504 errors with basic auth in varnish 4 vcl
Tim Dunphy
bluethundr at gmail.com
Thu Jul 30 04:18:02 CEST 2015
Hey all,
I'm having trouble getting basic auth to work under varnish 4. I'm setting
it up in front of a mediawiki site.
If I hit the page from either a web browser I get a 504 The server didn't
respond in time error. This doesn't happen when basic auth is not enabled
in either the apache config or the varnish config. Which makes me think I
may be handling basic auth wrong somewhere in my setup.
I am able to curl the health check file through varnish. I'm doing this on
the varnish server itself:
#time curl --user admin http://wiki.example.com/healthcheck.php
Enter host password for user 'admin':
good
real 0m3.080s
user 0m0.003s
sys 0m0.004s
The health check file contains only the word 'good'.
On the web server, the healthcheck.php file is in the doc root of the wiki
site and is readable by the apache user:
#ls -l /var/www/jf/wiki/healthcheck.php
-rw-r--r--. 1 apache ftpgroup 5 Jul 17 00:42 /var/www/jf/wiki/healthcheck.php
I've set up a no auth exception in the apache vhost for the site:
<VirtualHost *:80>
    ServerName wiki.example.com
    ServerAlias www.wiki.example.com
    Options -Indexes +FollowSymlinks
    LogLevel debug
    ErrorLog logs/wiki-error.log
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog logs/wiki-access_log common
    DocumentRoot /var/www/jf/wiki
    SetEnvIf Request_URI ^/healthcheck.php noauth=1
    <Directory /var/www/jf/wiki>
        Options -Indexes
        AuthType Basic
        AuthName "JF Wiki Page"
        AuthUserFile /etc/httpd/auth
        Require valid-user
        #equire all granted
        Allow from env=noauth
    </Directory>
    <Directory /var/www/jf/wiki/images>
        Options -Indexes
    </Directory>
</VirtualHost>
On the varnish end I installed the 'basicauth' vmod, and imported it. Then
set it up in the VCL. Here's how my VCL is looking:
#egrep -v '#|^$' default.vcl
vcl 4.0;
import std;
import directors;
import basicauth;
backend web1 {
    .host = "10.10.10.25"; # <-- not a real IP
    .port = "80";
    .connect_timeout = 45s;
    .first_byte_timeout = 45s;
    .between_bytes_timeout = 45s;
    .max_connections = 800;
    .probe = {
        .request =
            "GET /healthcheck.php HTTP/1.1"
            "Host: wiki.example.com"
            "Authorization: Basic LongBasicAuthBase64Hash=="
            "Connection: close";
        .timeout = 10s;
        .interval = 1s;
        .window = 15;
        .threshold = 8;
    }
}
sub vcl_init {
    new wiki = directors.round_robin();
    wiki.add_backend(web1);
}
sub vcl_recv {
    set req.backend_hint = wiki.backend();
    if (!basicauth.match("/etc/httpd/auth", req.http.Authorization)) {
        return(synth(401, "Authentication required"));
    }
}
sub vcl_backend_response {
}
sub vcl_deliver {
}
sub vcl_synth {
    if (resp.status == 401) {
        set resp.http.WWW-Authenticate = "Basic";
    }
}
You can see in my VCL that I'm attempting to pass basic auth headers to the
healthcheck .probe.
In varnishlog, when I'm getting the 504 errors in the browser, I'm seeing
the following:
- Timestamp Process: 1438220128.357217 5.381197 0.000029
- RespHeader Transfer-Encoding: chunked
- Debug "RES_MODE 8"
- RespHeader Connection: close
- RespHeader Accept-Ranges: bytes
- Debug "Write error, retval = -1, len = 14553, errno = Connection reset by peer"
- Timestamp Resp: 1438220128.357317 5.381297 0.000101
- Debug "XXX REF 1"
- ReqAcct 506 0 506 0 0 0
- End
And in the apache error log for the site I'm seeing this authorization
error that corresponds with the time that I'm getting the 504 error:
[Thu Jul 30 01:37:43.197847 2015] [authz_core:debug] [pid 29441] mod_authz_core.c(809): [client 10.10.10.19:47588] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
I'm hoping to get some suggestions that will get this to work!
Thanks
Tim
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
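
Added example, not part of the original message and not offered as the cause of the 504: the health-check exemption described in the vhost above, written with Apache 2.4 authorization directives only (the authz_core log line indicates 2.4). It assumes mod_setenvif, mod_auth_basic and mod_authz_core are loaded and reuses the paths from the post; the tightened regex is an editorial choice.

```apache
# Form used in the post: a 2.4 "Require" mixed with a 2.2-style "Allow from".
# Apache's upgrade notes discourage mixing the two families, and under 2.2
# semantics the exemption would additionally need "Satisfy Any".
#
#   SetEnvIf Request_URI ^/healthcheck.php noauth=1
#   Require valid-user
#   Allow from env=noauth

# 2.4-only form. The regex is anchored at both ends and the dot is escaped,
# so only the exact path /healthcheck.php is exempt from authentication.
# Request_URI does not include the query string.
SetEnvIf Request_URI "^/healthcheck\.php$" noauth=1

<Directory /var/www/jf/wiki>
    Options -Indexes
    AuthType Basic
    AuthName "JF Wiki Page"
    AuthUserFile /etc/httpd/auth

    # Access is granted when EITHER condition holds:
    #  - the request is for the health check (noauth is set), or
    #  - the client presented valid Basic credentials.
    <RequireAny>
        Require env noauth
        Require valid-user
    </RequireAny>
</Directory>
```

With the exemption expressed this way the probe request does not need to carry credentials, which keeps the Base64-encoded password out of the VCL file. Check the syntax with `apachectl configtest` before reloading.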