Varnish extensions for SSO support
Sam Crawford
samcrawford at gmail.com
Tue Jan 26 10:33:46 CET 2010
Any thoughts anyone? Good idea / bad idea?
Thanks,
Sam
2010/1/23 Sam Crawford <samcrawford at gmail.com>:
> Evening all,
>
> I've been an avid Varnish user both personally and at work for a
> couple of years now. At work we use it to cache content across our
> global intranet, handling a few million requests per day. At present,
> we have the following logical setup...
>
> F5 GTM (GSLB device) > F5 load balancer > Varnish > In-house Java
> Reverse Proxy > Backend applications (hundreds)
>
> Varnish and the in-house reverse proxy reside on the same servers,
> with varnish having a single backend pointing at the in-house reverse
> proxy (the F5s handle failover between instances).
>
> The in-house Java reverse proxy performs a range of functions,
> including (but certainly not limited to):
>
> * Authenticating/authorising users via our Single Sign On service
> * Header injection to help backend applications identify users
> * Catching cookies from backend applications and delivering a single
> pointer cookie back to clients
>
> I've been wondering if we could write some C extensions to Varnish to
> remove the need for the Java reverse proxy. This would help flatten
> the infrastructure and save on latency (which is pretty important for
> us). The standard Varnish VCL capabilities would meet many of our
> requirements, but for some functions we'd certainly need to write
> extensions (such as making an out-of-band HTTP request to an SSO
> server in order to validate an SSO cookie (which we'd also need to
> cache!)).
>
> Whilst I know it's technically feasible for us to do this, I was
> wondering (a) if anyone is already doing something similar and (b) if
> the community thinks I'm completely mad for evening thinking about
> doing it :-)
>
> Thanks,
>
> Sam
>
More information about the varnish-misc
mailing list