<div dir="ltr">Hi Dridi,<div><br></div><div>Unfortunately, I see no references to the purge method being actioned in the varnishlog. I would have thought I would see it there, but it appears not. Perhaps this means the purge isn't being completed successfully?</div>
<div><br></div><div>Andrew</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 25 February 2014 17:05, Dridi Boukelmoune <span dir="ltr"><<a href="mailto:dridi.boukelmoune@zenika.com" target="_blank">dridi.boukelmoune@zenika.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On Tue, Feb 25, 2014 at 5:31 PM, Andrew Langhorn<br>
<<a href="mailto:andrew.langhorn@digital.cabinet-office.gov.uk">andrew.langhorn@digital.cabinet-office.gov.uk</a>> wrote:<br>
> Hi all,<br>
><br>
> I have joined this list hoping that someone can help me with an issue I have<br>
> with restricting Varnish HTTP purges to a defined ACL of IPs.<br>
><br>
> Our CDN provider use Varnish 2.x (not 3), so I've been following this<br>
> tutorial on implementing restrictions on HTTP Purges:<br>
> <a href="https://www.varnish-cache.org/docs/2.1/tutorial/purging.html" target="_blank">https://www.varnish-cache.org/docs/2.1/tutorial/purging.html</a>.<br>
<br>
</div>Hi,<br>
<br>
If you issue an https request, the value of client.ip belongs to your<br>
ssl/tls endpoint, which may be allowed by your ACL. You should maybe<br>
rely on the X-Forwarded-For header instead (I believe you can trust<br>
the XFF header sent by your CDN provider).<br>
<br>
What do you see in varnishlog?<br>
<br>
Best Regards,<br>
Dridi<br>
<div class="im HOEnZb"><br>
> The section that Varnish seems to trip up on is:<br>
><br>
> if (req.request == "PURGE" ) {<br>
> if (!client.ip ~ purge) {<br>
> error 403 "Forbidden";<br>
> }<br>
> return (lookup);<br>
> }<br>
><br>
> When trying to purge the cache via the API from an IP outside of the ACL, it<br>
> is still accepted and purged. The second line of this block - if (!client.ip<br>
> ~ purge) { - seems to be the logic that isn't accepted properly. I thought<br>
> that including the bang outside of the brackets might fix the issue, but it<br>
> doesn't.<br>
><br>
> I've only used Varnish a few times beforehand, so would appreciate any<br>
> assistance anyone can provide.<br>
><br>
> Thanks in advance.<br>
><br>
> Kind regards,<br>
><br>
> Andrew Langhorn<br>
> Web Operations<br>
> Government Digital Service<br>
><br>
> e: <a href="mailto:andrew.langhorn@digital.cabinet-office.gov.uk">andrew.langhorn@digital.cabinet-office.gov.uk</a><br>
> t: +44 (0)7810 737375<br>
> a: 6th Floor, Aviation House, 125 Kingsway, London, WC2B 6NH<br>
><br>
</div><div class="HOEnZb"><div class="h5">> _______________________________________________<br>
> varnish-misc mailing list<br>
> <a href="mailto:varnish-misc@varnish-cache.org">varnish-misc@varnish-cache.org</a><br>
> <a href="https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc" target="_blank">https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc</a><br>
</div></div></blockquote></div>
</div>
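Added example (not part of the thread, and not Varnish or VCL code): a Python model of the check discussed above, showing why a test on `client.ip` admits every request relayed by a TLS endpoint that is listed in the ACL, and which X-Forwarded-For hop an XFF-based check has to use. The addresses, ACL contents and function names are constructed assumptions.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not taken from the thread.
PURGE_ACL = ["192.0.2.10/32", "198.51.100.7/32"]  # admin host + TLS endpoint
TRUSTED_PROXIES = ["198.51.100.7/32"]             # assumed TLS/CDN hop that appends XFF


def in_nets(addr, nets):
    """True if addr falls inside any of the CIDR strings in nets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def allowed_by_peer(peer_ip):
    """Models `client.ip ~ purge`: only the immediate TCP peer is checked."""
    return in_nets(peer_ip, PURGE_ACL)


def effective_client(peer_ip, xff):
    """Return the address to authorize, or None if it cannot be determined."""
    if not in_nets(peer_ip, TRUSTED_PROXIES):
        return peer_ip                  # direct connection: the header is untrusted
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    try:
        for hop in reversed(hops):      # rightmost entries were appended by our proxies
            if not in_nets(hop, TRUSTED_PROXIES):
                return hop              # first hop that is not one of our proxies
    except ValueError:
        return None                     # malformed entry: fail closed
    return None                         # trusted peer but no usable client hop


def allowed_by_xff(peer_ip, xff):
    """ACL decision made on the effective client rather than the TCP peer."""
    client = effective_client(peer_ip, xff)
    return client is not None and in_nets(client, PURGE_ACL)


if __name__ == "__main__":
    proxy, outsider, admin = "198.51.100.7", "203.0.113.50", "192.0.2.10"
    print("peer check, outsider via proxy:", allowed_by_peer(proxy))
    print("XFF check, outsider via proxy: ", allowed_by_xff(proxy, outsider))
    print("XFF check, admin via proxy:    ", allowed_by_xff(proxy, admin))
    print("XFF check, forged left entry:  ", allowed_by_xff(proxy, f"{admin}, {outsider}"))
```

The leftmost X-Forwarded-For entry is supplied by the client, so the check uses the rightmost hop that is not one of the trusted proxies and denies the purge when no such hop can be parsed.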