vcl_hash authentication questions

Laurence Rowe l at
Mon Oct 4 13:07:20 CEST 2010

On 4 October 2010 09:37, Tollef Fog Heen <tfheen at> wrote:
> ]] Ron van der Vegt
> | What do you suggest? Are there other approaches that fit the use-case? How did
> | or would you solve this problem with Varnish?
> I'd set a cookie on the backend, sign it using a HMAC, include an expiry
> time in the cookie value and validate the HMAC signature + expiry value
> using inline C in Varnish.  I don't think there are any examples of this,
> but it shouldn't be that hard to write something.

This sounds similar to the mod_auth_tkt scheme - - although this is C
code it relies heavily on the Apache libraries and as such does not
look trivial to convert to inline C code in Varnish.

I implemented an HMAC SHA-256 variant of mod_auth_tkt in plone.session
- - see for the
Python code that generates and validates these cookies (usable outside
of Plone).

I think this is your best route, and I would certainly find it
interesting to see one of these authentication schemes implemented for
Varnish. You could then do token based authorization in vcl_deliver,
checking that the user has one of the tokens listed in a response

Also take a look at the varnish-dev list. Nils Goroll has been working
on "Digests and data encoding in Varnish" and there is considerable
overlap there.
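
The scheme discussed in this thread (a backend-issued cookie carrying an expiry time, signed with HMAC-SHA256, validated before a token check), shown in Python as an added example. It is not code from plone.session, mod_auth_tkt or Varnish; the cookie layout, the demo key and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # constructed; use a random shared key


def _mac(payload, secret):
    return hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()


def make_cookie(user, tokens, ttl, secret=SECRET, now=None):
    """Backend side: issue b64(expiry|user|tokens) + '.' + hex HMAC-SHA256."""
    if any(c in f for f in (user, *tokens) for c in "|,"):
        raise ValueError("field contains a delimiter")
    expiry = int(time.time() if now is None else now) + ttl
    fields = f"{expiry}|{user}|{','.join(tokens)}".encode()
    payload = base64.urlsafe_b64encode(fields)
    return f"{payload.decode()}.{_mac(payload, secret).decode()}"


def validate_cookie(cookie, secret=SECRET, now=None):
    """Validator side: return (user, tokens), or None if forged or expired."""
    payload, sep, sig = cookie.rpartition(".")
    if not sep:
        return None
    # Check the MAC before parsing the payload, comparing in constant time.
    if not hmac.compare_digest(_mac(payload.encode(), secret), sig.encode()):
        return None
    try:
        expiry, user, tokens = base64.urlsafe_b64decode(payload).decode().split("|")
        expiry = int(expiry)
    except ValueError:
        return None
    if expiry <= (time.time() if now is None else now):
        return None
    return user, set(filter(None, tokens.split(",")))


def authorized(cookie, required, secret=SECRET, now=None):
    """Token check: the user must hold one of the tokens the response lists."""
    session = validate_cookie(cookie, secret, now)
    return session is not None and bool(session[1] & set(required))
```

The expiry sits inside the signed payload, so a client cannot extend its own session without invalidating the MAC.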

