Issues restricting HTTP purges based on an ACL

Stefan Caunter stef at scaleengine.com
Tue Feb 25 17:58:28 CET 2014


It's not clear from your description: is there an acl defined called purge?

Do logs show that the PURGE request actually came from the IP range you expect?

----

Stefan Caunter
ScaleEngine Inc.

E: stefan.caunter at scaleengine.com
Skype: stefan.caunter
Toll Free Direct: +1 800 280 6042
Toronto Canada


On Tue, Feb 25, 2014 at 11:31 AM, Andrew Langhorn
<andrew.langhorn at digital.cabinet-office.gov.uk> wrote:
> Hi all,
>
> I have joined this list hoping that someone can help me with an issue I have
> with restricting Varnish HTTP purges to a defined ACL of IPs.
>
> Our CDN provider use Varnish 2.x (not 3), so I've been following this
> tutorial on implementing restrictions on HTTP Purges:
> https://www.varnish-cache.org/docs/2.1/tutorial/purging.html.
>
> The section that Varnish seems to trip up on is:
>
>   if (req.request == "PURGE" ) {
>      if (!client.ip ~ purge) {
>         error 403 "Forbidden";
>      }
>      return (lookup);
>   }
>
> When trying to purge the cache via the API from an IP outside of the ACL, it
> is still accepted and purged. The second line of this block - if (!client.ip
> ~ purge) { - seems to be the logic that isn't accepted properly. I thought
> that including the bang outside of the brackets might fix the issue, but it
> doesn't.
>
> I've only used Varnish a few times beforehand, so would appreciate any
> assistance anyone can provide.
>
> Thanks in advance.
>
> Kind regards,
>
> Andrew Langhorn
> Web Operations
> Government Digital Service
>
> e: andrew.langhorn at digital.cabinet-office.gov.uk
> t: +44 (0)7810 737375
> a: 6th Floor, Aviation House, 125 Kingsway, London, WC2B 6NH
>
> _______________________________________________
> varnish-misc mailing list
> varnish-misc at varnish-cache.org
> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
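
The second question in the reply above, whether the logs show the PURGE coming from the expected range, can be checked mechanically. This is an added example, not part of the original thread or of Varnish: it assumes log lines laid out like Varnish 2.x `varnishlog -c` output (`ReqStart`, `RxRequest`, `RxURL`, `TxStatus` tags), and the ACL ranges, the sample lines and the name `audit_purges` are constructed for illustration.

```python
import ipaddress
import re

# Hypothetical stand-in for the contents of "acl purge { ... }" (documentation ranges).
PURGE_ACL = ["127.0.0.1/32", "192.0.2.0/24"]

# Constructed sample, assumed layout of `varnishlog -c`: <fd> <tag> c <payload>
SAMPLE_LOG = """\
   12 ReqStart     c 192.0.2.15 41822 1001
   12 RxRequest    c PURGE
   12 RxURL        c /news/index.html
   12 TxStatus     c 200
   13 ReqStart     c 203.0.113.77 55310 1002
   13 RxRequest    c PURGE
   13 RxURL        c /about.html
   13 TxStatus     c 200
   14 ReqStart     c 198.51.100.4 40100 1003
   14 RxRequest    c GET
   14 TxStatus     c 200
"""

LINE = re.compile(r"^\s*(\d+)\s+(\w+)\s+c\s+(.*)$")
FIELDS = {"RxRequest": "method", "RxURL": "url", "TxStatus": "status"}

def audit_purges(log_text, acl=PURGE_ACL):
    """Return one dict per PURGE request with its client IP and ACL verdict."""
    nets = [ipaddress.ip_network(n) for n in acl]
    current, requests = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        fd, tag, payload = m.group(1), m.group(2), m.group(3).strip()
        if tag == "ReqStart":  # payload: client IP, client port, transaction id
            rec = {"ip": payload.split()[0], "method": None, "url": None, "status": None}
            current[fd] = rec
            requests.append(rec)
        elif fd in current and tag in FIELDS:
            current[fd][FIELDS[tag]] = payload
    purges = [r for r in requests if r["method"] == "PURGE"]
    for r in purges:
        r["in_acl"] = any(ipaddress.ip_address(r["ip"]) in n for n in nets)
        # A 2xx answer to a PURGE from outside the ACL means the VCL check is not taking effect.
        r["suspect"] = not r["in_acl"] and (r["status"] or "").startswith("2")
    return purges

if __name__ == "__main__":
    for r in audit_purges(SAMPLE_LOG):
        print(r["ip"], r["url"], r["status"], "in ACL" if r["in_acl"] else "OUTSIDE ACL")
```

If every PURGE shows the same upstream address (for example a load balancer in front of Varnish), `client.ip` is that address, and the ACL is being matched against it rather than against the original requester.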


