4. IP-based ACLs
# Who is allowed to purge....
acl local {
"localhost";
"192.168.1.0"/24; /* and everyone on the local network */
! "192.168.1.23"; /* except for the dialin router */
}
sub vcl_recv {
if (req.method == "PURGE") {
if (client.ip ~ local) {
return(purge);
} else {
return(synth(403, "Access denied."));
}
}
}
6. Cookie based auth
• Generate random cookie
• Issue a cookie to a client
• Authenticate the user that has the cookie
7. Crypto-signed cookies
• Sign the cookie
• Issue to the client
• Cookie is now tamperproof
• You can also verify it’s origin
• Problem: Now the format of the cookie is
defined in two places
8. Silly crypto access
example
sub vcl_recv {
unset req.http.authstatus;
if (req.http.signature) {
set req.http.sig-verf = digest.hmac_sha256("secret", req.http.username + req.url);
if (req.http.sig-verf == req.http.signature) {
set req.http.authstatus = "ok";
}
}
if (req.http.authstatus == "ok") {
return(synth(200, "ok"));
} else {
return(synth(401, "Not ok"));
}
}
10. Points to remember
• If you add a random string your crypto
cookie becomes really hard to crack
• Client side scripting required to manipulate
the cookies
13. Best of both worlds
• Login-service does auth and issues cookie
• Varnish verifies cookie against API
• Varnish issues it’s own cookies to track
state
16. Key design decisions
• Access control is either metered or
subscription based
• Products IDs - different subscription
offerings
• Article IDs - unique article ID for metering
• Auth through cookie and API
17. How is it built?
• DigestVMOD - Crypto
• HeaderVMOD - Managing multiple headers
w/same name
• VariableVMOD - configuration and state
• PaywallVMOD - misc
• Opt. MemcachedVMOD - store quota data
in Memcached