How to get varnish client.ip behind ELB
I needed to filter access by IP using a Varnish ACL, but when your Varnish is behind an Amazon ELB load balancer, by default it doesn't work, so here is the solution! Tested using Amazon Linux AMI release 2015.03.
We will need to install libvmod-ipcast.
The installation can be a little harder than it seems, because it requires a compiled Varnish source tree.
#Prerequisite installs
yum install libtool pcre-devel libedit-devel.x86_64
#Compiling varnish
mkdir /root/sources && cd /root/sources
cd varnish-3.0.5/
./configure --prefix=/root/sources/
#Finally installing the libvmod
wget ''
./configure VARNISHSRC=/root/sources/varnish-3.0.5/ VMODDIR=/usr/lib64/varnish/vmods/
make install
#Configuring varnish vcl
import ipcast;
acl in {
    ""; ### Embratel
}
sub vcl_recv {
    # Keep only the first address listed in X-Forwarded-For
    set req.http.xff = regsub(req.http.X-Forwarded-For, "^(^[^,]+),?.*$", "\1");
    if (ipcast.ip(req.http.xff, "") == "") {
        error 400 "Bad request";
    }
    if (ipcast.ip(req.http.xff, "") !~ in) {
        error 403 "Forbidden";
    }
}
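The regsub in the VCL above keeps the first X-Forwarded-For entry. ELB appends the address of the connecting client to the end of whatever X-Forwarded-For value the request already carried, so the entry ELB itself wrote is the last one; the following Python model of the 400/403 flow (an added example, not code from the original post) makes the ACL decision on that last entry. The allow-list range, function names and sample headers are constructed for illustration.

```python
import ipaddress

# Constructed allow-list (documentation range); the post's own ACL entry is not shown.
ALLOWED = [ipaddress.ip_network("192.0.2.0/24")]


def elb_client_ip(xff):
    """Return the address the load balancer appended (the last entry), or None."""
    if not xff:
        return None
    last = xff.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last)
    except ValueError:
        # Not an IP literal: treated like the VCL "Bad request" branch.
        return None


def acl_status(xff, allowed=ALLOWED):
    """Mirror the VCL flow: 400 if unusable, 403 if outside the ACL, else 200."""
    ip = elb_client_ip(xff)
    if ip is None:
        return 400
    if not any(ip in net for net in allowed):
        return 403
    return 200


# Constructed sample header values, as the backend would receive them from ELB.
SAMPLES = [
    "192.0.2.10",                # only the ELB-added entry, inside the ACL
    "192.0.2.10, 203.0.113.7",   # header already present; ELB added 203.0.113.7
    "203.0.113.7, 192.0.2.10",   # header already present; ELB added 192.0.2.10
    "not-an-ip",                 # unparsable value
    "",                          # header missing or empty
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value), "->", acl_status(value))
```

In VCL the same selection is a regsub that strips everything up to and including the last comma before the value is passed to ipcast.ip.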
