504 errors with basic auth in varnish 4 vcl
Tim Dunphy
bluethundr at gmail.com
Sun Aug 2 20:34:32 CEST 2015
Guys,

I know I've been a pain in the ass about this. Sorry about that. But I
just wanted to let you know that I got this problem sorted out. The problem
was in fact that the web servers were too damn far away from the varnish
caches. I spun up a few VMs in the New York data center where the varnish
machines were located. And voila! Everything fell into place.

My setup is and always has been a little odd. I have two haproxy load
balancers in AWS / Northern Virginia. And I have two databases in the same
location. Everything is done on the free tier.

But varnish would have trouble running on a t2 micro instance so I sprung
for two low cost $10 a month hosts at Digital Ocean to be the varnish
caches. The web servers remained at Amazon using the free tier until I
could work out that the distance was the problem.

So now I've sprung for 3 low cost $5 a month web servers that only have
512MB of RAM. But are definitely fine as web servers.

So even though my LBs and databases are in Northern Virginia on AWS and my
web servers and varnish are in New York on Digital Ocean, everything turned
out fine. The distance between the load balancers and the databases doesn't
appear to be an issue the way it was for the varnish cache.

And another reason I had put varnish in New York at D.O. was because that's
where I'm developing my app. On a 2GB web server in that location. But I
also have a wiki that I wanted to cache on varnish. And that's what this
project was about.

I'm glad that everything's resolved.

I appreciated your input and advice as always.

Thanks,
Tim

On Wed, Jul 29, 2015 at 10:18 PM, Tim Dunphy <bluethundr at gmail.com> wrote:
> Hey all,
>
> I'm having trouble getting basic auth to work under varnish 4. I'm setting
> it up in front of a mediawiki site.
>
> If I hit the page from either a web browser I get a 504 The server didn't
> respond in time error. This doesn't happen when basic auth is not enabled
> in either the apache config or the varnish config. Which makes me think I
> may be handling basic auth wrong somewhere in my setup.
>
> I am able to curl the health check file through varnish. I'm doing this on
> the varnish server itself:
>
> #time curl --user admin http://wiki.example.com/healthcheck.php
> Enter host password for user 'admin':
> good
>
> real 0m3.080s
> user 0m0.003s
> sys 0m0.004s
>
> The health check file contains only the word 'good'.
>
> On the web server, the healthcheck.php file is in the doc root of the wiki
> site and is readable by the apache user:
>
> #ls -l /var/www/jf/wiki/healthcheck.php
> -rw-r--r--. 1 apache ftpgroup 5 Jul 17 00:42 /var/www/jf/wiki/healthcheck.php
>
> I've set up a no auth exception in the apache vhost for the site:
>
> <VirtualHost *:80>
>     ServerName wiki.example.com
>     ServerAlias www.wiki.example.com
>     Options -Indexes +FollowSymlinks
>     LogLevel debug
>     ErrorLog logs/wiki-error.log
>     LogFormat "%h %l %u %t \"%r\" %>s %b" common
>     CustomLog logs/wiki-access_log common
>     DocumentRoot /var/www/jf/wiki
>     SetEnvIf Request_URI ^/healthcheck.php noauth=1
>
>     <Directory /var/www/jf/wiki>
>         Options -Indexes
>         AuthType Basic
>         AuthName "JF Wiki Page"
>         AuthUserFile /etc/httpd/auth
>         Require valid-user
>         #equire all granted
>         Allow from env=noauth
>     </Directory>
>
>     <Directory /var/www/jf/wiki/images>
>         Options -Indexes
>     </Directory>
> </VirtualHost>
>
>
> On the varnish end I installed the 'basicauth' vmod, and imported it. Then
> set it up in the VCL. Here's how my VCL is looking:
>
> #egrep -v '#|^$' default.vcl
> vcl 4.0;
> import std;
> import directors;
> import basicauth;
> backend web1 {
>     .host = "10.10.10.25"; # <-- not a real IP
>     .port = "80";
>     .connect_timeout = 45s;
>     .first_byte_timeout = 45s;
>     .between_bytes_timeout = 45s;
>     .max_connections = 800;
>     .probe = {
>         .request =
>             "GET /healthcheck.php HTTP/1.1"
>             "Host: wiki.example.com"
>             "Authorization: Basic LongBasicAuthBase64Hash=="
>             "Connection: close";
>         .timeout = 10s;
>         .interval = 1s;
>         .window = 15;
>         .threshold = 8;
>     }
> }
> sub vcl_init {
>     new wiki = directors.round_robin();
>     wiki.add_backend(web1);
> }
> sub vcl_recv {
>     set req.backend_hint = wiki.backend();
>     if (!basicauth.match("/etc/httpd/auth", req.http.Authorization)) {
>         return(synth(401, "Authentication required"));
>     }
> }
> sub vcl_backend_response {
> }
> sub vcl_deliver {
> }
> sub vcl_synth {
>     if (resp.status == 401) {
>         set resp.http.WWW-Authenticate = "Basic";
>     }
> }
>
>
> You can see in my VCL that I'm attempting to pass basic auth headers to
> the healthcheck .probe.
>
> In varnishlog, when I'm getting the 504 errors in the browser, I'm seeing
> the following:
>
> - Timestamp Process: 1438220128.357217 5.381197 0.000029
> - RespHeader Transfer-Encoding: chunked
> - Debug "RES_MODE 8"
> - RespHeader Connection: close
> - RespHeader Accept-Ranges: bytes
> - Debug "Write error, retval = -1, len = 14553, errno = Connection reset by peer"
> - Timestamp Resp: 1438220128.357317 5.381297 0.000101
> - Debug "XXX REF 1"
> - ReqAcct 506 0 506 0 0 0
> - End
>
> And in the apache error log for the site I'm seeing this authorization
> error that corresponds with the time that I'm getting the 504 error:
>
> [Thu Jul 30 01:37:43.197847 2015] [authz_core:debug] [pid 29441] mod_authz_core.c(809): [client 10.10.10.19:47588] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
>
> I'm hoping to get some suggestions that will get this to work!
>
> Thanks
> Tim
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>
>
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
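
Added example, not part of the original messages and not the poster's configuration: on Apache 2.4 (the quoted error log line comes from mod_authz_core), a Basic-auth exemption for the health-check file can be written with Require directives alone. The anchored SetEnvIf pattern and the RequireAny block are choices made for this example; the paths and names are reused from the quoted vhost.

```apache
# Added example (not the poster's config): Apache 2.4 authorization only.
# Mark requests for exactly /healthcheck.php. The dot is escaped and the
# pattern is anchored so that /healthcheck.phpX or /healthcheck.php/extra
# do not inherit the exemption.
SetEnvIf Request_URI "^/healthcheck\.php$" noauth=1

<Directory /var/www/jf/wiki>
    Options -Indexes
    AuthType Basic
    AuthName "JF Wiki Page"
    AuthUserFile /etc/httpd/auth

    # Access is granted when either condition holds:
    <RequireAny>
        # the request is the health check marked above (no credentials needed)
        Require env noauth
        # or the client presented valid Basic credentials
        Require valid-user
    </RequireAny>
</Directory>
```

With the health check exempted this way, the Varnish probe can omit its Authorization header, so no credential has to be stored in the VCL.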
More information about the varnish-misc
mailing list