Issues restricting HTTP purges based on an ACL

Andrew Langhorn andrew.langhorn at digital.cabinet-office.gov.uk
Tue Feb 25 18:32:23 CET 2014


Hi Dridi,

Unfortunately, I see no references to the purge method being actioned in
the varnishlog. I would have thought I would see it there, but it appears
not. Perhaps this means the purge isn't being completed successfully?

Andrew


On 25 February 2014 17:05, Dridi Boukelmoune
<dridi.boukelmoune at zenika.com> wrote:

> On Tue, Feb 25, 2014 at 5:31 PM, Andrew Langhorn
> <andrew.langhorn at digital.cabinet-office.gov.uk> wrote:
> > Hi all,
> >
> > I have joined this list hoping that someone can help me with an issue I have
> > with restricting Varnish HTTP purges to a defined ACL of IPs.
> >
> > Our CDN provider use Varnish 2.x (not 3), so I've been following this
> > tutorial on implementing restrictions on HTTP Purges:
> > https://www.varnish-cache.org/docs/2.1/tutorial/purging.html.
>
> Hi,
>
> If you issue an HTTPS request, the value of client.ip belongs to your
> SSL/TLS endpoint, which may be allowed by your ACL. You should maybe
> rely on the X-Forwarded-For header instead (I believe you can trust
> the XFF header sent by your CDN provider).
>
> What do you see in varnishlog?
>
> Best Regards,
> Dridi
>
> > The section that Varnish seems to trip up on is:
> >
> >   if (req.request == "PURGE" ) {
> >      if (!client.ip ~ purge) {
> >         error 403 "Forbidden";
> >      }
> >      return (lookup);
> >   }
> >
> > When trying to purge the cache via the API from an IP outside of the ACL, it
> > is still accepted and purged. The second line of this block - if (!client.ip
> > ~ purge) { - seems to be the logic that isn't accepted properly. I thought
> > that including the bang outside of the brackets might fix the issue, but it
> > doesn't.
> >
> > I've only used Varnish a few times beforehand, so would appreciate any
> > assistance anyone can provide.
> >
> > Thanks in advance.
> >
> > Kind regards,
> >
> > Andrew Langhorn
> > Web Operations
> > Government Digital Service
> >
> > e: andrew.langhorn at digital.cabinet-office.gov.uk
> > t: +44 (0)7810 737375
> > a: 6th Floor, Aviation House, 125 Kingsway, London, WC2B 6NH
> >
>



-- 
Kind regards,

Andrew Langhorn
Web Operations
Government Digital Service

e: andrew.langhorn at digital.cabinet-office.gov.uk
t: +44 (0)7810 737375
a: 6th Floor, Aviation House, 125 Kingsway, London, WC2B 6NH
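
A Python model of the check discussed in this thread, added here as an illustration and not code from the thread or from Varnish: it shows how the same PURGE request is decided when the ACL is matched against the connecting peer versus the forwarded client address taken from X-Forwarded-For. The addresses, the trusted-proxy list and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample values (documentation ranges), not taken from the thread.
PURGE_ACL = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "192.0.2.0/24")]
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]  # assumed local TLS endpoint


def in_nets(addr, nets):
    """True if addr falls in any network; raises ValueError on a malformed address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def effective_client(peer_ip, xff_header):
    """Pick the address to test against the ACL; None means 'cannot tell'."""
    # XFF is only meaningful when the connection comes from a proxy we run.
    if not in_nets(peer_ip, TRUSTED_PROXIES):
        return peer_ip
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our own proxies,
    # anything further left was supplied by the client and is unverified.
    for hop in reversed(hops):
        try:
            if not in_nets(hop, TRUSTED_PROXIES):
                return hop
        except ValueError:
            return None  # malformed entry: fail closed
    return peer_ip


def purge_decision(method, peer_ip, xff_header=None, use_xff=False):
    """Mirror the VCL branch: non-PURGE passes, PURGE is 403 or lookup."""
    if method != "PURGE":
        return "pass"
    addr = effective_client(peer_ip, xff_header) if use_xff else peer_ip
    if addr is None or not in_nets(addr, PURGE_ACL):
        return "403 Forbidden"
    return "lookup"


if __name__ == "__main__":
    # Same request, arriving through the local TLS endpoint from 203.0.113.9.
    print(purge_decision("PURGE", "127.0.0.1", "203.0.113.9"))
    print(purge_decision("PURGE", "127.0.0.1", "203.0.113.9", use_xff=True))
```

The forwarded address is only consulted when the peer is a trusted proxy, so a header sent directly by an outside client cannot move it into the ACL.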