Workaround for Varnish X-Forwarded-For bug

Varnish currently has a bug: it always adds a new X-Forwarded-For header instead of appending to an existing one. This causes problems when Varnish is not the closest trusted server to every client. This workaround requires Pressflow 6.15.67 or later.

On the Varnish side

Add the following to your VCL and restart Varnish.

[...]

sub vcl_recv {
  // Pipe and backend configuration here.

  [...]

  // Rename the incoming XFF header to work around a Varnish bug.
  if (req.http.X-Forwarded-For) {
    // Append the client IP
    set req.http.X-Real-Forwarded-For = req.http.X-Forwarded-For ", " regsub(client.ip, ":.*", "");
    unset req.http.X-Forwarded-For;
  }
  else {
    // Simply use the client IP
    set req.http.X-Real-Forwarded-For = regsub(client.ip, ":.*", "");
  }

  [...]

  // Remaining configuration here.
}

[...]

On the Pressflow side

Add the following to the bottom of your settings.php file.

[...]

$conf['x_forwarded_for_header'] = 'X_REAL_FORWARDED_FOR';
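
How a backend can consume the header the VCL above builds, as an added example that is not part of the original page and is not Pressflow's own code. The function resolve_client_ip, the two-proxy topology and all addresses are assumptions made for illustration.

```php
<?php
// Added illustration, not Pressflow's own ip_address() code.
// All addresses below are constructed documentation-range samples.

// Walk the forwarded-for chain right to left and return the first hop
// that is not one of our own proxies.
function resolve_client_ip(array $server, $header, array $trusted) {
  $remote = $server['REMOTE_ADDR'];
  // PHP exposes the request header "X-Real-Forwarded-For" as
  // $_SERVER['HTTP_X_REAL_FORWARDED_FOR'], hence the setting's spelling.
  $key = 'HTTP_' . $header;
  // Honour the header only when the direct peer is a trusted proxy;
  // anyone who can reach the backend directly can send it.
  if (!in_array($remote, $trusted, TRUE) || empty($server[$key])) {
    return $remote;
  }
  $hops = array_map('trim', explode(',', $server[$key]));
  while ($hops) {
    $hop = array_pop($hops);
    if (filter_var($hop, FILTER_VALIDATE_IP) === FALSE) {
      break; // Malformed entry: do not trust anything further left.
    }
    if (!in_array($hop, $trusted, TRUE)) {
      return $hop;
    }
  }
  return $remote;
}

// Hypothetical topology: client -> load balancer -> Varnish -> Pressflow.
$trusted = array('192.0.2.10', '192.0.2.20'); // load balancer, Varnish

// The client sent a spoofed entry; the balancer appended the real client
// IP; the VCL above appended client.ip (the balancer) and renamed the header.
$via_varnish = array(
  'REMOTE_ADDR' => '192.0.2.20',
  'HTTP_X_REAL_FORWARDED_FOR' => '198.51.100.99, 203.0.113.7, 192.0.2.10',
);
// A request that bypasses Varnish and supplies the header itself.
$direct = array(
  'REMOTE_ADDR' => '203.0.113.50',
  'HTTP_X_REAL_FORWARDED_FOR' => '127.0.0.1',
);

echo resolve_client_ip($via_varnish, 'X_REAL_FORWARDED_FOR', $trusted), "\n";
echo resolve_client_ip($direct, 'X_REAL_FORWARDED_FOR', $trusted), "\n";
```

The first call resolves to the address the load balancer appended rather than the client-supplied left-most entry; the second ignores the header because the connecting peer is not a trusted proxy.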