forbid access to certain URLs in VCL

Tim Dunphy bluethundr at
Fri Jan 30 19:35:10 CET 2015

Hey Sam,

 We have a request to block access to certain URLs from outside the
 network using Varnish. I came up with a way that I think will work. But
I’d like to bounce my method off you and see what you think. This is just
for staging right now. Production will probably be soon, but they haven’t
asked yet.

 I started by setting up an ACL that included all the IPs and networks that
I know of (so far) that constitute our internal network:

acl localnetwork {




And then, down in vcl_recv I put the following:

 if( ~ "^origin\.test-stage\.ourcompany\.com$" && req.url ~
"(^/user|^/user/|^/user/*)" && client.ip !~ localnetwork) {

           error 403 "Forbidden";


Here, I’m basically saying if you’re hitting this http host and these
following URLs and you don’t belong to any of the IPs mentioned in the
localhost ACL, you’ll receive an 403 forbidden error.

I’m only unsure of a couple of things, that I’d like your opinion on. Would
I need to have the error handled by a call to a separate vcl_error ?

Also for the phrase  "^origin\.test-stage\.nbcuni\.com$”  will I need to
escape the dash in in order for this to work?

OR do you think what I have here will do the trick? I think it might be
good as is.

Thanks for your help!


GPG me!!

gpg --keyserver --recv-keys F186197B
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the varnish-misc mailing list