Add configurable IP forward header for Varnish purge ACL #114
- Added ip_forward_header field in etc/adminhtml/system.xml
- Set default value X-Forwarded-For in etc/config.xml
- Added getIpForwardHeader() method to Model/Config.php
- Updated Console/Command/GenerateVclCommand.php to include ipForwardHeader
- Updated Model/Varnish/VCLGenerator.php to include ip_forward_header variable
- Updated etc/varnish6.vcl to use std.ip() with the configurable header
Co-authored-by: peterjaap <431360+peterjaap@users.noreply.github.com>
Co-authored-by: peterjaap <431360+peterjaap@users.noreply.github.com>
- Modified etc/varnish6.vcl to use regsub to extract first IP from comma-separated list
- Added test case to verify IP forward header functionality
- All existing tests still pass
Co-authored-by: peterjaap <431360+peterjaap@users.noreply.github.com>
@toonvd did it get it right in one go?! I got mad prompt engineering skills.
| # Set up ACL with a single whitelisted IP that is not the test client | ||
| shell { | ||
| export ACCESS_LIST="whitelisted" | ||
| export WHITELISTED_IP="10.0.0.1" |
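Review bot: the setup around `export WHITELISTED_IP="10.0.0.1"` shows only one allowed address, which the comment says is not the test client, so the test's outcome rests entirely on which address the header check selects. If the test does not already do so, assert both directions: a purge whose forwarded header starts with 10.0.0.1 is accepted, and a purge with no forwarded header is rejected because the client address is checked instead.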
export SERVER1_IP="10.0.0.1"
| # Generate the VCL file based on included variables and write it to output.vcl | ||
| # Set up ACL with a single whitelisted IP that is not the test client | ||
| shell { | ||
| export ACCESS_LIST="whitelisted" |
should not be set as SERVER1_IP overrides it
@peterjaap looks good, I have to add that this can be solved without a regex with Varnish in proxy mode.
Huh, just noticed Guillaume also uses the 0.0.0.0 as a fallback there?
In Belgium we say, if Guillaume jumps from a bridge... :3
I like this change. @toonvd is right, but I think this is also a good option to have.
Adds backend configuration for specifying which HTTP header (e.g., X-Forwarded-For, X-Real-IP) to use when checking purge request authorization against the ACL.

Changes

Configuration
- ip_forward_header field in admin panel (defaults to X-Forwarded-For)
- getIpForwardHeader() method to Model/Config.php

VCL Template
Updated purge ACL checks to use configurable header with first-IP extraction:

The regsub() extracts the first IP from comma-separated lists (common when requests traverse multiple proxies), falling back to client.ip if header is absent or unparseable.

Testing
- ip_forward_header.vtc test case
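
A model of the selection the description above outlines, as an added example (Python, not the module's VCL and not code from this PR): take the first entry of the configured header, fall back to the connecting address when the header is absent or unparseable, then match against the ACL. The function names and every sample address other than 10.0.0.1 are constructed for illustration.

```python
import ipaddress

# Constructed ACL, using the single allowed address from the test setup above.
PURGE_ACL = ["10.0.0.1"]


def first_forwarded_ip(header_value, client_ip):
    """Pick the address the ACL check will evaluate.

    Models the described behaviour: first entry of a comma-separated
    header, or client_ip when the header is absent or unparseable.
    """
    fallback = ipaddress.ip_address(client_ip)
    if not header_value:
        return fallback
    first = header_value.split(",", 1)[0].strip()
    try:
        return ipaddress.ip_address(first)
    except ValueError:
        return fallback


def purge_allowed(header_value, client_ip, acl=PURGE_ACL):
    """Return True when the selected address matches an ACL entry."""
    addr = first_forwarded_ip(header_value, client_ip)
    # strict=False lets an entry be a single host or a CIDR range.
    return any(addr in ipaddress.ip_network(e, strict=False) for e in acl)


# Constructed requests: (header value, connecting address).
SAMPLES = [
    ("10.0.0.1", "192.0.2.7"),              # single entry
    ("10.0.0.1, 192.0.2.7", "192.0.2.7"),   # list: first entry is used
    ("192.0.2.7, 10.0.0.1", "192.0.2.7"),   # later entries are ignored
    (None, "10.0.0.1"),                     # header absent: client address
    ("unknown", "192.0.2.7"),               # unparseable: client address
]


def evaluate(samples=SAMPLES):
    return [purge_allowed(h, c) for h, c in samples]


if __name__ == "__main__":
    # The decision follows the header whenever it parses, so the header
    # must be set or overwritten by a proxy you control.
    for (h, c), ok in zip(SAMPLES, evaluate()):
        print(f"header={h!r:24} client={c:10} purge_allowed={ok}")
```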