varnish with apache mod_auth
Jason Price
japrice at gmail.com
Fri Mar 17 00:32:23 CET 2017
I don't believe there's a trivial way to do this.
Varnish will return the cached response to any IP address that comes
calling. Even if the first request comes from a valid IP, which gets
passed through via X-Forward or similar, and mod_auth is tweaked to respond
to that, any subsequent request will not be seen by either apache or
mod_auth at all.
You have a few options:
1) IP Whitelists are a rather poor means of authentication. Moving to
something else might be prudent. But that's not easy.
2) There are probably VMODs that do something similar. If not and if the
list of IPs isn't too long, you could limit the IPs in VCL rather than
mod_auth.
3) Push the list of IP addresses that can connect to the external port down
to IPTables or similar.
4) Push the list of IP addresses to external Firewall, or Security Group or
whatever.
On Thu, Mar 16, 2017 at 5:46 PM, Hernán Marsili <hernan at cmsmedios.com>
wrote:
> Hi,
>
> We are having an issue with VARNISH and apache mod_auth. Varnish is on
> port 80 serving users and Apache is the backend.
>
> We have servers restricting access only to authenticated users or certain
> IP addresses. Since we installed Varnish the issue is that we need to
> enable 127.0.0.1 as a permitted IP (required ip rule) so the Varnish can
> fetch content. The problem, is that the real IP is not used and all the
> other rules does not apply.
>
> Bottom line, how can we still control who is requesting using MOD_AUTH and
> having Varnish?
>
> Regards
> Hernán.
>
> _______________________________________________
> varnish-misc mailing list
> varnish-misc at varnish-cache.org
> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-misc/attachments/20170316/314e356d/attachment.html>
More information about the varnish-misc
mailing list