Hi, guys.
I have been reading the documentation of Caddy v2 and I have not found anything truly helpful about manipulating headers in the reverse_proxy directive, besides this:
header_up Sets, adds, removes, or performs a replacement in a request header going upstream to the backend.
header_down Sets, adds, removes, or performs a replacement in a response header coming downstream from the backend.
Is there any documentation about this? I need to learn more about this subject to solve a problem I’m having with the reverse_proxy directive in Caddy v2.
The only thing I think is not explained here is the [+|-] syntax. + before a header (e.g. +Server) tells Caddy to add it as a new header rather than setting an existing instance of the header (this can result in two Server headers being sent). - before a header instructs Caddy to strip the header entirely (and renders the [<value|regexp> [<replacement>]] fields fairly redundant, I believe).
I’m probably looking in the wrong place for how to solve my problem.
Basically: Caddy → Varnish → Node.js application
In the Varnish default.vcl there is an acl that does not work, because to Varnish all hosts have the IP 127.0.0.1. That’s why I was asking you guys for documentation about header_up and header_down; I thought the issue may be related to headers. I don’t know if the issue is related to Varnish.
Oh, sorry – did you mean that this is the actual (X) problem?
By default, Caddy 2 sends all (non-hop-by-hop) incoming headers to the upstream as they are. But it depends: where is Varnish getting the IP “127.0.0.1” from?
Yes, I get that, but where is it getting that number? What does “sees it as” really mean? Is it looking at a connection’s remote address? or a Host header? or another header? Is it getting that from some configuration? I don’t know how Varnish works, so we’ll need more details. You might consider asking on the Varnish forums if you need help finding out.
You need to tell Varnish to use X-Forwarded-For to determine its client IP addresses instead of the remote IP. That header is the standard for proxies communicating the origin IP of the client.
Not sure how to do this in VCL, sorry.
It’s not possible, realistically, to spoof the actual remote IP address. Doing so would involve having return traffic go directly to the spoofed IP address, for one problem.
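The client-IP logic the thread is circling, as an added example that is not part of the original posts and is not Caddy or Varnish code: a hop behind the proxies trusts X-Forwarded-For only when the connection itself comes from a known proxy, then walks the list from the right and takes the first address that is not a proxy, because entries further left are whatever the client chose to send. It is written in JavaScript since the backend in this chain is Node.js; the proxy list, the allowed range and the function names are assumptions, it handles IPv4 only, and it assumes each proxy appends the address it saw connect.

```javascript
// Added example: the proxy list and the ACL range are constructed sample values.
const TRUSTED_PROXIES = ["127.0.0.1/32"]; // assumption: Caddy and Varnish connect over loopback
const ALLOWED_CLIENTS = ["192.0.2.0/24"]; // assumption: stands in for the real ACL

// Convert a dotted-quad IPv4 string to an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// True if ip falls inside the CIDR block (for example "192.0.2.0/24").
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const a = ipv4ToInt(ip), b = ipv4ToInt(base), bits = Number(bitsStr);
  if (a === null || b === null) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

const inAny = (ip, list) => list.some((c) => inCidr(ip, c));

// remoteAddr is the TCP peer address; xff is the raw X-Forwarded-For value.
// The header is honoured only when the peer is a trusted proxy, and the result
// is the rightmost entry that is not itself a trusted proxy.
function clientIp(remoteAddr, xff) {
  if (!inAny(remoteAddr, TRUSTED_PROXIES)) return remoteAddr; // direct peer: ignore header
  const hops = (xff || "").split(",").map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (ipv4ToInt(hops[i]) === null) return null; // malformed entry: fail closed
    if (!inAny(hops[i], TRUSTED_PROXIES)) return hops[i];
  }
  return remoteAddr; // header absent or only proxies listed
}

// ACL decision on the resolved address, denying when it cannot be resolved.
function isAllowed(remoteAddr, xff) {
  const ip = clientIp(remoteAddr, xff);
  return ip !== null && inAny(ip, ALLOWED_CLIENTS);
}
```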