<div dir="ltr">Hi Stefan,<div><br></div><div>Yes - I have an ACL further up called purge:</div><div><br></div><div><div>acl purge {</div><div> "1.2.3.4"; </div><div> "2.3.4.5";</div><div> "3.4.5.6";</div>
<div> "4.5.6.7";</div><div>}</div></div><div><br></div><div>Of course, I've changed the IPs in the above example.</div><div><br></div><div>The PURGE seems to be accepted by IPs which should be disallowed according to the ACL - for example, I can perform an HTTP PURGE from 8.9.10.11 or whatever.</div>
<div><br></div><div>Thanks</div><div><br></div><div>Andrew</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 25 February 2014 16:58, Stefan Caunter <span dir="ltr">&lt;<a href="mailto:stef@scaleengine.com" target="_blank">stef@scaleengine.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">It's not clear from your description, is there an acl defined called purge?<br>
<br>
Do logs show that the PURGE request actually came from the IP range you expect?<br>
<br>
----<br>
<br>
Stefan Caunter<br>
ScaleEngine Inc.<br>
<br>
E: <a href="mailto:stefan.caunter@scaleengine.com">stefan.caunter@scaleengine.com</a><br>
Skype: stefan.caunter<br>
Toll Free Direct: +1 800 280 6042<br>
Toronto Canada<br>
<div><div class="h5"><br>
<br>
On Tue, Feb 25, 2014 at 11:31 AM, Andrew Langhorn<br>
&lt;<a href="mailto:andrew.langhorn@digital.cabinet-office.gov.uk">andrew.langhorn@digital.cabinet-office.gov.uk</a>&gt; wrote:<br>
> Hi all,<br>
><br>
> I have joined this list hoping that someone can help me with an issue I have<br>
> with restricting Varnish HTTP purges to a defined ACL of IPs.<br>
><br>
> Our CDN provider use Varnish 2.x (not 3), so I've been following this<br>
> tutorial on implementing restrictions on HTTP Purges:<br>
> <a href="https://www.varnish-cache.org/docs/2.1/tutorial/purging.html" target="_blank">https://www.varnish-cache.org/docs/2.1/tutorial/purging.html</a>.<br>
><br>
> The section that Varnish seems to trip up on is:<br>
><br>
> if (req.request == "PURGE" ) {<br>
> if (!client.ip ~ purge) {<br>
> error 403 "Forbidden";<br>
> }<br>
> return (lookup);<br>
> }<br>
><br>
> When trying to purge the cache via the API from an IP outside of the ACL, it<br>
> is still accepted and purged. The second line of this block - if (!client.ip<br>
> ~ purge) { - seems to be the logic that isn't accepted properly. I thought<br>
> that including the bang outside of the brackets might fix the issue, but it<br>
> doesn't.<br>
><br>
> I've only used Varnish a few times beforehand, so would appreciate any<br>
> assistance anyone can provide.<br>
><br>
> Thanks in advance.<br>
><br>
> Kind regards,<br>
><br>
> Andrew Langhorn<br>
> Web Operations<br>
> Government Digital Service<br>
><br>
> e: <a href="mailto:andrew.langhorn@digital.cabinet-office.gov.uk">andrew.langhorn@digital.cabinet-office.gov.uk</a><br>
> t: +44 (0)7810 737375<br>
> a: 6th Floor, Aviation House, 125 Kingsway, London, WC2B 6NH<br>
><br>
</div></div>> _______________________________________________<br>
> varnish-misc mailing list<br>
> <a href="mailto:varnish-misc@varnish-cache.org">varnish-misc@varnish-cache.org</a><br>
> <a href="https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc" target="_blank">https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Kind regards,<div><br></div><div>Andrew Langhorn</div><div>Web Operations</div><div>Government Digital Service</div><div><br></div><div>e: <a href="mailto:andrew.langhorn@digital.cabinet-office.gov.uk" target="_blank">andrew.langhorn@digital.cabinet-office.gov.uk</a></div>
<div>t: +44 (0)7810 737375</div><div>a: 6th Floor, Aviation House, 125 Kingsway, London, WC2B 6NH</div></div>
</div>