Varnish extensions for SSO support

Sam Crawford samcrawford at
Tue Jan 26 10:33:46 CET 2010

Any thoughts anyone? Good idea / bad idea?



2010/1/23 Sam Crawford <samcrawford at>:
> Evening all,
> I've been an avid Varnish user both personally and at work for a
> couple of years now. At work we use it to cache content across our
> global intranet, handling a few million requests per day. At present,
> we have the following logical setup...
> F5 GTM (GSLB device) > F5 load balancer > Varnish > In-house Java
> Reverse Proxy > Backend applications (hundreds)
> Varnish and the in-house reverse proxy reside on the same servers,
> with varnish having a single backend pointing at the in-house reverse
> proxy (the F5s handle failover between instances).
> The in-house Java reverse proxy performs a range of functions,
> including (but certainly not limited to):
> * Authenticating/authorising users via our Single Sign On service
> * Header injection to help backend applications identify users
> * Catching cookies from backend applications and delivering a single
> pointer cookie back to clients
> I've been wondering if we could write some C extensions to Varnish to
> remove the need for the Java reverse proxy. This would help flatten
> the infrastructure and save on latency (which is pretty important for
> us). The standard Varnish VCL capabilities would meet many of our
> requirements, but for some functions we'd certainly need to write
> extensions (such as making an out-of-band HTTP request to an SSO
> server in order to validate an SSO cookie (which we'd also need to
> cache!)).
> Whilst I know it's technically feasible for us to do this, I was
> wondering (a) if anyone is already doing something similar and (b) if
> the community thinks I'm completely mad for evening thinking about
> doing it :-)
> Thanks,
> Sam

More information about the varnish-misc mailing list