Varnish: the outlook and X-mas and all that.

Damien Wetzel dwetzel at
Tue Dec 5 12:56:18 CET 2006

Poul-Henning Kamp writes:

 > I am also looking for intelligent suggestions to how to handle
 > cookies and authentication in Varnish, if you have experience or
 > ideas in this space, mail me your thoughts.

Having worked for multiple CDN providers here are some ideas about how
to deal with cookies and authentication :
The URLs that matches Cookies or Authentication rules are staticaly
defined (regexp) in Varnish or could be dynamically advertized by the
origin server via a specific HTTP header.

1) COOKIE check presence mode:
check if the named cookie is present on the requests from the end user,
and make a request to the origin if the cookie is missing.
All headers provided with the request are passed on the origin.
Any Set-Cookie received is then added to the headers of the response
varnish is doing to the enduser.

2) Authentication mode
 If an URL matches this mode, then before serving the cached ressource,
 a GET or HEAD request is done to the origin, passing the headers of
 the request.
 if response is :
 200: Varnish delivers the cached object
 302: Varnish returns it to the end user who attempts to retrieve it
 401: varnish returns it to the end user.


 > -- 
 > Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
 > phk at FreeBSD.ORG         | TCP/IP since RFC 956
 > FreeBSD committer       | BSD since 4.3-tahoe
 > Never attribute to malice what can adequately be explained by incompetence.
 > _______________________________________________
 > varnish-misc mailing list
 > varnish-misc at

More information about the varnish-misc mailing list