Creating ACLs in Varnish

Justin Lloyd justinl at arena.net
Mon Jul 26 10:29:09 UTC 2021


Hi all,

I'm wondering if there's a better way to handle defining ACLs in Varnish. Currently I have an AWS ALB fronting a set of web servers hosting several related sites. However, one of the sites (previously two, hence the two examples here) has a more restrictive ACL requirement than the others, but since an ALB can only use a single Security Group, I've had to implement the tighter ACL in Varnish. Basically it looks like this, assuming our main sites are in example.com and the special ones are under example.net:

import std;  # needed for std.ip()

acl specialsite1_acl {
    "127.0.0.1";
    "10.0.0.0"/8;       # in VCL the mask goes outside the quoted address
    "60.70.80.0"/24;    # this is made up for example purposes
}

acl specialsite2_acl {
    "127.0.0.1";
    "10.0.0.0"/8;
    "12.34.56.0"/24;    # this is made up for example purposes
}

# I know the two if-statements could be joined, but this is programmatically generated from a Jinja template in Salt,
# so it was cleaner to do it this way.
sub check_acls {
    # Leftmost X-Forwarded-For entry parsed as an IP; the "0.0.0.0" fallback keeps an
    # unparsable value from failing the VCL and matches none of the ACLs, so it is denied.
    if (req.http.host ~ "^specialsite1\.example\.net$" &&
        !std.ip(regsub(req.http.X-Forwarded-For, ",.*$", ""), "0.0.0.0") ~ specialsite1_acl) {
        return (synth(403, "Access Forbidden"));
    }
    if (req.http.host ~ "^specialsite2\.example\.net$" &&
        !std.ip(regsub(req.http.X-Forwarded-For, ",.*$", ""), "0.0.0.0") ~ specialsite2_acl) {
        return (synth(403, "Access Forbidden"));
    }
}

sub vcl_recv {
...
    # Check the site-specific ACLs.
    if (req.http.host ~ "\.example\.net$") {
        call check_acls;
    }
...
}

Is there a better approach to this in Varnish Cache? We're also going to be evaluating Varnish Enterprise, so if there's something in VE, that would also be good to know.

Thanks,
Justin
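One way to restructure the VCL in the post, as an added example that is not the poster's code: the client address is extracted once in its own subroutine and the per-site checks only compare that value against their ACL. It takes the rightmost X-Forwarded-For entry rather than the leftmost, because each proxy appends the peer address it saw, so the rightmost entry is the one the ALB wrote while anything to its left was supplied by the client, and it consults the header only when the TCP peer is in a trusted-proxy ACL. The `trusted_proxies` range, the `X-Client-IP` header name and the placeholder backend are assumptions for this example; the site networks are the constructed ones from the post.

```vcl
vcl 4.1;

import std;

# Placeholder backend so the file compiles on its own (assumption).
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

# Peers whose X-Forwarded-For we believe. Assumed to be the ALB's
# private subnets; replace with the real ALB CIDRs.
acl trusted_proxies {
    "10.0.0.0"/8;
}

# Per-site ACLs; networks are constructed, as in the post.
acl specialsite1_acl {
    "127.0.0.1";
    "10.0.0.0"/8;
    "60.70.80.0"/24;
}

acl specialsite2_acl {
    "127.0.0.1";
    "10.0.0.0"/8;
    "12.34.56.0"/24;
}

# Determine the real client address once and store it in X-Client-IP
# (header name chosen for this example). The rightmost X-Forwarded-For
# entry is the one the ALB appended; entries left of it came from the
# client. If the request did not arrive from a trusted proxy, the TCP
# peer itself is the client and the header is ignored.
sub set_client_ip {
    if (client.ip ~ trusted_proxies && req.http.X-Forwarded-For) {
        # Drop everything up to and including the last comma.
        set req.http.X-Client-IP = regsub(req.http.X-Forwarded-For, "^.*,\s*", "");
    } else {
        set req.http.X-Client-IP = client.ip;
    }
}

# ACLs are not first-class values in VCL, so one branch per site remains;
# the branches now differ only in host pattern and ACL name.
sub check_acls {
    # "0.0.0.0" fallback: an unparsable value matches no ACL and is denied
    # instead of triggering a VCL failure.
    if (req.http.host ~ "^specialsite1\.example\.net$" &&
        !(std.ip(req.http.X-Client-IP, "0.0.0.0") ~ specialsite1_acl)) {
        return (synth(403, "Access Forbidden"));
    }
    if (req.http.host ~ "^specialsite2\.example\.net$" &&
        !(std.ip(req.http.X-Client-IP, "0.0.0.0") ~ specialsite2_acl)) {
        return (synth(403, "Access Forbidden"));
    }
}

sub vcl_recv {
    call set_client_ip;
    if (req.http.host ~ "\.example\.net$") {
        call check_acls;
    }
}
```

Because the Jinja template only has to emit the `acl` block and one `if` branch per site, the generated part stays mechanical while the address handling lives in hand-written VCL that is written once.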


More information about the varnish-misc mailing list