Varnish extensions for SSO support

Laurence Rowe l at lrowe.co.uk
Tue Jan 26 15:48:41 CET 2010


I keep meaning to look into mod_auth_tkt
(http://www.openfusion.com.au/labs/mod_auth_tkt/) support for varnish.
It should be fairly easy to implement with inline C and doing so would
allow us to cache pages that require authorisation (by matching tokens
in the signed cookie to tokens in an obj header.)  So in principle I
think it's a good idea.

Laurence

2010/1/26 Sam Crawford <samcrawford at gmail.com>:
> Any thoughts anyone? Good idea / bad idea?
>
> Thanks,
>
> Sam
>
>
> 2010/1/23 Sam Crawford <samcrawford at gmail.com>:
>> Evening all,
>>
>> I've been an avid Varnish user both personally and at work for a
>> couple of years now. At work we use it to cache content across our
>> global intranet, handling a few million requests per day. At present,
>> we have the following logical setup...
>>
>> F5 GTM (GSLB device) > F5 load balancer > Varnish > In-house Java
>> Reverse Proxy > Backend applications (hundreds)
>>
>> Varnish and the in-house reverse proxy reside on the same servers,
>> with varnish having a single backend pointing at the in-house reverse
>> proxy (the F5s handle failover between instances).
>>
>> The in-house Java reverse proxy performs a range of functions,
>> including (but certainly not limited to):
>>
>> * Authenticating/authorising users via our Single Sign On service
>> * Header injection to help backend applications identify users
>> * Catching cookies from backend applications and delivering a single
>> pointer cookie back to clients
>>
>> I've been wondering if we could write some C extensions to Varnish to
>> remove the need for the Java reverse proxy. This would help flatten
>> the infrastructure and save on latency (which is pretty important for
>> us). The standard Varnish VCL capabilities would meet many of our
>> requirements, but for some functions we'd certainly need to write
>> extensions (such as making an out-of-band HTTP request to an SSO
>> server in order to validate an SSO cookie (which we'd also need to
>> cache!)).
>>
>> Whilst I know it's technically feasible for us to do this, I was
>> wondering (a) if anyone is already doing something similar and (b) if
>> the community thinks I'm completely mad for even thinking about
>> doing it :-)
>>
>> Thanks,
>>
>> Sam
>>
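Laurence's suggestion above is to validate the signed SSO cookie at the cache and compare the tokens it carries with tokens the backend puts in an object header, so authorised pages can be served from cache without a round-trip to the SSO server. The following is an added example, not code from either poster or from Varnish or mod_auth_tkt; it models that check in Python rather than in VCL/inline C. The ticket layout and two-round MD5 digest are modelled on mod_auth_tkt's documented format (verify the digest details against the project's own documentation before relying on them); the shared secret, the `X-Auth-Tokens` header name, the two-hour timeout and the "client needs any one of the required tokens" rule are assumptions chosen for the example.

```python
"""Ticket checks a cache-side mod_auth_tkt verifier would perform.

Constructed example: validates a signed SSO cookie (ip-bound, timestamped,
digest-protected) and matches its tokens against a per-object header so a
cached, authorisation-protected page can be released to the right users.
"""
import hashlib
import hmac
import struct

# Assumption: secret shared with the SSO ticket issuer (TKTAuthSecret).
SECRET = "constructed-shared-secret"
TICKET_TIMEOUT = 2 * 60 * 60  # assumed policy: tickets live two hours


def _pack_ip_ts(ip, ts):
    """Pack the four IPv4 octets and a 32-bit timestamp (big-endian)."""
    octets = [int(o) for o in ip.split(".")]
    return struct.pack("!4B", *octets) + struct.pack("!L", ts)


def _digest(ip, ts, user, tokens, data, secret):
    """Two MD5 rounds: md5(md5(ip+ts+secret+user\\0tokens\\0data)+secret)."""
    inner = hashlib.md5(
        _pack_ip_ts(ip, ts) + secret.encode() + user.encode()
        + b"\0" + tokens.encode() + b"\0" + data.encode()
    ).hexdigest()
    return hashlib.md5((inner + secret).encode()).hexdigest()


def make_ticket(ip, ts, user, tokens="", data="", secret=SECRET):
    """Issue a ticket: 32 hex digest, 8 hex timestamp, then user!tokens!data."""
    return "%s%08x%s!%s!%s" % (_digest(ip, ts, user, tokens, data, secret),
                               ts, user, tokens, data)


def parse_ticket(ticket):
    """Split a ticket into fields; returns None if the layout is wrong."""
    if len(ticket) < 41:
        return None
    digest, ts_hex, rest = ticket[:32], ticket[32:40], ticket[40:]
    try:
        ts = int(ts_hex, 16)
    except ValueError:
        return None
    parts = rest.split("!", 2)
    if len(parts) == 3:
        user, tokens, data = parts
    elif len(parts) == 2:  # no tokens field: user!data
        user, data = parts
        tokens = ""
    else:
        return None
    return {"digest": digest, "ts": ts, "user": user,
            "tokens": tokens, "data": data}


def verify_ticket(ticket, client_ip, now, secret=SECRET, timeout=TICKET_TIMEOUT):
    """Return the parsed fields if digest, IP binding and age all check out."""
    fields = parse_ticket(ticket)
    if fields is None:
        return None
    expected = _digest(client_ip, fields["ts"], fields["user"],
                       fields["tokens"], fields["data"], secret)
    # Constant-time comparison of the digest.
    if not hmac.compare_digest(expected, fields["digest"]):
        return None
    if fields["ts"] > now or now - fields["ts"] > timeout:
        return None
    return fields


def can_serve_cached(ticket, client_ip, now, obj_tokens_header):
    """Decide whether a cached object may be released to this client.

    obj_tokens_header is the value of the assumed X-Auth-Tokens header the
    backend sets on the object (comma-separated). The client must hold any
    one of those tokens; an empty header means a valid login is enough.
    """
    fields = verify_ticket(ticket, client_ip, now)
    if fields is None:
        return False, "invalid ticket"
    required = {t.strip() for t in obj_tokens_header.split(",") if t.strip()}
    held = {t.strip() for t in fields["tokens"].split(",") if t.strip()}
    if required and not (required & held):
        return False, "token mismatch for %s" % fields["user"]
    return True, "ok %s" % fields["user"]


if __name__ == "__main__":
    now = 1264520000  # constructed "current time"
    tkt = make_ticket("10.1.2.3", now - 60, "sam", "intranet,finance")
    print(can_serve_cached(tkt, "10.1.2.3", now, "finance"))
    print(can_serve_cached(tkt, "10.1.2.3", now, "admin"))
```

In a real deployment the cache would run `verify_ticket` in the receive step and `can_serve_cached` on hit, with the backend's token header stripped before delivery so it never reaches the client; a lookup failure falls through to the SSO path the reverse proxy handles today.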
