Varnish extensions for SSO support

Sam Crawford samcrawford at
Tue Jan 26 23:27:15 CET 2010

Hi Laurence,

Caching personalised content that uses cookies for identification is
already possible with a bit of VCL magic. But, this is cached based
upon a hash of their cookies, so if they open lots of browser sessions
(with different cookies), then you get multiple copies of the content
per user, which is a bad thing!

So yes, if we could effectively put an SSO agent (that could validate
tokens/tickets and extract the authenticated username) then you could
cache on a per user basis (which would also be a use case I'd be
interested in). Or, perhaps even more preferably, cached based upon a
group or role basis (providing that data was made available).

Anyway, I think I'm going to give this a shot. I'll probably start by
trying to write a simple agent that makes calls against Sun's OpenSSO
REST services (as that's where I have the most experience).



2010/1/26 Laurence Rowe <l at>:
> I keep meaning to look into mod_auth_tkt
> ( support for varnish.
> It should be fairly easy to implement with inline C and doing so would
> allow us to cache pages that require authorisation (by matching tokens
> in the signed cookie to tokens in an obj header.)  So in principle I
> think it's a good idea.
> Laurence
> 2010/1/26 Sam Crawford <samcrawford at>:
>> Any thoughts anyone? Good idea / bad idea?
>> Thanks,
>> Sam
>> 2010/1/23 Sam Crawford <samcrawford at>:
>>> Evening all,
>>> I've been an avid Varnish user both personally and at work for a
>>> couple of years now. At work we use it to cache content across our
>>> global intranet, handling a few million requests per day. At present,
>>> we have the following logical setup...
>>> F5 GTM (GSLB device) > F5 load balancer > Varnish > In-house Java
>>> Reverse Proxy > Backend applications (hundreds)
>>> Varnish and the in-house reverse proxy reside on the same servers,
>>> with varnish having a single backend pointing at the in-house reverse
>>> proxy (the F5s handle failover between instances).
>>> The in-house Java reverse proxy performs a range of functions,
>>> including (but certainly not limited to):
>>> * Authenticating/authorising users via our Single Sign On service
>>> * Header injection to help backend applications identify users
>>> * Catching cookies from backend applications and delivering a single
>>> pointer cookie back to clients
>>> I've been wondering if we could write some C extensions to Varnish to
>>> remove the need for the Java reverse proxy. This would help flatten
>>> the infrastructure and save on latency (which is pretty important for
>>> us). The standard Varnish VCL capabilities would meet many of our
>>> requirements, but for some functions we'd certainly need to write
>>> extensions (such as making an out-of-band HTTP request to an SSO
>>> server in order to validate an SSO cookie (which we'd also need to
>>> cache!)).
>>> Whilst I know it's technically feasible for us to do this, I was
>>> wondering (a) if anyone is already doing something similar and (b) if
>>> the community thinks I'm completely mad for evening thinking about
>>> doing it :-)
>>> Thanks,
>>> Sam
>> _______________________________________________
>> varnish-misc mailing list
>> varnish-misc at

More information about the varnish-misc mailing list