Varnish jails, priv-sep, packaging etc.
Rogier 'DocWilco' Mulhuijzen
varnish at bsdchicks.com
Wed Apr 15 18:20:25 CEST 2015
On Wed, Apr 15, 2015 at 6:18 AM Poul-Henning Kamp <phk at phk.freebsd.dk>
> That would make gid=varnish the general restrictor for acces, such that
> it could also be used for VCL files etc.
Yup, I think it's a very reasonable yet safe restriction.
> You can put the secret file wherever you like (and have as many copies
> as you like) this is only about when people do not give a -S.
> I think keeping it in the -n directory makes sense, and giving it the
> same privs (uid/gid) as varnishd was started with is a good place to start.
Yeah, I was thinking it might work well as a default, but if we go with
gid=varnish being needed for the tools, scratch making the default
So 640 + vadmin:varnish ? (_.vsm)
That would be consistent, but what does everybody else say ?
Quite. Anyone? :)
Dridi's suggestion of "vcache" is better than my "vrun".
I agree. It's way more recognizable as being varnish related than "vrun" or
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the varnish-dev