varnish with apache mod_auth

Andrei lagged at gmail.com
Fri Mar 17 08:43:29 CET 2017


Authenticated requests should typically bypass cache, unless you want to
hash the related session id(s), however that can get "interesting". I
suggest using an Apache module such as rpaf or remoteip in order for Apache
to set the client IP from the X-Forwarded-For header set by Varnish. This
way, you will not need to worry about whitelisting localhost, or other
cumbersome iptables rules, and your IP restrictions will work as intended.

On Fri, Mar 17, 2017 at 1:32 AM, Jason Price <japrice at gmail.com> wrote:

> I don't believe there's a trivial way to do this.
>
> Varnish will return the cached response to any IP address that comes
> calling.  Even if the first request comes from a valid IP, which gets
> passed through via X-Forward or similar, and mod_auth is tweaked to respond
> to that, any subsequent request will not be seen by either apache or
> mod_auth at all.
>
> You have a few options:
> 1) IP Whitelists are a rather poor means of authentication.  Moving to
> something else might be prudent.  But that's not easy.
> 2) There are probably VMODs that do something similar.  If not and if the
> list of IPs isn't too long, you could limit the IPs in VCL rather than
> mod_auth.
> 3) Push the list of IP addresses that can connect to the external port
> down to IPTables or similar.
> 4) Push the list of IP addresses to external Firewall, or Security Group
> or whatever.
>
>
>
> On Thu, Mar 16, 2017 at 5:46 PM, Hernán Marsili <hernan at cmsmedios.com>
> wrote:
>
>> Hi,
>>
>> We are having an issue with VARNISH and apache mod_auth. Varnish is on
>> port 80 serving users and Apache is the backend.
>>
>> We have servers restricting access only to authenticated users or certain
>> IP addresses. Since we installed Varnish the issue is that we need to
>> enable 127.0.0.1 as a permitted IP (required ip rule) so the Varnish can
>> fetch content. The problem is that the real IP is not used and all the
>> other rules do not apply.
>>
>> Bottom line, how can we still control who is requesting using MOD_AUTH
>> and having Varnish?
>>
>> Regards
>> Hernán.
>>
>> _______________________________________________
>> varnish-misc mailing list
>> varnish-misc at varnish-cache.org
>> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
>>
>
>
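A VCL sketch of the approach recommended above (Varnish forwarding the address it actually observed, authenticated requests going straight to Apache without touching the cache, and the IP list also enforced in VCL, which is Jason's option 2), as an added example that is not part of this thread or of the Varnish project's own configuration. The backend port, the /restricted/ path and the addresses in the acl are assumed, and the syntax is VCL 4.0:

```vcl
vcl 4.0;

# Assumed: Apache listening on 8080 on the same host.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

# Constructed example: addresses permitted to reach the IP-restricted area.
acl office {
    "192.0.2.0"/24;
    "198.51.100.7";
}

sub vcl_recv {
    # Overwrite, rather than append to, X-Forwarded-For so a client cannot
    # put its own addresses ahead of the one Varnish observed.
    set req.http.X-Forwarded-For = client.ip;

    # Authenticated requests (HTTP auth or a session cookie) are never served
    # from cache; they go to Apache, where mod_auth evaluates them.
    if (req.http.Authorization || req.http.Cookie) {
        return (pass);
    }

    # Hypothetical path of the IP-restricted area. Check the list here too,
    # so a copy cached for an allowed address is never handed to one outside
    # the acl, and do not cache it at all.
    if (req.url ~ "^/restricted/") {
        if (!(client.ip ~ office)) {
            return (synth(403, "Forbidden"));
        }
        return (pass);
    }
}
```

On the Apache 2.4 side, mod_remoteip restores the original address with `RemoteIPHeader X-Forwarded-For` and `RemoteIPInternalProxy 127.0.0.1`, after which the existing `Require ip` rules evaluate the real client and 127.0.0.1 no longer has to be permitted. Because Varnish overwrites X-Forwarded-For here instead of appending to it, any header the client sent is discarded; if you keep the builtin append instead, list only the Varnish address as an internal proxy, so that mod_remoteip, which walks the list from the right, stops at the first address it does not trust.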

