varnish 4 https ssl nginx

https -> SSL Termination (nginx) -> Cache (varnish) -> web (nginx)
http -> Cache (varnish) -> web (nginx)

https://www.digitalocean.com/community/tutorials/how-to-configure-varnish-cache-4-0-with-ssl-termination-on-ubuntu-14-04

Varnish does not support HTTPS backends

Accessing HTTPS backends in Varnish isn't supported. Varnish speaks HTTP to the backends.

http://stackoverflow.com/questions/16840673/using-varnish-with-saas-https-backend-servers

Cache (varnish) -> https backend is not possible

real_ip_recursive nginx

real_ip_recursive on is required on web (nginx)

For example, with this config:

set_real_ip_from 127.0.0.1;
set_real_ip_from 192.168.2.1;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

http://serverfault.com/questions/314574/nginx-real-ip-header-and-x-forwarded-for-seems-wrong

mod_remoteip X-Forwarded-For apache

https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html

[client ip] -> | [cache server ip] https SSL Termination (nginx) -> Cache (varnish) | -> web (apache)

REMOTE_ADDR is [cache server ip]
X-Forwarded-For is "[client ip], 127.0.0.1"

LoadModule remoteip_module libexec/apache24/mod_remoteip.so

RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy [cache server ip]
RemoteIPTrustedProxy 127.0.0.1

Change %h in LogFormat to %a

REMOTE_ADDR becomes [client ip], so %a holds [client ip]

Explanation of mod_remoteip

mod_remoteip Part 1 | しんじつのなみだ
mod_remoteip Part 2 | しんじつのなみだ
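The same address-resolution logic underlies real_ip_recursive on in nginx and RemoteIPInternalProxy / RemoteIPTrustedProxy in mod_remoteip: walk X-Forwarded-For from the right, drop every hop that is one of our own proxies, and stop at the first address that is not. The model below is an added example, not code from the note, nginx, or Apache. The addresses are constructed (203.0.113.10 as the client, 192.168.2.1 as the cache server, 127.0.0.1 as the nginx -> Varnish hop), and header_seen_by_web_server is an assumption about what the chain in the note produces (nginx appends the client address, Varnish's builtin vcl_recv appends 127.0.0.1).

```python
import ipaddress

# Constructed sample addresses (not from the original note): 203.0.113.10 is
# the client, 192.168.2.1 the cache server (the address Varnish connects to
# the web server from), 127.0.0.1 the loopback hop from nginx to Varnish.
CLIENT_IP = "203.0.113.10"
CACHE_SERVER_IP = "192.168.2.1"

# The proxies we own; equivalent to set_real_ip_from (nginx) or
# RemoteIPInternalProxy / RemoteIPTrustedProxy (Apache).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1", "192.168.2.1")]


def is_trusted(addr):
    """True if addr belongs to one of the configured proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(remote_addr, x_forwarded_for, recursive):
    """Return the address the web server should record as the client.

    remote_addr:     the TCP peer (nginx $remote_addr / Apache REMOTE_ADDR
                     before substitution).
    x_forwarded_for: raw X-Forwarded-For header value, or None.
    recursive=False: model of nginx 'real_ip_recursive off': if the peer is
                     trusted, take the rightmost header entry as-is.
    recursive=True:  model of 'real_ip_recursive on' and of mod_remoteip: walk
                     the chain from the right, skipping every trusted hop, and
                     stop at the first address that is not one of our proxies.
    """
    if not is_trusted(remote_addr) or not x_forwarded_for:
        # A header sent by an untrusted peer is never believed.
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    if not hops:
        return remote_addr
    if not recursive:
        return hops[-1]
    candidate = remote_addr
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop and keep the last valid hop
        candidate = hop
        if not is_trusted(hop):
            break
    return candidate


def header_seen_by_web_server(client_supplied_xff=None):
    """Assumed model of what the chain in the note does to X-Forwarded-For:
    nginx appends the client's address ($proxy_add_x_forwarded_for keeps
    anything the client sent), then Varnish's builtin vcl_recv appends the
    address it saw nginx connect from, 127.0.0.1."""
    xff = CLIENT_IP if not client_supplied_xff else f"{client_supplied_xff}, {CLIENT_IP}"
    return f"{xff}, 127.0.0.1"


if __name__ == "__main__":
    honest = header_seen_by_web_server()
    spoofed = header_seen_by_web_server("127.0.0.1")
    for label, xff in (("honest", honest), ("spoofed", spoofed)):
        for recursive in (False, True):
            print(label, "recursive=%s" % recursive, repr(xff), "->",
                  resolve_client_ip(CACHE_SERVER_IP, xff, recursive))
```

With recursion off the web server records 127.0.0.1 (the rightmost hop, i.e. the Varnish side of the loopback), which is why the note says real_ip_recursive on is required. With recursion on, a client that sends its own X-For-warded-For containing a trusted address does not get that address recorded either, because the walk from the right stops at the first untrusted hop, which is the address nginx itself appended. The whole scheme only holds if every proxy in the trusted list appends to the header and nothing else can connect to the web server from a trusted address.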

purge control

vcl 4.0;
import std;

# Only these addresses may issue PURGE (VCL 4 requires the entries to be quoted)
acl purge {
  "192.168.0.0"/24;
  "127.0.0.1";
}

sub vcl_recv {
  if (req.method == "PURGE") {
    # For HTTPS requests client.ip is always the SSL terminator (127.0.0.1),
    # so check the X-Real-IP header set by nginx instead
    if (std.ip(req.http.x-real-ip, "0.0.0.0") ~ purge) {
      return (purge);
    } else {
      return (synth(403));
    }
  }
}

https://info.varnish-software.com/blog/failure-to-purge-a-story-about-client.ip-and-proxies

https://stackoverflow.com/questions/20349943/varnish-nginx-ssl-ip-detection-issue
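Why the VCL above checks X-Real-IP rather than client.ip: every HTTPS request reaches Varnish from the nginx SSL terminator on 127.0.0.1, which is itself in the purge ACL, so a client.ip check would let any HTTPS client purge. The model below is an added example, not code from the note or from Varnish. It assumes that nginx sets X-Real-IP from $remote_addr (overwriting any value the client sent) and uses constructed addresses (192.168.0.5 as an allowed host, 203.0.113.99 as an outsider). The third mode, real_ip_from_terminator, is a hardening suggestion that goes beyond the note's VCL: it only trusts X-Real-IP when the connection actually comes from the terminator, which matters because plain HTTP reaches Varnish directly in this setup.

```python
import ipaddress

# The purge ACL from the VCL in the note.
PURGE_ACL = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "127.0.0.1")]

# Constructed sample addresses (not from the note).
SSL_TERMINATOR_IP = "127.0.0.1"   # nginx on the same host connects to Varnish from here
ADMIN_IP = "192.168.0.5"          # a host that should be allowed to purge
OUTSIDER_IP = "203.0.113.99"      # any other client


def in_acl(addr, acl=PURGE_ACL):
    """Model of 'ip ~ acl' in VCL."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in acl)


def std_ip(value, fallback="0.0.0.0"):
    """Model of VCL std.ip(STRING, IP): the string if it parses as an
    address, otherwise the fallback."""
    if value is None:
        return fallback
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return fallback


def effective_ip(client_ip, headers, mode):
    """Which address the ACL is matched against.

    client_ip: what VCL sees as client.ip, i.e. the TCP peer; for every HTTPS
               request that is the nginx SSL terminator, not the user.
    headers:   request headers with lower-cased names.
    mode:      'client_ip'  -> client.ip (the variant the note replaces)
               'real_ip'    -> X-Real-IP with 0.0.0.0 fallback (the note's VCL)
               'real_ip_from_terminator' -> X-Real-IP only when the peer is the
               terminator, client.ip otherwise (hardened variant, an assumption)
    """
    if mode == "client_ip":
        return client_ip
    if mode == "real_ip":
        return std_ip(headers.get("x-real-ip"))
    if mode == "real_ip_from_terminator":
        if client_ip == SSL_TERMINATOR_IP:
            return std_ip(headers.get("x-real-ip"))
        return client_ip
    raise ValueError("unknown mode: %s" % mode)


def purge_decision(method, client_ip, headers, mode="real_ip"):
    """Status Varnish would answer with: None for non-PURGE requests (normal
    lookup), 200 when return(purge) is taken, 403 for synth(403)."""
    if method != "PURGE":
        return None
    return 200 if in_acl(effective_ip(client_ip, headers, mode)) else 403


if __name__ == "__main__":
    cases = [
        ("HTTPS outsider", SSL_TERMINATOR_IP, {"x-real-ip": OUTSIDER_IP}),
        ("HTTPS admin", SSL_TERMINATOR_IP, {"x-real-ip": ADMIN_IP}),
        ("HTTP admin, no header", ADMIN_IP, {}),
        ("HTTP outsider, spoofed header", OUTSIDER_IP, {"x-real-ip": ADMIN_IP}),
    ]
    for mode in ("client_ip", "real_ip", "real_ip_from_terminator"):
        for label, peer, hdrs in cases:
            print(mode, label, "->", purge_decision("PURGE", peer, hdrs, mode))
```

Running it shows the two failure modes on either side of the note's VCL: client_ip lets every HTTPS client purge because 127.0.0.1 is in the ACL, while real_ip alone denies a legitimate HTTP purge from 192.168.0.5 (no header, so 0.0.0.0) and accepts a spoofed X-Real-IP on a direct HTTP connection. Keeping the header check conditional on client.ip being the terminator closes both gaps; in VCL that is a client.ip ~ terminator test around the std.ip() check, with a plain client.ip ~ purge check for everything else.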