Varnish access control
Access Control
Access Control
• IP-based access
• Basic auth
• Various cookie-based access controls
IP-based ACLs
# Who is allowed to purge....
acl local {
    "localhost";
    "192.168.1.0"/24;     /* and everyone on the local network */
    ! "192.168.1.23";     /* except for the dialin router */
}

sub vcl_recv {
    if (req.method == "PURGE") {
        if (client.ip ~ local) {
            return (purge);
        } else {
            return (synth(403, "Access denied."));
        }
    }
}
Note: client.ip is the address of the TCP peer. Behind a load balancer or TLS terminator that is the proxy's address, so the ACL must see the real client address (for example via the PROXY protocol) rather than trust a client-supplied X-Forwarded-For header, which anyone can set.
Basic Auth
• Rarely used
• There is a VMOD for that
Cookie based auth
• Generate random cookie
• Issue a cookie to a client
• Authenticate the user that has the cookie
Crypto-signed cookies
• Sign the cookie
• Issue to the client
• Cookie is now tamperproof
• You can also verify its origin
• Problem: the format of the cookie is now defined in two places
Silly crypto access example
import digest;

sub vcl_recv {
    unset req.http.authstatus;
    if (req.http.signature) {
        # Recompute HMAC-SHA256(secret, username + url) and compare with the
        # signature the client sent. Deliberately simple: username and URL are
        # concatenated without a delimiter, the comparison is not
        # constant-time, and nothing stops a captured signature being replayed.
        set req.http.sig-verf = digest.hmac_sha256("secret", req.http.username + req.url);
        if (req.http.sig-verf == req.http.signature) {
            set req.http.authstatus = "ok";
        }
    }
    if (req.http.authstatus == "ok") {
        return (synth(200, "ok"));
    } else {
        return (synth(401, "Not ok"));
    }
}
demo
Points to remember
• If you add a random string (a nonce) to the signed payload, the crypto cookie becomes much harder to forge or guess
• Client-side scripting is required to manipulate the cookies
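The following Python is an added example, not code from the slides or from Varnish: it reproduces the check the VCL above performs on the client side, shows why concatenating username and URL without a delimiter is unsafe, and then applies the "add a random string" advice with an unambiguous encoding, a nonce and an issue time. The key "secret" is the slide's literal; that the VMOD returns the lowercase hex digest is an assumption about libvmod-digest.

```python
"""HMAC-signed access tokens: the slide's naive scheme and a hardened variant."""
import hashlib
import hmac
import secrets
import time

SECRET = b"secret"  # the literal key from the slide; a real key is long and random


def sign_naive(secret: bytes, username: str, url: str) -> str:
    """Same value the VCL computes with digest.hmac_sha256("secret", username + url),
    assuming the VMOD returns the lowercase hex digest."""
    return hmac.new(secret, (username + url).encode(), hashlib.sha256).hexdigest()


def verify_naive(secret: bytes, username: str, url: str, signature: str) -> bool:
    """The VCL's comparison, but constant-time so timing does not leak the MAC."""
    expected = sign_naive(secret, username, url)
    return hmac.compare_digest(expected.encode(), signature.encode())


def _encode(*fields: str) -> bytes:
    """Length-prefix every field so no two field sequences share an encoding.
    Plain concatenation lacks this property: "alice" + "/report" == "alic" + "e/report"."""
    return b"".join(f"{len(f.encode())}:".encode() + f.encode() for f in fields)


def sign_v2(secret: bytes, username: str, url: str, nonce=None, ts=None) -> dict:
    """Hardened token: unambiguous encoding plus a random nonce and an issue time."""
    nonce = nonce if nonce is not None else secrets.token_hex(16)
    ts = ts if ts is not None else int(time.time())
    payload = _encode(username, url, nonce, str(ts))
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return {"username": username, "url": url, "nonce": nonce, "ts": ts, "signature": mac}


def verify_v2(secret: bytes, token: dict, now: int, seen_nonces: set,
              max_age: int = 300) -> bool:
    """Accept only if the MAC matches, the token is fresh and the nonce is unused."""
    payload = _encode(token["username"], token["url"], token["nonce"], str(token["ts"]))
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), str(token["signature"]).encode()):
        return False
    if not (0 <= now - int(token["ts"]) <= max_age):
        return False  # expired or issued in the future
    if token["nonce"] in seen_nonces:
        return False  # replay of a captured token
    seen_nonces.add(token["nonce"])
    return True


if __name__ == "__main__":
    # Constructed demo: the collision in the naive scheme, then a hardened round trip.
    print(sign_naive(SECRET, "alice", "/report") == sign_naive(SECRET, "alic", "e/report"))
    tok = sign_v2(SECRET, "alice", "/report")
    print(verify_v2(SECRET, tok, now=int(time.time()), seen_nonces=set()))
```

In a Varnish deployment the nonce set would live in a shared store (the slides mention Memcached for quota data) so that all cache nodes reject the same replayed token; a per-node set only protects a single instance.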
Example 2
"Sharing cookie formats across services is bad"
Best of both worlds
• Login-service does auth and issues cookie
• Varnish verifies cookie against API
• Varnish issues its own cookies to track state
Architecture
[diagram: client -> Varnish -> auth service and content backend]
Varnish auth toolkit
aka
Varnish Paywall
Key design decisions
• Access control is either metered or subscription based
• Product IDs - different subscription offerings
• Article IDs - unique article ID for metering
• Auth through cookie and API
How is it built?
• Digest VMOD - crypto
• Header VMOD - managing multiple headers with the same name
• Variable VMOD - configuration and state
• Paywall VMOD - misc
• Optional Memcached VMOD - store quota data in Memcached
Backend header example
• X-Access-Control: subscription,metered
• X-Aid: 1234
• X-Auth-Failed: /login.html
• X-Pids: 23,55
Auth server interface
• Input: vpw_id (cookie from SSO)
• Output: VPW-Allowed-Pids: 75,23
• Output: VPW-TTL: 30
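To make the decision the preceding slides describe concrete, here is an added Python illustration (not the Varnish Paywall VMOD's code) that combines the backend headers (X-Access-Control, X-Aid, X-Auth-Failed, X-Pids) with the auth server's answer (VPW-Allowed-Pids, VPW-TTL). The auth server is replaced by a constructed dictionary keyed by the vpw_id cookie, the "three free unique articles" metering rule and the tracking_id (the value of the state cookie Varnish issues) are assumptions, and VPW-TTL is interpreted as how long the auth answer may be cached.

```python
"""Paywall decision: subscription via the auth API, otherwise metered access."""

# Constructed stand-in for the auth server: vpw_id cookie -> response headers.
AUTH_API = {
    "sso-alice": {"VPW-Allowed-Pids": "75,23", "VPW-TTL": "30"},
    "sso-bob":   {"VPW-Allowed-Pids": "99",    "VPW-TTL": "30"},
}


def parse_ids(value: str) -> set:
    """"23,55" -> {"23", "55"}; tolerant of spaces and empty entries."""
    return {v.strip() for v in value.split(",") if v.strip()}


def lookup_auth(vpw_id, now=0, cache=None, auth_api=AUTH_API):
    """Resolve the SSO cookie through the auth API, caching for VPW-TTL seconds.
    Returns {"pids": set, "expires": int} or None for an unknown cookie."""
    if cache is not None and vpw_id in cache and cache[vpw_id]["expires"] > now:
        return cache[vpw_id]
    resp = auth_api.get(vpw_id)
    if resp is None:
        return None
    entry = {"pids": parse_ids(resp["VPW-Allowed-Pids"]),
             "expires": now + int(resp["VPW-TTL"])}
    if cache is not None:
        cache[vpw_id] = entry
    return entry


def decide(backend, vpw_id, tracking_id, quota, auth_api=AUTH_API, free_articles=3):
    """Return ("allow", reason) or ("redirect", location).

    backend      response headers from the content backend
    vpw_id       SSO cookie value, or None for an anonymous reader
    tracking_id  value of the state cookie Varnish issued (assumed name)
    quota        tracking_id -> set of article ids already counted (shared store in
                 production, e.g. Memcached as the slides mention)
    """
    modes = parse_ids(backend.get("X-Access-Control", ""))
    if not modes:
        return ("allow", "public")  # backend did not mark the object as protected
    login = backend.get("X-Auth-Failed", "/login.html")

    auth = lookup_auth(vpw_id, auth_api=auth_api) if vpw_id else None
    if "subscription" in modes and auth is not None:
        if parse_ids(backend.get("X-Pids", "")) & auth["pids"]:
            return ("allow", "subscription")

    if "metered" in modes:
        aid = backend.get("X-Aid")
        if aid is None:
            return ("redirect", login)  # metered object without an article id: fail closed
        read = quota.setdefault(tracking_id, set())
        # Unique article ids: re-reading a counted article does not consume quota.
        if aid in read or len(read) < free_articles:
            read.add(aid)
            return ("allow", "metered")

    return ("redirect", login)


if __name__ == "__main__":
    # Constructed backend response matching the slide's header example.
    backend = {"X-Access-Control": "subscription,metered", "X-Aid": "1234",
               "X-Auth-Failed": "/login.html", "X-Pids": "23,55"}
    print(decide(backend, "sso-alice", "trk-1", {}))  # subscriber on pid 23
    print(decide(backend, None, "anon-1", {}))        # anonymous, first free article
```

Fail-closed choices matter here: an unknown mode, a missing X-Aid on a metered object, or an auth server that does not know the cookie all end in the X-Auth-Failed redirect rather than in access.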
Demo
Q&A