purge ACL not being enforced
Chad Austin
chadaustin at outlook.com
Fri Apr 12 03:19:05 CEST 2013
Urg, can't believe I didn't figure this out originally... my Varnish server is behind a load balancer (LB), so it wasn't seeing the true IP of the client request; the purge ACL was being checked against the address of the LB's connection instead.
--
Chad
From: chadaustin at outlook.com
To: varnish-misc at varnish-cache.org
Subject: purge ACL not being enforced
Date: Thu, 11 Apr 2013 17:25:47 -0700
We're running 3.0.3 and our config is set up to enforce an ACL for purges, but I recently discovered that it has no effect - purges are successful regardless of the origin IP. The config is using the example from the documentation and I've been unable to determine why it's not working. Any help would be appreciated; VCL is below.
Thanks,
Chad
# Addresses allowed to issue PURGE; vcl_recv matches client.ip against this list.
# NOTE(review): 10.0.0.0/16 admits a whole internal range. Any proxy or load
# balancer inside it that relays requests to Varnish satisfies this ACL on
# behalf of every client it forwards. The follow-up in this thread traced the
# unenforced ACL to Varnish sitting behind a load balancer; presumably the
# balancer's address is in this range (confirm). Listing the individual purge
# hosts instead of the whole range keeps the relay out of the ACL.
acl purge {
"localhost";
"10.0.0.0"/16;
}
# Origin for the main site: vcl_recv selects it for Host values matching
# "somecompany.com(:[0-9]+)?$".
# NOTE(review): this and ecommerce_ext are reached over plain HTTP on port 80;
# if that path crosses a network you do not control, the traffic can be read
# or altered in transit. Confirm where these addresses live.
backend sc {
.host = "39.22.194.41";
.port = "80";
}
# Origin for static content: vcl_recv selects it for Host values matching
# "static.(.*\.)?somecompany.com".
backend scstatic {
.host = "10.0.2.109";
.port = "80";
}
# Origin for the e-commerce static host: vcl_recv selects it when Host is
# exactly "static.pub-ecommerce.somecompany.com".
backend ecommerce_ext {
.host = "39.22.194.40";
.port = "80";
}
# Request entry point: filters methods, gates PURGE on the "purge" ACL,
# answers the status URL, strips cookies, picks a backend from the Host
# header and sends everything that is left to cache lookup.
# Every path through this sub ends in return or error, so Varnish's built-in
# vcl_recv logic is never reached.
sub vcl_recv {
# Methods outside this list are handed to the backend via pipe.
if (req.request != "GET" &&
req.request != "HEAD" &&
req.request != "PUT" &&
req.request != "POST" &&
req.request != "TRACE" &&
req.request != "OPTIONS" &&
req.request != "PURGE" &&
req.request != "DELETE") {
/* Non-RFC2616 or CONNECT which is weird. */
return (pipe);
}
# PURGE is allowed only when the connecting address matches the purge ACL.
# client.ip is the address of the peer that opened the connection to
# Varnish. The follow-up in this thread found that, behind a load balancer,
# Varnish does not see the requesting client's address, so this check did
# not restrict purges by origin.
# NOTE(review): presumably the balancer's own address falls inside the ACL's
# 10.0.0.0/16 range, which makes every relayed PURGE pass; confirm.
# Mitigations to consider: reject PURGE at the balancer, or accept it only
# on a listener the balancer does not front. A forwarded-address header is
# only usable for this decision if the balancer overwrites whatever value
# the client supplied.
if (req.request == "PURGE") {
if (!client.ip ~ purge) {
error 405 "Not allowed.";
}
} else if (req.request != "GET" && req.request != "HEAD") {
/* We only deal with GET and HEAD by default */
# PUT, POST, TRACE, OPTIONS and DELETE are answered with a synthetic 500
# here; the pass alternative below is disabled.
#return (pass);
error 500 "Unknown method.";
}
# NOTE(review): with this guard disabled, a request carrying an Authorization
# header continues to return (lookup) below, so its response can be stored
# and served to other clients. Confirm that no backend behind this cache
# answers differently for authenticated requests.
#if (req.http.Authorization || req.http.Cookie) {
# /* Not cacheable by default */
# return (pass);
#}
# Synthetic 200 for the status URL, answered without contacting a backend.
if (req.url == "/sc_status.php") {
error 200 "okay.";
}
# Strips the Cookie header from every request that reaches this point, not
# only requests for the static hosts.
unset req.http.Cookie;
# Backend selection by Host header; the header is rewritten to the name
# sent to the chosen backend.
# NOTE(review): the two patterns below leave "." unescaped and are not
# anchored at the start, so names that merely contain or end with the text
# "somecompany.com" are routed as well. Consider escaping the dots and
# anchoring both ends.
if (req.http.Host == "static.pub-ecommerce.somecompany.com") {
set req.backend = ecommerce_ext;
set req.http.Host = "pub-ecommerce.somecompany.com";
} else if (req.http.Host ~ "static.(.*\.)?somecompany.com") {
set req.backend = scstatic;
set req.http.Host = "www.somecompany.com";
} else if (req.http.Host ~ "somecompany.com(:[0-9]+)?$") {
set req.backend = sc;
set req.http.Host = "www.somecompany.com";
} else {
error 404 "Unknown virtual host.";
}
# GET, HEAD and permitted PURGE requests all go to lookup; vcl_hit and
# vcl_miss carry out the purge itself.
return (lookup);
}
# Runs after a response has been fetched from the backend.
sub vcl_fetch {
    # Set-Cookie is removed from every backend response, so nothing fetched
    # through this cache can set a cookie on the client.
    unset beresp.http.Set-Cookie;

    # Error responses, client (4xx) and server (5xx) alike, get a 30 second
    # TTL. Other statuses keep whatever TTL was already set on beresp.
    # NOTE(review): this range includes 401 and 403, and vcl_recv does not
    # bypass the cache for requests with an Authorization header; confirm
    # that serving a cached error to other clients is intended.
    if (beresp.status >= 400 && beresp.status < 600) {
        set beresp.ttl = 30s;
    }
}
# Adds an X-Backend header to every response sent to the client.
# NOTE(review): server.identity identifies this Varnish instance, not the
# backend that produced the response, so the header name may mislead. It also
# discloses an internal identifier to every client; confirm that is intended
# or drop the header on the public side.
sub vcl_deliver {
set resp.http.X-Backend = server.identity;
}
# Cache hit: for a PURGE request, purge the cached object and answer with a
# synthetic 200.
# No access check is made here; the only gate is the ACL test in vcl_recv, so
# any PURGE that passes it is honoured.
sub vcl_hit {
if (req.request == "PURGE") {
purge;
error 200 "Purged HIT.";
}
}
# Cache miss: a PURGE request still issues purge and is answered with a
# synthetic 200 rather than being fetched from the backend.
# No access check is made here; the only gate is the ACL test in vcl_recv.
sub vcl_miss {
if (req.request == "PURGE") {
purge;
error 200 "Purged MISS.";
}
}