Apache - Setup basic authentication when Apache is behind a cache server?

To set a basic authentication for a directory in Apache, add the following lines to your Apache config file (usually in /etc/apache2/site-available/default):

        <Directory "/var/www/myapp/">
                Order deny,allow
                Allow from 172.0.0.0/8
                Deny from all   

                AuthType Basic
                AuthName "Authentication Required"
                AuthUserFile "/etc/apache2/pwd-reset.conf"
                Require valid-user
        </Directory>

With the above setting, apache will only allow internal IP address access /var/www/myapp/ directory, and deny all request from outside that IP range (172.0.0.0/8).

For more options, read the Apache documentation: http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html


But, the question is:

what if Apache stands behind a cache server (e.g. Varnish)?

If there is a proxy or cache server placed between users and the apache, all the requests come to apache will be recognized as proxy/cache server requests (proxy/cache server IP). It means that the above setting will not function as desired.

So, thing we have to do here is to make Apache recognize the real IP addresses of clients from http requests instead of  proxy/cache server IP. And with the real IP addresses, Apache authentication filter IP range base can function correctly.

I will make a simulation demo and update this blog post later when I have chance.

For now, you can read the following links:
http://serverfault.com/questions/340500/varnish-forward-client-ip-address-to-backend
http://easyos.net/articles/bsd/freebsd/getting_real_ip_through_varnish_for_apache_and_php