Does CaddyServer support PROXY?

I have been setting up CaddyServer to act as an SSL proxy for my Varnish cache servers, and would like to know if CaddyServer can be configured as an invisible proxy. The transparent template for proxy doesn’t seem to do it, that just adds some more headers such as XFF.

We have a load-balancing Cisco Ace first in our stack, and that is set up in such a way so that CaddyServer sees the real IP in {remote} and not the Cisco’s IP:

[31/Mar/2017:11:55:15 +0100] 1.2.3.4 ca-proxy01 GET testssl.mydomain.com /testing/test.png  304 2ms 0 185.47.105.9 https -

Where 1.2.3.4 is actually the IP from my (remote) office, and not the load-balancer IP.

When CaddyServer passes the request to the Varnish node, I get what I’d expect from a non-transparent proxy:

-   ReqStart       192.168.0.1 44808
-   ReqHeader      X-Forwarded-For: 1.2.3.4
-   ReqHeader      X-Forwarded-Proto: https

Here I can see the client IP as being 192.168.0.1, which is the CaddyServer IP, and Caddy has populated the XFF header.

Is there any way to make CaddyServer a transparent proxy?

What do you want Varnish to receive? A HTTP request that looks like it came directly from the client?
You can manipulate upstream and downstream headers, see:
https://caddyserver.com/docs/proxy

I’m not sure on the exact terminology, but an example is the traffic the CaddyServer is getting from my Cisco Ace. Caddy just sees the client IP as being the “real” remote client IP, not the one from the actual next-upstream client, which is the internal Cisco server. I don’t know how it does this.
If I point my Cisco to my varnish servers, they also just see the “client ip” as being the actual remote client IP, as if the proxy wasn’t there. I can still see the headers it adds, like X-Forwarded-For and X-Forwarded-Proto, but to all intents and purposes, it thinks this is a direct connection from the client.

One possibility, because I know Varnish supports it, is the PROXY protocol, which seems to be something HAProxy came up with: Proxy Protocol - HAProxy Technologies

The main advantage is that I don’t have to fill all my code with checks of the XFF header and the client IP, I can just assume the client IP is real.
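An added example in Go (not Caddy's, Varnish's or the poster's code) contrasting the two approaches this post describes: parsing the PROXY protocol v1 header a backend receives at the start of the connection, which is rejected when missing or malformed, beside the X-Forwarded-For trust walk the poster wants to stop writing. The header string and the trusted-proxy address are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

type ClientAddr struct { // original client endpoint carried by a PROXY v1 header
	SrcIP, DstIP     net.IP
	SrcPort, DstPort int
}

// ParseProxyV1 reads one "PROXY TCP4 src dst sport dport\r\n" line from the start of an
// upstream connection. Missing or malformed means reject, never fall back to the TCP peer.
func ParseProxyV1(r *bufio.Reader) (ClientAddr, error) {
	line, err := r.ReadString('\n')
	f := strings.Fields(strings.TrimSuffix(line, "\r\n"))
	if err != nil || len(line) > 108 || !strings.HasSuffix(line, "\r\n") || len(f) != 6 ||
		f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return ClientAddr{}, fmt.Errorf("proxy v1: missing or malformed header %q", line)
	}
	c := ClientAddr{SrcIP: net.ParseIP(f[2]), DstIP: net.ParseIP(f[3])}
	if c.SrcIP == nil || c.DstIP == nil || (f[1] == "TCP4") != (c.SrcIP.To4() != nil) {
		return ClientAddr{}, fmt.Errorf("proxy v1: address does not match %s", f[1])
	}
	if n, _ := fmt.Sscanf(f[4]+" "+f[5], "%d %d", &c.SrcPort, &c.DstPort); n != 2 ||
		c.SrcPort < 0 || c.SrcPort > 65535 || c.DstPort < 0 || c.DstPort > 65535 {
		return ClientAddr{}, fmt.Errorf("proxy v1: bad port in %q", line)
	}
	return c, nil
}

// ClientIPFromXFF is the header check the poster wants to avoid: walk from the TCP peer
// leftwards through X-Forwarded-For, skip only proxies we operate, return the first other hop.
func ClientIPFromXFF(peer, xff string, trusted map[string]bool) string {
	hops := append(strings.Split(xff, ","), peer)
	for i := len(hops) - 1; i >= 0; i-- {
		if h := strings.TrimSpace(hops[i]); h != "" && !trusted[h] {
			return h // everything left of this hop is client-controlled
		}
	}
	return peer // every hop is one of ours; fall back to the TCP peer
}

func main() { // constructed sample: the header Caddy would send ahead of the request logged above
	fmt.Println(ParseProxyV1(bufio.NewReader(strings.NewReader(
		"PROXY TCP4 1.2.3.4 192.168.0.1 44808 443\r\nGET /testing/test.png HTTP/1.1\r\n"))))
}
```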

PROXY protocol support is coming soon, see https://github.com/mholt/caddy/pull/1349

A plugin will provide this functionality.

Great, thanks. That makes me feel better about temporarily hacking in a bunch of “if upstream is Caddy then _dosomething_ else _dosomethingelse_” in my Varnish code.

Internal testing of the new CaddyServer and the major upgrade of Varnish will hopefully take long enough that this will come out before go-live, and I can put it in :slight_smile:

thanks
