Varnish/Cloudflare/SSL and real IP addresses


#1

So, I have always had DreamPress with SSL and Cloudflare. Up until about late August I used to have real IP addresses of clients in my logs. Since then I only see the Cloudflare addresses.

Now DreamPress includes Varnish (the awesome reverse proxy that caches pages in memory). Varnish doesn’t natively cache with SSL, and it didn’t on my site until about late August or early September. I was very happy to see the Varnish cache headers in my responses. But then I discovered the logging issue.

A popular way of getting Varnish cache to work with SSL is to put up nginx in front of Varnish to grab the HTTPS call, then send an HTTP request to Varnish, which can then handle caching the request.

I have a feeling that DreamPress added the nginx layer but didn’t set up the module ngx_http_realip_module in nginx as shown here: https://support.cloudflare.com/hc/en-us/articles/200170706-How-do-I-restore-original-visitor-IP-with-Nginx-.

I’ve had various support tickets about this and they keep blaming WordPress. I’ve written a PHP page that is outside the WordPress framework and that page still has the same issue. Considering WordPress isn’t at all involved with calling that page, it completely eliminates WordPress from the equation. Support keeps trying to punt and I’m at a loss.

Anyone else have a similar problem or know how DreamPress is set up to get SSL (HTTPS) to play with Varnish? The nginx is just an assumption on my part.


#2

Sorry to rein in on your question with no answer but I would just like to point out that if your server does indeed use nginx then you should ask DreamHost if they’re willing to remove Varnish and enable nginx’s own cache system - it provides superior performance and uses significantly less resources. You could potentially double or triple the number of hits per second your website can handle.


#3

Varnish is a core component of DreamPress, and cannot be disabled. If you don’t want it, you should move your site to a VPS or dedicated server.

@drestauro: The issue you’re referencing here is a bit weirder. Essentially, both CloudFlare and Varnish are setting an “origin IP” header on the requests they forward on, and the web server ends up checking the wrong one when both are present. We’re aware of the issue and are working on a solution; in the meantime, we recommend disabling CloudFlare for your site if this is posing a problem.
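
An added example, not part of the thread and not DreamHost's code: one way an origin can pick the address to log when a CDN and local proxies each append to `X-Forwarded-For`, by walking the header right to left and stopping at the first hop that is not a trusted proxy. The hop order (client, CDN edge, nginx, Varnish, backend), the function names and all addresses are assumptions; the ranges are constructed documentation ranges, not Cloudflare's published list.

```python
import ipaddress

LOCAL_ONLY = ["127.0.0.0/8"]                # constructed: nginx/Varnish on loopback
WITH_CDN = LOCAL_ONLY + ["198.51.100.0/24"]  # constructed stand-in for the CDN edge ranges


def _parse(text):
    """Return an ip_address object, or None for a malformed entry."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_ip(peer, headers, trusted_ranges):
    """Address to log for a request whose TCP peer is `peer`."""
    nets = [ipaddress.ip_network(r) for r in trusted_ranges]

    def trusted(ip):
        return ip is not None and any(ip in n for n in nets)

    current = _parse(peer)
    if not trusted(current):
        # Direct connection: forwarding headers are client-controlled, ignore them.
        return peer
    xff = {k.lower(): v for k, v in headers.items()}.get("x-forwarded-for", "")
    for hop in reversed([h for h in xff.split(",") if h.strip()]):
        ip = _parse(hop)
        if ip is None:
            break          # malformed entry: keep the last address we could verify
        current = ip
        if not trusted(ip):
            break          # first untrusted hop from the right is the client
    return str(current)


# Constructed request as the backend would see it: the client's own forged
# entry comes first, then the hops appended by the CDN, nginx and Varnish.
SAMPLE = {"X-Forwarded-For": "10.9.9.9, 203.0.113.7, 198.51.100.23, 127.0.0.1"}

if __name__ == "__main__":
    print(client_ip("127.0.0.1", SAMPLE, WITH_CDN))    # visitor address
    print(client_ip("127.0.0.1", SAMPLE, LOCAL_ONLY))  # CDN edge address
```

With the CDN ranges missing from the trusted list, the result is the edge address, which matches the symptom described in post #1; the forged leftmost entry is never returned in either case.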