I discovered that security.vcl's cloak.vcl removes X-Forwarded-For and X-Varnish.
I can understand the reasoning for doing this (making proxied connections more anonymous at the backend server), but it also creates a bigger burden when you are responsible for both backend and frontend servers (where the client won't be anonymous because you control the whole chain). It simply makes both debugging and logging harder.
The workaround solution for this is simple:
diff --git a/vcl/modules/cloak.vcl b/vcl/modules/cloak.vcl
index 5a7bda7..0988022 100644
--- a/vcl/modules/cloak.vcl
+++ b/vcl/modules/cloak.vcl
@@ -94,6 +94,6 @@ sub vcl_recv {
# Try to obscure the client-to-backend comms as well
sub vcl_miss {
# remove bereq.http.User-agent;
- remove bereq.http.X-Forwarded-For;
- remove bereq.http.X-Varnish;
+ # remove bereq.http.X-Forwarded-For;
+ # remove bereq.http.X-Varnish;
}
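Review bot: in vcl_miss, all three remove statements end up commented out, so the sub does nothing while the comment above it still reads "Try to obscure the client-to-backend comms as well". Rather than leaving unexplained dead lines, either delete the two removes or add a comment at that spot saying that X-Forwarded-For and X-Varnish are kept for backend logging and debugging, and that uncommenting them restores the cloaking behaviour. That way the file itself documents the trade-off and how to switch it back.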
Please consider using this as a standard setup ... or at least more clearly document that these variables are removed and how to re-enable them.
Your patch kind of defeats the purpose of cloak.vcl. I would recommend disabling the cloak module in your setup. That might be the default in VSF, https://github.com/comotion/VSF