Issues restricting HTTP purges based on an ACL
Dridi Boukelmoune
dridi.boukelmoune at zenika.com
Wed Feb 26 11:58:59 CET 2014
On Tue, Feb 25, 2014 at 6:32 PM, Andrew Langhorn
<andrew.langhorn at digital.cabinet-office.gov.uk> wrote:
> Hi Dridi,
>
> Unfortunately, I see no references to the purge method being actioned in the
> varnishlog. I would have thought I would see it there, but it appears not.
> Perhaps this means the purge isn't being completed successfully?
When in doubt, std.log :)
https://www.varnish-cache.org/docs/3.0/reference/vmod_std.html#log
> Andrew
>
>
> On 25 February 2014 17:05, Dridi Boukelmoune <dridi.boukelmoune at zenika.com>
> wrote:
>>
>> On Tue, Feb 25, 2014 at 5:31 PM, Andrew Langhorn
>> <andrew.langhorn at digital.cabinet-office.gov.uk> wrote:
>> > Hi all,
>> >
>> > I have joined this list hoping that someone can help me with an issue I
>> > have with restricting Varnish HTTP purges to a defined ACL of IPs.
>> >
>> > Our CDN provider uses Varnish 2.x (not 3), so I've been following this
>> > tutorial on implementing restrictions on HTTP Purges:
>> > https://www.varnish-cache.org/docs/2.1/tutorial/purging.html.
>>
>> Hi,
>>
>> If you issue an https request, the value of client.ip belongs to your
>> ssl/tls endpoint, which may be allowed by your ACL. You should maybe
>> rely on the X-Forwarded-For header instead (I believe you can trust
>> the XFF header sent by your CDN provider).
>>
>> What do you see in varnishlog?
>>
>> Best Regards,
>> Dridi
>>
>> > The section that Varnish seems to trip up on is:
>> >
>> > if (req.request == "PURGE") {
>> >     if (!client.ip ~ purge) {
>> >         error 403 "Forbidden";
>> >     }
>> >     return (lookup);
>> > }
>> >
>> > When trying to purge the cache via the API from an IP outside of the
>> > ACL, it is still accepted and purged. The second line of this block -
>> > if (!client.ip ~ purge) { - seems to be the logic that isn't accepted
>> > properly. I thought that including the bang outside of the brackets
>> > might fix the issue, but it doesn't.
>> >
>> > I've only used Varnish a few times beforehand, so would appreciate any
>> > assistance anyone can provide.
>> >
>> > Thanks in advance.
>> >
>> > Kind regards,
>> >
>> > Andrew Langhorn
>> > Web Operations
>> > Government Digital Service
>> >
>> > e: andrew.langhorn at digital.cabinet-office.gov.uk
>> > t: +44 (0)7810 737375
>> > a: 6th Floor, Aviation House, 125 Kingsway, London, WC2B 6NH
>> >
>> > _______________________________________________
>> > varnish-misc mailing list
>> > varnish-misc at varnish-cache.org
>> > https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
>
> --
> Kind regards,
>
> Andrew Langhorn
> Web Operations
> Government Digital Service
>
> e: andrew.langhorn at digital.cabinet-office.gov.uk
> t: +44 (0)7810 737375
> a: 6th Floor, Aviation House, 125 Kingsway, London, WC2B 6NH
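The point made in the reply above (behind a TLS/CDN endpoint, client.ip is the endpoint's own address, so the check has to use X-Forwarded-For from a proxy you trust), as an added Python example that is not code from the thread or from Varnish: the posted `client.ip ~ purge` logic beside a version that resolves the real client through the trusted proxy chain, generalized to several trusted hops. All addresses and ACL contents are constructed for the example.

```python
import ipaddress

# Constructed sample addresses, not from the thread: the purge ACL as an
# operator might have written it (including the CDN/TLS range, so the edge
# node itself is "allowed"), and the proxies whose X-Forwarded-For we trust.
PURGE_ACL = [ipaddress.ip_network("127.0.0.1/32"),
             ipaddress.ip_network("192.0.2.0/24"),      # admin network
             ipaddress.ip_network("198.51.100.0/24")]   # CDN / TLS endpoint
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]


def in_acl(ip, acl):
    """Equivalent of VCL's `ip ~ acl`: true when ip falls in any listed network."""
    return any(ip in net for net in acl)


def naive_allow(client_ip):
    """The tutorial check as posted: `client.ip ~ purge`. Behind a TLS/CDN
    endpoint, client.ip is the endpoint's own address, so this passes for
    every request the CDN forwards, whoever sent it."""
    return in_acl(ipaddress.ip_address(client_ip), PURGE_ACL)


def effective_client_ip(client_ip, xff):
    """Resolve the real requester. Start from the peer that connected
    (client.ip); while that peer is a trusted proxy, take the address it
    appended to X-Forwarded-For (proxies append, so walk right to left).
    A peer that is not a trusted proxy never gets to use XFF, which is what
    makes a client-supplied header harmless. Returns None on a malformed hop."""
    peer = ipaddress.ip_address(client_ip)
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    while hops and in_acl(peer, TRUSTED_PROXIES):
        try:
            peer = ipaddress.ip_address(hops.pop())
        except ValueError:
            return None  # unparsable hop: fail closed instead of trusting the proxy address
    return peer


def allow_purge(method, client_ip, xff=None):
    """Hardened decision: PURGE is allowed only if the effective client is in the ACL."""
    if method != "PURGE":
        return True  # non-purge requests are not subject to the ACL
    ip = effective_client_ip(client_ip, xff)
    return ip is not None and in_acl(ip, PURGE_ACL)


if __name__ == "__main__":
    # The symptom from the thread: an outside address purging through the CDN.
    print(naive_allow("198.51.100.10"))                          # True  (accepted)
    print(allow_purge("PURGE", "198.51.100.10", "203.0.113.7"))  # False (denied)
```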