Issues restricting HTTP purges based on an ACL

Thomas Lecomte thomas.lecomte at virtual-expo.com
Wed Feb 26 16:12:35 CET 2014


On Tue, Feb 25, 2014 at 04:31:34PM +0000, Andrew Langhorn wrote:
> The section that Varnish seems to trip up on is:
> 
>   if (req.request == "PURGE" ) {
>      if (!client.ip ~ purge) {
>         error 403 "Forbidden";
>      }
>      return (lookup);
>   }
> 
> When trying to purge the cache via the API from an IP outside of the ACL,
> it is still accepted and purged. The second line of this block - if
> (!client.ip ~ purge) { - seems to be the logic that isn't accepted
> properly. I thought that including the bang outside of the brackets might
> fix the issue, but it doesn't.

Hello,

Have you tried doing it the other way?

i.e.:

   if (req.request == "PURGE" ) {
      if (client.ip ~ purge) {
         return (lookup);
      }
      error 403 "Forbidden";
   }


Regards,

-- 
Thomas Lecomte / +33 4 86 13 48 65
Sysadmin / Virtual Expo / Marseille
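
An added example, not part of the original message or of the poster's configuration: a complete Varnish 3 purge setup built around the positive-match form suggested above, including the ACL definition and the `vcl_hit`/`vcl_miss` handlers that the quoted fragment relies on. The ACL entries and the response texts in `vcl_hit`/`vcl_miss` are constructed placeholders.

```vcl
# Varnish 3.x syntax, matching the req.request / error usage in the thread.

# Addresses allowed to purge (constructed sample values).
acl purge {
    "localhost";
    "192.0.2.0"/24;
}

sub vcl_recv {
    if (req.request == "PURGE") {
        # Allow only on an explicit ACL match; every other path is denied.
        # Note: client.ip is the address of the peer connected to Varnish.
        # Behind a load balancer or TLS terminator that is the proxy's
        # address, so listing the proxy in the ACL admits every purge
        # request that arrives through it.
        if (client.ip ~ purge) {
            return (lookup);
        }
        error 403 "Forbidden";
    }
}

sub vcl_hit {
    if (req.request == "PURGE") {
        # Object is cached: drop it and report success.
        purge;
        error 200 "Purged";
    }
}

sub vcl_miss {
    if (req.request == "PURGE") {
        # Nothing cached under this hash; purge clears any variants.
        purge;
        error 404 "Not in cache";
    }
}
```

Logging `client.ip` for a rejected and an accepted PURGE shows which address the ACL is actually being compared against.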


