Issues restricting HTTP purges based on an ACL

Andrew Langhorn andrew.langhorn at digital.cabinet-office.gov.uk
Tue Feb 25 18:05:19 CET 2014


Hi Stefan,

Yes - I have an ACL further up called purge:

acl purge {
  "1.2.3.4";
  "2.3.4.5";
  "3.4.5.6";
  "4.5.6.7";
}

Of course, I've changed the IPs in the above example.

The PURGE seems to be accepted by IPs which should be disallowed according
to the ACL - for example, I can perform a HTTP PURGE from 8.9.10.11 or
whatever.

Thanks

Andrew


On 25 February 2014 16:58, Stefan Caunter <stef at scaleengine.com> wrote:

> It's not clear from your description, is there an acl defined called purge?
>
> Do logs show that the PURGE request actually came from the IP range you
> expect?
>
> ----
>
> Stefan Caunter
> ScaleEngine Inc.
>
> E: stefan.caunter at scaleengine.com
> Skype: stefan.caunter
> Toll Free Direct: +1 800 280 6042
> Toronto Canada
>
>
> On Tue, Feb 25, 2014 at 11:31 AM, Andrew Langhorn
> <andrew.langhorn at digital.cabinet-office.gov.uk> wrote:
> > Hi all,
> >
> > I have joined this list hoping that someone can help me with an issue I have
> > with restricting Varnish HTTP purges to a defined ACL of IPs.
> >
> > Our CDN provider use Varnish 2.x (not 3), so I've been following this
> > tutorial on implementing restrictions on HTTP Purges:
> > https://www.varnish-cache.org/docs/2.1/tutorial/purging.html.
> >
> > The section that Varnish seems to trip up on is:
> >
> >   if (req.request == "PURGE" ) {
> >      if (!client.ip ~ purge) {
> >         error 403 "Forbidden";
> >      }
> >      return (lookup);
> >   }
> >
> > When trying to purge the cache via the API from an IP outside of the ACL, it
> > is still accepted and purged. The second line of this block - if (!client.ip
> > ~ purge) { - seems to be the logic that isn't accepted properly. I thought
> > that including the bang outside of the brackets might fix the issue, but it
> > doesn't.
> >
> > I've only used Varnish a few times beforehand, so would appreciate any
> > assistance anyone can provide.
> >
> > Thanks in advance.
> >
> > Kind regards,
> >
> > Andrew Langhorn
> > Web Operations
> > Government Digital Service
> >
> > e: andrew.langhorn at digital.cabinet-office.gov.uk
> > t: +44 (0)7810 737375
> > a: 6th Floor, Aviation House, 125 Kingsway, London, WC2B 6NH
> >
> > _______________________________________________
> > varnish-misc mailing list
> > varnish-misc at varnish-cache.org
> > https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
>



-- 
Kind regards,

Andrew Langhorn
Web Operations
Government Digital Service

e: andrew.langhorn at digital.cabinet-office.gov.uk
t: +44 (0)7810 737375
a: 6th Floor, Aviation House, 125 Kingsway, London, WC2B 6NH
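
Added example (not part of the original message and not Varnish code): one way to run the check Stefan asks about, comparing the source address recorded for each PURGE against the purge ACL from the message. The request records and function names are constructed for illustration; only quoted IP literals with an optional /mask are parsed, not hostnames or negated entries.

```python
import ipaddress
import re

# The ACL as posted in the thread (addresses already changed by the poster).
VCL = '''
acl purge {
  "1.2.3.4";
  "2.3.4.5";
  "3.4.5.6";
  "4.5.6.7";
}
'''

# Constructed sample records: (source address seen by the cache, method, URL).
REQUESTS = [
    ("1.2.3.4", "PURGE", "/index.html"),
    ("8.9.10.11", "PURGE", "/index.html"),
    ("8.9.10.11", "GET", "/index.html"),
    ("4.5.6.7", "PURGE", "/css/site.css"),
]

def parse_acl(vcl, name):
    """Return the networks listed in `acl <name> { ... }` (IP literals only)."""
    block = re.search(r'acl\s+%s\s*\{(.*?)\}' % re.escape(name), vcl, re.S)
    if block is None:
        raise ValueError("acl %r is not defined" % name)
    nets = []
    # Accept both "a.b.c.d/nn" inside the quotes and "a.b.c.d"/nn outside them.
    for addr, mask in re.findall(r'"([^"]+)"\s*(?:/\s*(\d+))?\s*;', block.group(1)):
        cidr = addr if mask == "" else "%s/%s" % (addr, mask)
        nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets

def allowed(ip, nets):
    """True if `ip` falls inside any network of the ACL."""
    return any(ipaddress.ip_address(ip) in net for net in nets)

def audit(requests, nets):
    """Return the PURGE requests whose source address is outside the ACL."""
    return [r for r in requests if r[1] == "PURGE" and not allowed(r[0], nets)]

if __name__ == "__main__":
    acl = parse_acl(VCL, "purge")
    for ip, method, url in audit(REQUESTS, acl):
        print("PURGE from %s for %s is outside the ACL" % (ip, url))
```

The address that matters is the one the cache itself records as the client; behind a CDN or proxy that can differ from the address the request was sent from.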