Named listen addresses in VCL
Dridi Boukelmoune
dridi at varni.sh
Mon Jul 4 18:01:11 CEST 2016
>>I don't understand, the use cases I'm suggesting are as "unsafe" as
>>relying on ACLs with either client.ip or server.ip.
>
> With your suggestion, any traffic coming through a particular
> listen address would be trusted, even if that traffic does not
> have anything to do on that particular subnet.
That's the point of providing the mechanism. If you trust your network
because you happen to have a trustworthy and competent team of network
engineers, why turn a networking problem into an application problem?
>>You have the same problem if anything matching one of your ACLs
>>trusted address is compromised.
>
> There is a big difference between hijacking the IP of a server in
> use, which is likely to trigger alarms, and being able to attack
> using any IP going in through a particular interface.
I don't see any difference between dealing with clunky VCL constructs
and using a label to achieve the same.
> Neither is watertight, but I don't see "convenience" as a valid argument
> for increasing the sizes of the holes.
The main goal is not *mere* convenience but actual decoupling between
the application layer and the networking nitty gritty. On my dev box
the "hitch" listen address might mean localhost:8888 while in
production the hitch server may be on a different host in front of a
Varnish cluster.
With named listen addresses I can write my VCL policy once and not
require changes between environments (dev, qa, prod...) instead of
using platform-dependent server.ip.
Dridi
More information about the varnish-dev
mailing list