Varnish extensions for SSO support

Laurence Rowe
Tue Jan 26 15:48:41 CET 2010

I keep meaning to look into mod_auth_tkt support for varnish.
It should be fairly easy to implement with inline C and doing so would
allow us to cache pages that require authorisation (by matching tokens
in the signed cookie to tokens in an obj header.)  So in principle I
think it's a good idea.


2010/1/26 Sam Crawford <samcrawford at>:
> Any thoughts anyone? Good idea / bad idea?
> Thanks,
> Sam
> 2010/1/23 Sam Crawford <samcrawford at>:
>> Evening all,
>> I've been an avid Varnish user both personally and at work for a
>> couple of years now. At work we use it to cache content across our
>> global intranet, handling a few million requests per day. At present,
>> we have the following logical setup...
>> F5 GTM (GSLB device) > F5 load balancer > Varnish > In-house Java
>> Reverse Proxy > Backend applications (hundreds)
>> Varnish and the in-house reverse proxy reside on the same servers,
>> with varnish having a single backend pointing at the in-house reverse
>> proxy (the F5s handle failover between instances).
>> The in-house Java reverse proxy performs a range of functions,
>> including (but certainly not limited to):
>> * Authenticating/authorising users via our Single Sign On service
>> * Header injection to help backend applications identify users
>> * Catching cookies from backend applications and delivering a single
>> pointer cookie back to clients
>> I've been wondering if we could write some C extensions to Varnish to
>> remove the need for the Java reverse proxy. This would help flatten
>> the infrastructure and save on latency (which is pretty important for
>> us). The standard Varnish VCL capabilities would meet many of our
>> requirements, but for some functions we'd certainly need to write
>> extensions (such as making an out-of-band HTTP request to an SSO
>> server in order to validate an SSO cookie (which we'd also need to
>> cache!)).
>> Whilst I know it's technically feasible for us to do this, I was
>> wondering (a) if anyone is already doing something similar and (b) if
>> the community thinks I'm completely mad for even thinking about
>> doing it :-)
>> Thanks,
>> Sam
> _______________________________________________
> varnish-misc mailing list
> varnish-misc at
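
Added example, not part of the original thread and not code from mod_auth_tkt or Varnish: the check described in the reply above (verify the signed ticket, then match its tokens against tokens recorded on the cached object), written in Python rather than inline C. Assumptions: the ticket uses mod_auth_tkt's default MD5 digest layout and is already base64-decoded, any one matching token is sufficient, the object's token list arrives as a comma-separated header value, and the secret, timeout and all function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-secret"  # constructed; the real one is shared with the SSO issuer
TIMEOUT = 7200                       # assumed ticket lifetime in seconds


def _digest(ip, ts, uid, tokens, data, secret):
    # Assumed default (MD5) layout: MD5(MD5(ip+ts+secret+uid\0tokens\0data) + secret)
    head = socket.inet_aton(ip) + struct.pack("!I", ts)
    inner = hashlib.md5(head + secret + uid + b"\0" + tokens + b"\0" + data).hexdigest()
    return hashlib.md5(inner.encode() + secret).hexdigest()


def make_ticket(ip, ts, uid, tokens=b"", data=b"", secret=SECRET):
    """Issuer side, present only to build constructed sample tickets."""
    body = uid + b"!" + (tokens + b"!" if tokens else b"") + data
    return _digest(ip, ts, uid, tokens, data, secret).encode() + b"%08x" % ts + body


def parse_ticket(ticket, ip, now, secret=SECRET):
    """Return (uid, token set) for a valid, unexpired ticket, else None."""
    uid, _, rest = ticket[40:].partition(b"!")
    tokens, sep, data = rest.partition(b"!")
    if not sep:                      # no token field: everything left is user data
        tokens, data = b"", rest
    try:
        ts = int(ticket[32:40], 16)
        expected = _digest(ip, ts, uid, tokens, data, secret).encode()
    except (ValueError, struct.error):
        return None                  # truncated ticket or malformed timestamp
    if not hmac.compare_digest(expected, ticket[:32]):
        return None                  # forged, modified, or bound to another client IP
    if not 0 <= now - ts <= TIMEOUT:
        return None                  # expired or future-dated
    return uid, set(tokens.split(b",")) - {b""}


def may_serve_cached(obj_tokens_header, ticket, ip, now):
    """Fail closed: serve only if the ticket holds a token the object lists."""
    parsed = parse_ticket(ticket, ip, now)
    required = {t.strip().encode() for t in obj_tokens_header.split(",") if t.strip()}
    return parsed is not None and bool(required & parsed[1])
```

An object with no token list is never served from cache by this check, so responses must be tagged when they are stored for the lookup to succeed.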