Varnish extensions for SSO support

Sam Crawford samcrawford at
Sat Jan 23 22:13:23 CET 2010

Evening all,

I've been an avid Varnish user both personally and at work for a
couple of years now. At work we use it to cache content across our
global intranet, handling a few million requests per day. At present,
we have the following logical setup...

F5 GTM (GSLB device) > F5 load balancer > Varnish > In-house Java
Reverse Proxy > Backend applications (hundreds)

Varnish and the in-house reverse proxy reside on the same servers,
with varnish having a single backend pointing at the in-house reverse
proxy (the F5s handle failover between instances).

The in-house Java reverse proxy performs a range of functions,
including (but certainly not limited to):

* Authenticating/authorising users via our Single Sign On service
* Header injection to help backend applications identify users
* Catching cookies from backend applications and delivering a single
pointer cookie back to clients

I've been wondering if we could write some C extensions to Varnish to
remove the need for the Java reverse proxy. This would help flatten
the infrastructure and save on latency (which is pretty important for
us). The standard Varnish VCL capabilities would meet many of our
requirements, but for some functions we'd certainly need to write
extensions (such as making an out-of-band HTTP request to an SSO
server in order to validate an SSO cookie (which we'd also need to

Whilst I know it's technically feasible for us to do this, I was
wondering (a) if anyone is already doing something similar and (b) if
the community thinks I'm completely mad for evening thinking about
doing it :-)



More information about the varnish-misc mailing list