto: https'

backend default {
   .host = "127.0.0.1";
   .port = "8080";
   .first_byte_timeout = 600s;
   .probe = {
       .url = "/pub/health_check.php";
       .timeout = 2s;
       .interval = 5s;
       .window = 10;
       .threshold = 5;
  }
}

acl purge {
   "localhost";
}

sub vcl_recv {
   if (req.method == "PURGE") {
       if (client.ip !~ purge) {
           return (synth(405, "Method not allowed"));
       }
       # To use the X-Pool header for purging varnish during automated deployments, make sure the X-Pool header
       # has been added to the response in your backend server config. This is used, for example, by the
       # capistrano-magento2 gem for purging old content from varnish during it's deploy routine.
       if (!req.http.X-Magento-Tags-Pattern && !req.http.X-Pool) {
           return (synth(400, "X-Magento-Tags-Pattern or X-Pool header required"));
       }
       if (req.http.X-Magento-Tags-Pattern) {
         ban("obj.http.X-Magento-Tags ~ " + req.http.X-Magento-Tags-Pattern);
       }
       if (req.http.X-Pool) {
         ban("obj.http.X-Pool ~ " + req.http.X-Pool);
       }
       return (synth(200, "Purged"));
   }

   if (req.method != "GET" &&
       req.method != "HEAD" &&
       req.method != "PUT" &&
       req.method != "POST" &&
       req.method != "TRACE" &&
       req.method != "OPTIONS" &&
       req.method != "DELETE") {
         /* Non-RFC2616 or CONNECT which is weird. */
         return (pipe);
   }

   # We only deal with GET and HEAD by default
   if (req.method != "GET" && req.method != "HEAD") {
       return (pass);
   }

   # Bypass shopping cart, checkout and search requests
   if (req.url ~ "/checkout" || req.url ~ "/catalogsearch") {
       return (pass);
   }

   # Bypass health check requests
   if (req.url ~ "/pub/health_check.php") {
       return (pass);
   }

   # Set initial grace period usage status
   set req.http.grace = "none";

   # normalize url in case of leading HTTP scheme and domain
   set req.url = regsub(req.url, "^http[s]?://", "");

   # collect all cookies
   std.collect(req.http.Cookie);

   # Compression filter. See https://www.varnish-cache.org/trac/wiki/FAQ/Compression
   if (req.http.Accept-Encoding) {
       if (req.url ~ "\.(jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|swf|flv)$") {
           # No point in compressing these
           unset req.http.Accept-Encoding;
       } elsif (req.http.Accept-Encoding ~ "gzip") {
           set req.http.Accept-Encoding = "gzip";
       } elsif (req.http.Accept-Encoding ~ "deflate" && req.http.user-agent !~ "MSIE") {
           set req.http.Accept-Encoding = "deflate";
       } else {
           # unknown algorithm
           unset req.http.Accept-Encoding;
       }
   }

   # Remove all marketing get parameters to minimize the cache objects
   if (req.url ~ "(\?|&)(gclid|cx|ie|cof|siteurl|zanpid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=") {
       set req.url = regsuball(req.url, "(gclid|cx|ie|cof|siteurl|zanpid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=[-_A-z0-9+()%.]+&?", "");
       set req.url = regsub(req.url, "[?|&]+$", "");
   }

   # Static files caching
   if (req.url ~ "^/(pub/)?(media|static)/") {
       # Static files should not be cached by default
       return (pass);

       # But if you use a few locales and don't use CDN you can enable caching static files by commenting previous line (#return (pass);) and uncommenting next 3 lines
       #unset req.http.Https;
       #unset req.http.X-Forwarded-Proto;
       #unset req.http.Cookie;
   }

   return (hash);
}

sub vcl_hash {
   if (req.http.cookie ~ "X-Magento-Vary=") {
       hash_data(regsub(req.http.cookie, "^.*?X-Magento-Vary=([^;]+);*.*$", "\1"));
   }

   # For multi site configurations to not cache each other's content
   if (req.http.host) {
       hash_data(req.http.host);
   } else {
       hash_data(server.ip);
   }

   if (req.url ~ "/graphql") {
       call process_graphql_headers;
   }

   # To make sure http users don't see ssl warning
   if (req.http.X-Forwarded-Proto) {
       hash_data(req.http.X-Forwarded-Proto);
   }
   if (req.http.user-agent ~ "(?i)theme_blank") {
       hash_data("1");
   } elsif (req.http.user-agent ~ "(?i)theme_luma") {
       hash_data("3");
   }
}

sub process_graphql_headers {
   if (req.http.Store) {
       hash_data(req.http.Store);
   }
   if (req.http.Content-Currency) {
       hash_data(req.http.Content-Currency);
   }
}

sub vcl_backend_response {

   set beresp.grace = 3d;

   if (beresp.http.content-type ~ "text") {
       set beresp.do_esi = true;
   }

   if (bereq.url ~ "\.js$" || beresp.http.content-type ~ "text") {
       set beresp.do_gzip = true;
   }

   if (beresp.http.X-Magento-Debug) {
       set beresp.http.X-Magento-Cache-Control = beresp.http.Cache-Control;
   }

   # cache only successfully responses and 404s
   if (beresp.status != 200 && beresp.status != 404) {
       set beresp.ttl = 0s;
       set beresp.uncacheable = true;
       return (deliver);
   } elsif (beresp.http.Cache-Control ~ "private") {
       set beresp.uncacheable = true;
       set beresp.ttl = 86400s;
       return (deliver);
   }

   # validate if we need to cache it and prevent from setting cookie
   if (beresp.ttl > 0s && (bereq.method == "GET" || bereq.method == "HEAD")) {
       unset beresp.http.set-cookie;
   }

  # If page is not cacheable then bypass varnish for 2 minutes as Hit-For-Pass
  if (beresp.ttl <= 0s ||
      beresp.http.Surrogate-control ~ "no-store" ||
      (!beresp.http.Surrogate-Control &&
      beresp.http.Cache-Control ~ "no-cache|no-store") ||
      beresp.http.Vary == "*") {
      # Mark as Hit-For-Pass for the next 2 minutes
       set beresp.ttl = 120s;
       set beresp.uncacheable = true;
   }

   return (deliver);
}

sub vcl_deliver {
   if (resp.http.X-Magento-Debug) {
       if (resp.http.x-varnish ~ " ") {
           set resp.http.X-Magento-Cache-Debug = "HIT";
           set resp.http.Grace = req.http.grace;
       } else {
           set resp.http.X-Magento-Cache-Debug = "MISS";
       }
   } else {
       unset resp.http.Age;
   }

   # Not letting browser to cache non-static files.
   if (resp.http.Cache-Control !~ "private" && req.url !~ "^/(pub/)?(media|static)/") {
       set resp.http.Pragma = "no-cache";
       set resp.http.Expires = "-1";
       set resp.http.Cache-Control = "no-store, no-cache, must-revalidate, max-age=0";
   }

   unset resp.http.X-Magento-Debug;
   unset resp.http.X-Magento-Tags;
   unset resp.http.X-Powered-By;
   unset resp.http.Server;
   unset resp.http.X-Varnish;
   unset resp.http.Via;
   unset resp.http.Link;
}

sub vcl_hit {
   if (obj.ttl >= 0s) {
       # Hit within TTL period
       return (deliver);
   }
   if (std.healthy(req.backend_hint)) {
       if (obj.ttl + 300s > 0s) {
           # Hit after TTL expiration, but within grace period
           set req.http.grace = "normal (healthy server)";
           return (deliver);
       } else {
           # Hit after TTL and grace expiration
           return (fetch);
       }
   } else {
       # server is not healthy, retrieve from cache
       set req.http.grace = "unlimited (unhealthy server)";
       return (deliver);
   }
}

Varnish 自動設置X-Forwarded-For標題。它應該一直在那裡。

varnishlog讓我們嘗試通過執行命令來確定是否是這種情況。

假設我們想看一下首頁,那麼您將執行以下命令:

varnishlog -g request -q "ReqUrl eq '/'"

請發送輸出,我會幫你弄清楚發生了什麼。

如果您只想弄清楚X-Forwarded-For標頭髮生了什麼,您可以對所有 URL 執行以下命令:

varnishlog -g request -I ReqHeader:X-Forwarded-For

希望這會有所幫助,如果您需要更多幫助,請發送輸出。

別忘了:Varnish 4 已停產,請考慮升級到 Varnish 6

引用自:https://serverfault.com/questions/1008284