Issues restricting HTTP purges based on an ACL
Andrew Langhorn
andrew.langhorn at digital.cabinet-office.gov.uk
Wed Feb 26 17:13:22 CET 2014
Hi Per,
Yes - our CDN currently runs 2.1. I've tried Thomas' suggestion out, and
I'm still able to purge from an IP I shouldn't be able to...
Andrew
On 26 February 2014 15:57, Per Buer <perbu at varnish-software.com> wrote:
> Hi,
>
> You're on 2.1. That's ancient and I would not recommend running it. !~ was
> introduced in 3.0. Try the suggestion from Thomas if you must stay on 2.1.
>
>
> if (req.request == "PURGE") {
>     if (client.ip ~ purge) {
>         return (lookup);
>     }
>     error 403 "Forbidden";
> }
>
> Per.
>
>
> On Wed, Feb 26, 2014 at 4:46 PM, Andrew Langhorn <
> andrew.langhorn at digital.cabinet-office.gov.uk> wrote:
>
>> The VCC compiler doesn't like that syntax, I'm afraid, Per.
>>
>>
>>
>>
>> Message from VCC-compiler:
>> Invalid condition '!~' on IP number variable
>> only '==', '!=' and '~' are legal
>> (input Line 121 Pos 21)
>> if (client.ip !~ purge) {
>> --------------------##---------
>> Running VCC-compiler failed, exit 1
>> VCL compilation failed
>>
>>
>>
>> On 26 February 2014 15:39, Andrew Langhorn <
>> andrew.langhorn at digital.cabinet-office.gov.uk> wrote:
>>
>>> Thanks Per. I'll give that a go.
>>> I was using a tutorial at
>>> https://www.varnish-cache.org/docs/2.1/tutorial/purging.html - maybe
>>> that needs to be updated if it's wrong?
>>>
>>> I'll let you all know how I get on.
>>>
>>>
>>> On 26 February 2014 15:33, Per Buer <perbu at varnish-software.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I see quite a lot of answers but for some reason no one has noticed the
>>>> obvious error here. :-)
>>>>
>>>> On Tue, Feb 25, 2014 at 5:31 PM, Andrew Langhorn <
>>>> andrew.langhorn at digital.cabinet-office.gov.uk> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>>
>>>>> The section that Varnish seems to trip up on is:
>>>>>
>>>>> if (req.request == "PURGE") {
>>>>>     if (!client.ip ~ purge) {
>>>>>         error 403 "Forbidden";
>>>>>     }
>>>>>     return (lookup);
>>>>> }
>>>>>
>>>>
>>>> What I'm guessing you are trying to say is
>>>>     if (client.ip !~ purge) {
>>>>         error 403 "Forbidden";
>>>>     }
>>>>
>>>> "!client.ip" doesn't make sense in my book as client.ip isn't boolean.
>>>>
>>>>
>>>> --
>>>> <http://www.varnish-software.com/> *Per Buer*
>>>> CTO | Varnish Software
>>>> Phone: +47 958 39 117 | Skype: per.buer
>>>> We Make Websites Fly!
>>>>
>>>> Winner of the Red Herring Top 100 Global Award 2013
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Kind regards,
>>>
>>> Andrew Langhorn
>>> Web Operations
>>> Government Digital Service
>>>
>>> e: andrew.langhorn at digital.cabinet-office.gov.uk
>>> t: +44 (0)7810 737375
>>> a: 6th Floor, Aviation House, 125 Kingsway, London, WC2B 6NH
>>>
>>
>>
>>
>>
>
>
>
--
Kind regards,
Andrew Langhorn
Web Operations
Government Digital Service
e: andrew.langhorn at digital.cabinet-office.gov.uk
t: +44 (0)7810 737375
a: 6th Floor, Aviation House, 125 Kingsway, London, WC2B 6NH
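Added example, not part of the thread and not the poster's or Varnish Software's configuration: a complete Varnish 2.1 purge restriction built around the positive-match form from Per's reply, which avoids the `!~` operator that 2.1 rejects. The ACL name `purge` comes from the thread; the addresses are placeholders and the `vcl_hit`/`vcl_miss` handlers and their status codes are assumptions.

```vcl
# Added example for Varnish 2.1 (assumed layout, placeholder addresses).
acl purge {
    "localhost";
    "192.0.2.10";    # placeholder: the one remote host allowed to purge
}

sub vcl_recv {
    if (req.request == "PURGE") {
        # 2.1 accepts only ==, != and ~ on IP variables, so match
        # positively and let every other client fall through to the 403.
        #
        # client.ip is the address of the TCP peer that connected to
        # Varnish. If a proxy or load balancer in front of Varnish is
        # listed in the ACL, every request it forwards will match.
        if (client.ip ~ purge) {
            return (lookup);
        }
        error 403 "Forbidden";
    }
}

sub vcl_hit {
    if (req.request == "PURGE") {
        # Expire the cached object, then answer the purge request.
        set obj.ttl = 0s;
        error 200 "Purged";
    }
}

sub vcl_miss {
    if (req.request == "PURGE") {
        # Nothing cached under this URL; report it rather than fetch.
        error 404 "Not in cache";
    }
}
```

To check the restriction, send `curl -s -o /dev/null -w '%{http_code}\n' -X PURGE http://<varnish-host>/` from a host outside the ACL and confirm the response is 403, then repeat from an allowed host and expect 200 or 404.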