For CATSA the real IP address is no longer being passed through so members are getting access denied on their contact reports.
Type access denied
Date Wednesday, October 12, 2022 - 09:02
User Anonymous (not verified)
Location https://www.catsa-acsta.gc.ca/en/admin/reports/catsa/contact/reports/1665576000?destination=admin/reports/catsa/contact/reports/1665576000
Referrer https://www.catsa-acsta.gc.ca/en/admin/reports/catsa/contact/reports/1665576000
Message admin/reports/catsa/contact/reports/1665576000
Severity warning
Hostname 127.0.0.6
This problem occurred due to the Istio upgrade of which the gateway IP address is now set to 127.0.0.6 by default.
We were only left shiting for 127.0.0.1 via an exact match in varnish which was no longer correct.
The following correction using a regex in the varnish configuration has fixed the problem and the correct IP address is now being sent.
# Don't add 127.0.0.x to X-Forwarded-For
set bereq.http.X-Forwarded-For = regsub(bereq.http.X-Forwarded-For, "(, )?127\.0\.0\.\d$", "");
Last updated: October 17, 2022 at 6:06 PM UTC