504 errors with basic auth in varnish 4 vcl

Tim Dunphy bluethundr at gmail.com
Thu Jul 30 04:18:02 CEST 2015

Hey all,

I'm having trouble getting basic auth to work under varnish 4. I'm setting
it up in front of a mediawiki site.

If I hit the page from either a web browser I get a 504 The server didn't
respond in time error. This doesn't happen when basic auth is not enabled
in either the apache config or the varnish config. Which makes me think I
may be handling basic auth wrong somewhere in my setup.

I am able to curl the health check file through varnish. I'm doing this on
the varnish server itself:

    #time curl --user admin http://wiki.example.com/healthcheck.php
    Enter host password for user 'admin':

    real    0m3.080s
    user    0m0.003s
    sys     0m0.004s

The health check file contains only the word 'good'.

On the web server, the healthcheck.php file is in the doc root of the wiki
site and is readable by the apache user:

    #ls -l /var/www/jf/wiki/healthcheck.php
    -rw-r--r--. 1 apache ftpgroup 5 Jul 17 00:42

I've setup a no auth exception in the apache vhost for the site:

    <VirtualHost *:80>
       ServerName wiki.example.com
       ServerAlias www.wiki.example.com
       Options -Indexes +FollowSymlinks
       LogLevel debug
       ErrorLog logs/wiki-error.log
       LogFormat "%h %l %u %t \"%r\" %>s %b" common
       CustomLog logs/wiki-access_log common
       DocumentRoot /var/www/jf/wiki
       SetEnvIf Request_URI ^/healthcheck.php noauth=1

       <Directory /var/www/jf/wiki>
          Options -Indexes
          AuthType Basic
          AuthName "JF Wiki Page"
          AuthUserFile /etc/httpd/auth
          Require valid-user
          #equire all granted
          Allow from env=noauth

       <Directory /var/www/jf/wiki/images>
                    Options -Indexes

On the varnish end I installed the 'basicauth' vmod, and imported it. Then
set it up in the VCL. Here's how my VCL is looking:

    #egrep -v '#|^$' default.vcl
    vcl 4.0;
    import std;
    import directors;
    import basicauth;
    backend web1 {
      .host = ""; # <-- not a real IP
      .port = "80";
      .connect_timeout = 45s;
      .first_byte_timeout = 45s;
      .between_bytes_timeout = 45s;
      .max_connections = 800;
      .probe = {
                    .request =
                     "GET /healthcheck.php HTTP/1.1"
                     "Host: wiki.example.com"
                     "Authorization: Basic LongBasicAuthBase64Hash=="
                     "Connection: close";
                    .timeout = 10s;
                    .interval = 1s;
                    .window = 15;
                    .threshold = 8;
    sub vcl_init {
        new wiki = directors.round_robin();
    sub vcl_recv {
        set req.backend_hint = wiki.backend();
        if (!basicauth.match("/etc/httpd/auth",  req.http.Authorization)) {
            return(synth(401, "Authentication required"));
    sub vcl_backend_response {
    sub vcl_deliver {
    sub vcl_synth {
        if (resp.status == 401) {
                    set resp.http.WWW-Authenticate = "Basic";

You can see in my VCL that I'm attempting to pass basic auth headers to the
healthcheck .probe.

In varnishlog, when I'm getting the 504 errors in the browser, I'm seeing
the following:

    -   Timestamp      Process: 1438220128.357217 5.381197 0.000029
    -   RespHeader     Transfer-Encoding: chunked
    -   Debug          "RES_MODE 8"
    -   RespHeader     Connection: close
    -   RespHeader     Accept-Ranges: bytes
    -   Debug          "Write error, retval = -1, len = 14553, errno =
Connection reset by peer"
    -   Timestamp      Resp: 1438220128.357317 5.381297 0.000101
    -   Debug          "XXX REF 1"
    -   ReqAcct        506 0 506 0 0 0
    -   End

And in the apache error log for the site I'm seeing this authorization
error that corresponds with the time that I'm getting the 504 error:

    [Thu Jul 30 01:37:43.197847 2015] [authz_core:debug] [pid 29441]
mod_authz_core.c(809): [client] AH01626: authorization
result of Require valid-user : denied (no authenticated user yet)

I'm hoping to get some suggestions that will get this to work!

GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-misc/attachments/20150729/046c3a1f/attachment.html>

More information about the varnish-misc mailing list