Allow/Reject IP at Varnish Level

30 Mar 2014 by Tejprakash Sharma

I am using Varnish with Apache in one of my projects, and I had a use case to allow the admin panel only from a few IPs. If you are using only Apache, you can easily do this by adding a few rules in Apache to limit access, but with Varnish in front, Apache sees only the localhost IP instead of the real client IP. So you need to block these IPs at the Varnish level. To allow/block IPs in Varnish, create an ACL (Access Control List) in the Varnish default configuration file and use that ACL for access control.

Whitelist: Add the following lines to /etc/varnish/default.vcl

acl Whitelist {
    "localhost";      # the Varnish host itself
    "11.22.33.44";    # an address allowed to reach the admin panel
}

This creates an ACL named Whitelist. List in this block the IPs you want to whitelist for your server.

sub vcl_recv {
    # Deny the admin panel unless the client address is in the Whitelist ACL.
    # The ACL name is referenced unquoted; a quoted name would not compile.
    if (req.url ~ "^/administrator" && !(client.ip ~ Whitelist)) {
        error 403 "Access denied";
    }
}

Add the above block to /etc/varnish/default.vcl; it allows access to the admin panel only from the IPs specified in the Whitelist ACL. Everyone else gets a 403 error. You can give a custom error code or message too.

Blacklist: Add the following lines to /etc/varnish/default.vcl

acl Blacklist {
    "11.11.11.11";    # an address denied access to the admin panel
}

This creates an ACL named Blacklist. List in this block the IPs you want to blacklist for your server.

sub vcl_recv {
    # Deny the admin panel when the client address is in the Blacklist ACL.
    if (req.url ~ "^/administrator" && (client.ip ~ Blacklist)) {
        error 403 "Access denied";
    }
}

Add the above block to /etc/varnish/default.vcl; it allows access to the admin panel from all IPs except those specified in the Blacklist ACL.
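As an added check that is not part of the original post, the following Python models both vcl_recv rules above (whitelist and blacklist) so you can confirm which client addresses would reach the admin panel before reloading Varnish; the ACL contents are constructed, "localhost" is written as 127.0.0.1 because Varnish resolves hostnames at VCL load time, and the 10.0.0.0/8 entry stands for a Varnish-style "network"/prefix range.

```python
import ipaddress
import re

# Constructed ACLs mirroring the post's Whitelist and Blacklist blocks.
# Entries are single hosts or network ranges, as Varnish ACLs allow.
WHITELIST = ["127.0.0.1", "11.22.33.44", "10.0.0.0/8"]
BLACKLIST = ["11.11.11.11"]

# Same anchored, case-sensitive regex as in the post's vcl_recv rules.
ADMIN_URL = re.compile(r"^/administrator")


def acl_match(client_ip, acl):
    """Model of `client.ip ~ ACL`: true when the address equals an entry
    or falls inside one of the listed networks."""
    addr = ipaddress.ip_address(client_ip)
    for entry in acl:
        # A bare address becomes a /32 (or /128) network.
        if addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def vcl_recv_whitelist(url, client_ip):
    """Whitelist rule: admin URL and client NOT in Whitelist -> 403,
    everything else passes through to the backend."""
    if ADMIN_URL.search(url) and not acl_match(client_ip, WHITELIST):
        return 403
    return "pass"


def vcl_recv_blacklist(url, client_ip):
    """Blacklist rule: admin URL and client in Blacklist -> 403."""
    if ADMIN_URL.search(url) and acl_match(client_ip, BLACKLIST):
        return 403
    return "pass"


if __name__ == "__main__":
    for ip in ("11.22.33.44", "10.20.30.40", "8.8.8.8", "11.11.11.11"):
        print(ip, "whitelist:", vcl_recv_whitelist("/administrator/", ip),
              "blacklist:", vcl_recv_blacklist("/administrator/", ip))
```

Keep in mind that client.ip is the address of the TCP peer: if a load balancer sits in front of Varnish, every request arrives from the balancer's address, so the whitelist becomes all-or-nothing and the real client must be taken from a trusted forwarding header instead.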
