purge ACL not being enforced

Chad Austin chadaustin at outlook.com
Fri Apr 12 02:25:47 CEST 2013




We're running 3.0.3 and our config is set up to enforce an ACL for purges, but I recently discovered that it has no effect - purges are successful regardless of the origin IP. The config is using the example from the documentation and I've been unable to determine why it's not working. Any help would be appreciated; VCL is below.

Thanks,
Chad

# Addresses allowed to issue PURGE (checked against client.ip in vcl_recv).
# NOTE(review): client.ip is the address of the TCP peer. If requests reach
# Varnish through a load balancer or proxy that itself sits in 10.0.0.0/16
# or on localhost (topology not shown here -- confirm), every request
# matches this ACL and the check in vcl_recv never rejects anything.
acl purge {
    "localhost";
    # Whole internal /16; the scstatic backend (10.0.2.109) is in this range too.
    "10.0.0.0"/16;
}

# Origin for the main site; selected in vcl_recv for *somecompany.com hosts.
backend sc {
        .host = "39.22.194.41";
        .port = "80";
}

# Origin for static.* hosts; address is inside the 10.0.0.0/16 purge ACL range.
backend scstatic {
    .host = "10.0.2.109";
    .port = "80";
}

# Origin for static.pub-ecommerce.somecompany.com.
backend ecommerce_ext {
    .host = "39.22.194.40";
    .port = "80";
}

# Request entry point: filters methods, gates PURGE on the purge ACL,
# strips cookies, picks a backend from the Host header and does a cache
# lookup. PURGE requests that pass the ACL check fall through to
# return (lookup), so the purge itself happens in vcl_hit / vcl_miss.
sub vcl_recv {

        # PURGE is listed here so it is handled below instead of being piped.
        if (req.request != "GET" &&
          req.request != "HEAD" &&
          req.request != "PUT" &&
          req.request != "POST" &&
          req.request != "TRACE" &&
          req.request != "OPTIONS" &&
          req.request != "PURGE" &&
          req.request != "DELETE") {
                /* Non-RFC2616 or CONNECT which is weird. */
                return (pipe);
        }

    # This is the only place the purge ACL is consulted: reject PURGE unless
    # the peer address matches it.
    # NOTE(review): client.ip is the directly connected peer, not the
    # original client. Behind a proxy/load balancer in the ACL range the
    # test always passes; compare the client address varnishlog records for
    # a PURGE request with the ACL to confirm. If the real client address
    # is taken from X-Forwarded-For instead, it is only trustworthy when
    # the fronting proxy overwrites that header.
    if (req.request == "PURGE") {
        if (!client.ip ~ purge) {
            error 405 "Not allowed.";
        }
    } else if (req.request != "GET" && req.request != "HEAD") {
                /* We only deal with GET and HEAD by default */
                # PUT/POST/TRACE/OPTIONS/DELETE are refused here rather than passed.
                #return (pass);
                error 500 "Unknown method.";
        }
        #if (req.http.Authorization || req.http.Cookie) {
        #       /* Not cacheable by default */
        #       return (pass);
        #}

    # Health-check URL answered by Varnish itself, for any Host and any client.
    if (req.url == "/sc_status.php") {
        error 200 "okay.";    
    }

    # remove cookies for all static content
    # (unconditional: every request that reaches this point loses its Cookie header)
    unset req.http.Cookie;

    # Backend selection by Host; Host is then rewritten to a fixed value.
    # NOTE(review): the dots in the two patterns below are unescaped and the
    # patterns are not anchored at the start, so they also match Host values
    # that merely contain these strings. Anchoring and escaping would limit
    # routing to the intended names.
    if (req.http.Host == "static.pub-ecommerce.somecompany.com") {
        set req.backend = ecommerce_ext;
        set req.http.Host = "pub-ecommerce.somecompany.com";
    } else if (req.http.Host ~ "static.(.*\.)?somecompany.com") {
        set req.backend = scstatic;
        set req.http.Host = "www.somecompany.com";
    } else if (req.http.Host ~ "somecompany.com(:[0-9]+)?$") {
                set req.backend = sc;
                set req.http.Host = "www.somecompany.com";
    } else {
                error 404 "Unknown virtual host.";
        }

        return (lookup);
}

# Backend response handling: drops Set-Cookie from every response and
# shortens the TTL of error responses.
sub vcl_fetch {
        # Unconditional, matching the Cookie removal in vcl_recv.
        # NOTE(review): with cookies stripped both ways, any per-user response
        # served through this cache would be stored and shared -- confirm that
        # only static content is routed here.
        unset beresp.http.Set-Cookie;
    
    # cache 4xx and 5xx responses for 30 seconds
    # (both branches set the same TTL)
    if (beresp.status >= 400 && beresp.status < 500) {
        set beresp.ttl = 30s;
    } else if (beresp.status >=500 && beresp.status < 600) {
        set beresp.ttl = 30s;
    }
}

# Adds an X-Backend response header carrying server.identity.
# NOTE(review): this header is sent to every client, so it discloses the
# cache instance's identity externally; strip it at the edge if it is
# only needed for internal debugging.
sub vcl_deliver {
    set resp.http.X-Backend = server.identity;
}

# Cache hit: for PURGE, purge the object and answer 200.
# No ACL check is made here; authorization rests entirely on the
# client.ip test in vcl_recv.
sub vcl_hit {
    if (req.request == "PURGE") {
        purge;
        error 200 "Purged HIT.";
    }
}

# Cache miss: for PURGE, still issue the purge and answer 200.
# No ACL check is made here; authorization rests entirely on the
# client.ip test in vcl_recv.
sub vcl_miss {
    if (req.request == "PURGE") {
        purge;
        error 200 "Purged MISS.";
    }
}


 		 	   		  