magento-turpentine

Crawler ACLs issue - X-forwarded-for

Open Nuranto opened this issue 7 years ago • 2 comments

Hello,

In VCL templates, client.ip should be replaced by std.ip(regsub(req.http.X-Forwarded-For, "^(^[^,]+),?.*$", "\1"), client.ip) when checking ACLs. Otherwise it could use 127.0.0.1 as the IP instead of the real user's IP and cause trouble in software. Of course, this issue occurs only if you have a proxy in front of Varnish (which is almost always the case, at least for dealing with HTTPS).

Example:

Before:

if (client.ip ~ crawler_acl ||

After:

if (std.ip(regsub(req.http.X-Forwarded-For, "^(^[^,]+),?.*$", "\1"), client.ip) ~ crawler_acl ||

Nuranto, Aug 29 '18 09:08

To complete @Nuranto's point: when Varnish is behind a local reverse proxy, ACLs are checked against ::1 which is useless and leads to strange behaviors.

bmalynovytch, Aug 29 '18 09:08

Already spotted here: https://github.com/nexcess/magento-turpentine/issues/1390

Nuranto, Aug 29 '18 11:08
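What the expression proposed in the issue evaluates to, as an added Python sketch that is not part of the thread or of magento-turpentine: it emulates regsub and std.ip for literal addresses and adds a variant that honours X-Forwarded-For only when the connection comes from a listed proxy. The ACL contents, the function names and the sample requests are constructed assumptions.

```python
import ipaddress
import re

# Pattern copied verbatim from the issue's regsub() call.
XFF_FIRST = re.compile(r"^(^[^,]+),?.*$")

# Constructed sample ACLs (documentation address ranges), not the project's.
CRAWLER_ACL = [ipaddress.ip_network("192.0.2.10/32")]
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("::1/128")]


def in_acl(ip, acl):
    """True if ip falls inside any network of the ACL."""
    return any(ip in net for net in acl)


def std_ip(value, fallback):
    """Stand-in for std.ip(STRING, fallback); literal addresses only."""
    try:
        return ipaddress.ip_address((value or "").strip())
    except ValueError:
        return fallback


def acl_address(xff, peer):
    """Address the issue's 'After' expression hands to the ACL match."""
    peer_ip = ipaddress.ip_address(peer)
    first = XFF_FIRST.sub(r"\1", xff, count=1) if xff else None
    return std_ip(first, peer_ip)


def acl_address_trusted(xff, peer):
    """Same, but the header counts only when the peer is a known proxy."""
    peer_ip = ipaddress.ip_address(peer)
    if not in_acl(peer_ip, TRUSTED_PROXIES):
        return peer_ip  # direct connection: ignore the header
    return acl_address(xff, peer)


if __name__ == "__main__":
    # Constructed requests: (X-Forwarded-For value, connecting peer)
    for xff, peer in [("203.0.113.7, 127.0.0.1", "127.0.0.1"),
                      (None, "::1"),
                      ("not-an-ip", "127.0.0.1"),
                      ("192.0.2.10", "198.51.100.5")]:
        plain, gated = acl_address(xff, peer), acl_address_trusted(xff, peer)
        print(xff, peer, plain, in_acl(plain, CRAWLER_ACL),
              gated, in_acl(gated, CRAWLER_ACL))
```

The last sample request shows why the header should be set or overwritten by the front proxy: without the peer check, the ACL match is decided by a value the requester supplied.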