vcl_hash authentication questions

Laurence Rowe l at lrowe.co.uk
Mon Oct 4 13:07:20 CEST 2010


On 4 October 2010 09:37, Tollef Fog Heen <tfheen at varnish-software.com> wrote:
> ]] Ron van der Vegt
>
> | What do you suggest? Are there other approaches that fit the use-case? How did
> | or would you solve this problem with Varnish?
>
> I'd set a cookie on the backend, sign it using an HMAC, include an expiry
> time in the cookie value and validate the HMAC signature + expiry value
> using inline C in Varnish.  I don't think there are any examples of this,
> but it shouldn't be that hard to write something.

This sounds similar to the mod_auth_tkt scheme -
http://www.openfusion.com.au/labs/mod_auth_tkt/ - although this is C
code, it relies heavily on the Apache libraries and as such does not
look trivial to convert to inline C code in Varnish.

I implemented an HMAC SHA-256 variant of mod_auth_tkt in plone.session
- http://pypi.python.org/pypi/plone.session - see tktauth.py for the
Python code that generates and validates these cookies (usable outside
of Plone): http://dev.plone.org/plone/browser/plone.session/trunk/plone/session/tktauth.py

I think this is your best route, and I would certainly find it
interesting to see one of these authentication schemes implemented for
Varnish. You could then do token based authorization in vcl_deliver,
checking that the user has one of the tokens listed in a response
header.

Also take a look at the varnish-dev list. Nils Goroll has been working
on "Digests and data encoding in Varnish" and there is considerable
overlap there.

Laurence
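The scheme discussed in this thread (an HMAC-signed cookie carrying an expiry, validated at the cache, then a token check against a response header in vcl_deliver) as an added Python example. This is not the code from tktauth.py or mod_auth_tkt and uses its own constructed cookie layout and demo secret; the `authorize` function stands in for the vcl_deliver-side check.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Constructed demo key; in practice the backend and Varnish share a long random secret.
SECRET = b"constructed-demo-secret-not-for-production"

def make_ticket(user_id, tokens, expires_at, secret=SECRET):
    """Backend side: build 'base64(user:tok1,tok2:expiry).hexsig' for a Set-Cookie."""
    if ":" in user_id or any(":" in t or "," in t for t in tokens):
        raise ValueError("user id and tokens must not contain ':' or ','")
    payload = f"{user_id}:{','.join(tokens)}:{int(expires_at)}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig

def validate_ticket(ticket, secret=SECRET, now=None):
    """Cache side: return (user_id, tokens) if the MAC and expiry hold, else None."""
    now = time.time() if now is None else now
    try:
        b64, sig = ticket.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        user_id, token_str, expires = payload.decode().split(":")
        expires = int(expires)
    except (UnicodeDecodeError, ValueError):
        return None
    if now >= expires:  # expired tickets are rejected even with a valid MAC
        return None
    return user_id, token_str.split(",") if token_str else []

def authorize(ticket, required_header, secret=SECRET, now=None):
    """vcl_deliver-style check: the user must hold one token named in the header."""
    result = validate_ticket(ticket, secret, now)
    if result is None:
        return False
    _, tokens = result
    required = {t.strip() for t in required_header.split(",") if t.strip()}
    return bool(required & set(tokens))
```

Because only the MAC and the expiry are checked, the cache never needs a session store; revocation before expiry requires rotating the secret or keeping the lifetime short.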
