Issues restricting HTTP purges based on an ACL

Dridi Boukelmoune dridi.boukelmoune at zenika.com
Tue Feb 25 18:05:10 CET 2014


On Tue, Feb 25, 2014 at 5:31 PM, Andrew Langhorn
<andrew.langhorn at digital.cabinet-office.gov.uk> wrote:
> Hi all,
>
> I have joined this list hoping that someone can help me with an issue I have
> with restricting Varnish HTTP purges to a defined ACL of IPs.
>
> Our CDN provider uses Varnish 2.x (not 3), so I've been following this
> tutorial on implementing restrictions on HTTP Purges:
> https://www.varnish-cache.org/docs/2.1/tutorial/purging.html.

Hi,

If you issue an https request, the value of client.ip belongs to your
ssl/tls endpoint, which may be allowed by your ACL. You should maybe
rely on the X-Forwarded-For header instead (I believe you can trust
the XFF header sent by your CDN provider).

What do you see in varnishlog?

Best Regards,
Dridi

> The section that Varnish seems to trip up on is:
>
>   if (req.request == "PURGE" ) {
>      if (!client.ip ~ purge) {
>         error 403 "Forbidden";
>      }
>      return (lookup);
>   }
>
> When trying to purge the cache via the API from an IP outside of the ACL, it
> is still accepted and purged. The second line of this block - if (!client.ip
> ~ purge) { - seems to be the logic that isn't accepted properly. I thought
> that including the bang outside of the brackets might fix the issue, but it
> doesn't.
>
> I've only used Varnish a few times beforehand, so would appreciate any
> assistance anyone can provide.
>
> Thanks in advance.
>
> Kind regards,
>
> Andrew Langhorn
> Web Operations
> Government Digital Service
>
> e: andrew.langhorn at digital.cabinet-office.gov.uk
> t: +44 (0)7810 737375
> a: 6th Floor, Aviation House, 125 Kingsway, London, WC2B 6NH
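The client.ip versus X-Forwarded-For point made in the reply above, as an added example that is not from the thread: when the TCP peer is the TLS endpoint and that endpoint sits inside the purge ACL, a check on client.ip alone lets any purge through, so the decision must be made on the hop the trusted proxy appended to X-Forwarded-For, and XFF must be ignored from untrusted peers. All networks and addresses below are constructed.

```python
import ipaddress

# Constructed sample networks (not from the thread).
# The TLS/CDN endpoint range is inside the purge ACL, which is the situation the reply describes.
PURGE_ACL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]  # assumed CDN / TLS endpoint range


def in_acl(ip, acl):
    """True if the address falls inside any network of the ACL."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in acl)


def naive_purge_allowed(client_ip):
    """Mirrors the VCL in the thread: only client.ip is consulted."""
    return in_acl(client_ip, PURGE_ACL)


def purge_allowed(client_ip, xff):
    """Decide on the real requester.

    If the TCP peer is a trusted proxy, use the hop that proxy appended to
    X-Forwarded-For (the last entry). Otherwise judge client.ip itself and
    ignore XFF entirely, since an untrusted peer can put anything in it.
    """
    if in_acl(client_ip, TRUSTED_PROXIES):
        if not xff:
            return False  # trusted proxy but no forwarded address: refuse
        hops = [h.strip() for h in xff.split(",")]
        effective = hops[-1]  # entries before the last one may be client-supplied
    else:
        effective = client_ip
    try:
        return in_acl(effective, PURGE_ACL)
    except ValueError:
        return False  # malformed address in the header


if __name__ == "__main__":
    # Attacker at 198.51.100.7 sends PURGE over HTTPS via the CDN edge 203.0.113.5.
    print("naive:", naive_purge_allowed("203.0.113.5"))            # True: purge accepted
    print("xff:  ", purge_allowed("203.0.113.5", "198.51.100.7"))   # False: refused
```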
