purge ACL not being enforced

Chad Austin chadaustin at outlook.com
Fri Apr 12 03:19:05 CEST 2013


Ugh, I can't believe I didn't figure this out originally: my Varnish server is behind a load balancer (LB), so the ACL check was seeing the LB's address instead of the true IP of the client request.

--
Chad

From: chadaustin at outlook.com
To: varnish-misc at varnish-cache.org
Subject: purge ACL not being enforced
Date: Thu, 11 Apr 2013 17:25:47 -0700







We're running 3.0.3 and our config is set up to enforce an ACL for purges, but I recently discovered that it has no effect — purges succeed regardless of the origin IP. The config uses the example from the documentation and I've been unable to determine why it isn't working. Any help would be appreciated; the VCL is below.

Thanks,
Chad

# Addresses allowed to issue PURGE requests. vcl_recv matches client.ip
# (the TCP peer that connected to Varnish) against this list.
# NOTE(review): if a load balancer in front of Varnish has an address in
# 10.0.0.0/16, every request it forwards passes this ACL regardless of
# the originating client — confirm the LB's address against this range.
acl purge {
    "localhost";
    "10.0.0.0"/16;
}

# Origin for the main somecompany.com site; selected in vcl_recv for
# Host headers ending in somecompany.com that are not static hosts.
backend sc {
        .host = "39.22.194.41";
        .port = "80";
}

# Origin for static.*.somecompany.com hosts (see the Host routing in
# vcl_recv); reached over the private network.
backend scstatic {
    .host = "10.0.2.109";
    .port = "80";
}

# Origin for static.pub-ecommerce.somecompany.com only (exact Host match
# in vcl_recv).
backend ecommerce_ext {
    .host = "39.22.194.40";
    .port = "80";
}

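sub vcl_recv {
    # Anything outside the plain RFC 2616 method set (e.g. CONNECT) is
    # piped straight through, uncached.
    if (req.request != "GET" &&
        req.request != "HEAD" &&
        req.request != "PUT" &&
        req.request != "POST" &&
        req.request != "TRACE" &&
        req.request != "OPTIONS" &&
        req.request != "PURGE" &&
        req.request != "DELETE") {
        /* Non-RFC2616 or CONNECT which is weird. */
        return (pipe);
    }

    if (req.request == "PURGE") {
        # client.ip is the address of the TCP peer that connected to
        # Varnish. When a load balancer sits in front of Varnish that
        # peer is the load balancer, so every purge is judged on the
        # LB's address rather than the originating client's: if the LB
        # is inside the "purge" ACL every purge is allowed, if it is
        # outside every purge is refused. For this check to mean
        # anything the real client address has to reach Varnish (the
        # LB preserving the source address), or purge authorisation
        # has to be enforced at the LB itself.
        if (!client.ip ~ purge) {
            error 405 "Not allowed.";
        }
    } else if (req.request != "GET" && req.request != "HEAD") {
        /* We only deal with GET and HEAD by default */
        error 500 "Unknown method.";
    }
    #if (req.http.Authorization || req.http.Cookie) {
    #       /* Not cacheable by default */
    #       return (pass);
    #}

    # /sc_status.php is answered synthetically with 200 and never
    # reaches a backend.
    if (req.url == "/sc_status.php") {
        error 200 "okay.";
    }

    # remove cookies for all static content
    unset req.http.Cookie;

    # Route by Host header. The patterns are anchored and their dots
    # escaped so that only the intended hosts (optionally with a port)
    # select a backend; any other Host is refused with 404 instead of
    # being routed to an origin.
    if (req.http.Host == "static.pub-ecommerce.somecompany.com") {
        set req.backend = ecommerce_ext;
        set req.http.Host = "pub-ecommerce.somecompany.com";
    } else if (req.http.Host ~ "^static\.(.*\.)?somecompany\.com(:[0-9]+)?$") {
        set req.backend = scstatic;
        set req.http.Host = "www.somecompany.com";
    } else if (req.http.Host ~ "(^|\.)somecompany\.com(:[0-9]+)?$") {
        set req.backend = sc;
        set req.http.Host = "www.somecompany.com";
    } else {
        error 404 "Unknown virtual host.";
    }

    return (lookup);
}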

sub vcl_fetch {
    # Drop any Set-Cookie from the backend so it is neither cached nor
    # delivered to the client.
    unset beresp.http.Set-Cookie;

    # Every 4xx and 5xx response is cached for 30 seconds; both ranges
    # get the same TTL, so a single range test covers them.
    if (beresp.status >= 400 && beresp.status < 600) {
        set beresp.ttl = 30s;
    }
}

sub vcl_deliver {
    # Tag every response with the identity of the Varnish instance that
    # served it.
    set resp.http.X-Backend = server.identity;
}

sub vcl_hit {
    # A PURGE only gets here after vcl_recv returned lookup, i.e. after
    # it passed the client.ip ACL check there; the object is dropped and
    # a synthetic 200 is returned.
    if (req.request == "PURGE") {
        purge;
        error 200 "Purged HIT.";
    }
}

sub vcl_miss {
    # Same gate as vcl_hit: the ACL check already happened in vcl_recv.
    # Purging on a miss still invalidates any variants of the object and
    # answers with a synthetic 200.
    if (req.request == "PURGE") {
        purge;
        error 200 "Purged MISS.";
    }
}


 		 	   		  
