Varnish: filter by Source IP using Varnishlog (in Varnish 2.x, 3.x and 4.x)

Want to help support this blog? Try out Oh Dear, the best all-in-one monitoring tool for your entire website, co-founded by me (the guy that wrote this blogpost). Start with a 10-day trial, no strings attached.

We offer uptime monitoring, SSL checks, broken links checking, performance & cronjob monitoring, branded status pages & so much more. Try us out today!

Profile image of Mattias Geniar

Mattias Geniar, November 26, 2011

Follow me on Twitter as @mattiasgeniar

This is a small follow-up for the varnishlog-oneliners post, on how to use the varnishlog to show you only the logs being caused by a specific source IP. Very useful if you want to debug your own traffic on a Varnish machine that is in production. You can filter on IPv4 and IPv6 IPs.

Varnish 2.x

The layout looks like this, for the client requests (-c) parameter.

# varnishlog -c -o SessionOpen $IP
# varnishlog -c -o SessionOpen 10.0.1.5

To see the backend requests, you can match on the TxHeader.

# varnishlog -b -o TxHeader $IP
# varnishlog -b -o TxHeader 10.0.1.5

Varnish 3.x

For Varnish 3.x, use something like this.

# varnishlog -c -m ReqStart:$IP
# varnishlog -c -m ReqStart:10.0.1.5
# varnishlog -c -m ReqStart:2a03:2880:10:cf07:face:b00c::1

To see the backend requests, match on the TxHeader.

# varnishlog -b -m TxHeader:$IP
# varnishlog -b -m TxHeader:10.0.1.5
# varnishlog -b -m TxHeader:2a03:2880:10:cf07:face:b00c::1

If you want to filter on an X-Forwarded-For header, instead of the IP directly connecting (because there may be another load balancer in between), you can filter using the RxHeader.

# varnishlog -c -m RxHeader:$IP
# varnishlog -b -m RxHeader:10.0.1.5
# varnishlog -b -m RxHeader:2a03:2880:10:cf07:face:b00c::1

For IPv6 IP addresses, there is no need to encapsulate in [] square brackets.

Varnish 4.x

The varnishlog syntax and inner workings changed significantly in Varnish 4, and all examples from Varnishlog 3.x are no longer valid.

Here’s how you can filter based on a single connecting IP.

# varnishlog -q "ReqStart ~ '10.0.1.5'"

And here’s how you can use an arbitrary header, like an X-Forwarded-For.

# varnishlog -q "ReqHeader eq 'X-Forwarded-For: 10.0.1.5'"

That’s it.



Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.