Query for authorization username

Justin Lloyd justinl at arena.net
Tue Oct 26 19:01:32 UTC 2021

Hi Guillaume,

Thanks for the feedback! I’m hesitant about adding the external modules just due to the additional complexity of building and maintaining them via my configuration management system (SaltStack) right now.

Here’s what works for me by changing to blob.transcode() while still using regsub():

set req.http.X-Auth-User = regsub(blob.transcode(
                                      encoded=regsub(req.http.Authorization, "^Basic (.*)", "\1")),


From: Guillaume Quintard <guillaume.quintard at gmail.com>
Sent: Monday, October 25, 2021 2:58 PM
To: Justin Lloyd <justinl at arena.net>
Cc: varnish-misc at varnish-cache.org
Subject: Re: Query for authorization username

I think it's close to optimal, given the current tools. I would probably try to move away from regsub() and use vmod_str (https://github.com/varnish/varnish-modules/blob/master/src/vmod_str.vcc#L42), and maaaaaaybe use multiple assignments rather than on big expressions, but that's a personal preference at this point.

It would look like something like this in my mind (highly untested, don't sue me if your computer explodes):

import var;
import str;
import blob;

sub vcl_recv {
    if (str.split(req.http.Authorization, 0) == "Basic") {
        var.set("b64", str.split(req.http.Authorization, 1));
        var.set("decoded", bob.transcode(encoding = BASE64URL, encoded = var.get("b64")));
        set req.http.X-Auth-User = str.split(var.get("decoded"), 0, ":");

everything in one expression:

set req.http.X-Auth-User = str.split(
                                   encoding = BASE64URL,
                                   encoded = str.split(req.http.Authorization, 1))

You should possibly use blob.transcode() anyway.

Guillaume Quintard

On Mon, Oct 25, 2021 at 11:25 AM Justin Lloyd <justinl at arena.net<mailto:justinl at arena.net>> wrote:
In my dev environment, I have a few users configured to use Basic authorization (configured in the Nginx backend) and I’d like to be able to perform VSL queries based on the auth user. This is what I was able to come up with, but I’m wondering if there is a simpler way that I’m just not seeing.

require blob;
if (req.http.Authorization) {
    set req.http.X-Auth-User = regsub(blob.encode(IDENTITY,
                                                                   encoded=regsub(req.http.Authorization, "^Basic (.*)", "\1"))),
                                      ":.*$", "");

varnishtop -I ReqHeader:X-Auth-User
varnishlog -i ReqURL -q 'ReqHeader:X-Auth-User ~ “someuser”'


varnish-misc mailing list
varnish-misc at varnish-cache.org<mailto:varnish-misc at varnish-cache.org>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-misc/attachments/20211026/934589f9/attachment-0001.html>

More information about the varnish-misc mailing list