Varnish access control
Uploaded by varnish-software
Transcript of Varnish access control
Access Control
• IP-based access
• Basic auth
• Various cookie based access controls
IP-based ACLs
  # Who is allowed to purge....
  acl local {
      "localhost";
      "192.168.1.0"/24;   /* and everyone on the local network */
      ! "192.168.1.23";   /* except for the dialin router */
  }

  sub vcl_recv {
      if (req.method == "PURGE") {
          if (client.ip ~ local) {
              return(purge);
          } else {
              return(synth(403, "Access denied."));
          }
      }
  }
Basic Auth
• Not really used
• There is a VMOD for that
Cookie based auth
• Generate random cookie
• Issue a cookie to a client
• Authenticate the user that has the cookie
Crypto-signed cookies
• Sign the cookie
• Issue to the client
• Cookie is now tamperproof
• You can also verify its origin
• Problem: Now the format of the cookie is defined in two places
Silly crypto access example
  import digest;   /* needed for digest.hmac_sha256() */

  sub vcl_recv {
      unset req.http.authstatus;
      if (req.http.signature) {
          /* recompute the HMAC over username + URL with the shared key */
          set req.http.sig-verf = digest.hmac_sha256("secret", req.http.username + req.url);
          if (req.http.sig-verf == req.http.signature) {
              set req.http.authstatus = "ok";
          }
      }
      if (req.http.authstatus == "ok") {
          return(synth(200, "ok"));
      } else {
          return(synth(401, "Not ok"));
      }
  }
demo
Points to remember
• If you add a random string your crypto cookie becomes really hard to crack
• Client side scripting required to manipulate the cookies
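The signing and verification the slide's VCL performs, written out in Python as an added example (not code from the deck or from Varnish Software). It assumes the digest VMOD's hmac_sha256 returns a lowercase hex digest, and it adds the random string recommended above so two signatures for the same user and URL differ.

```python
import hashlib
import hmac
import secrets

# Shared HMAC key. The slide's VCL uses the literal "secret"; constructed
# example value only, keep real keys out of source.
KEY = b"secret"


def sign(username: str, url: str, nonce: str = "", key: bytes = KEY) -> str:
    # Mirrors digest.hmac_sha256(key, req.http.username + req.url) from the
    # slide; the nonce is the random string from "Points to remember".
    # Hex output is assumed to match what the VMOD returns.
    msg = (username + nonce + url).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue(username: str, url: str, key: bytes = KEY) -> dict:
    # Login-service side: mint the values the client later presents as
    # request headers (username, nonce, signature) for this URL.
    nonce = secrets.token_hex(16)
    return {
        "username": username,
        "nonce": nonce,
        "url": url,
        "signature": sign(username, url, nonce, key),
    }


def verify(req: dict, key: bytes = KEY) -> bool:
    # Varnish side: recompute from the presented fields and compare. The VCL
    # uses a plain == on strings; compare_digest avoids a timing side channel.
    if not all(k in req for k in ("username", "nonce", "url", "signature")):
        return False
    expected = sign(req["username"], req["url"], req["nonce"], key)
    return hmac.compare_digest(expected, req["signature"])


if __name__ == "__main__":
    token = issue("alice", "/article/1234")
    print("valid:", verify(token))                                   # True
    print("other url:", verify({**token, "url": "/article/5678"}))   # False
    print("other user:", verify({**token, "username": "bob"}))       # False
```

Because req.url is part of the signed message, a signature obtained for one article does not authorize another.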
Example 2
"Sharing cookie formats across services is bad"
Best of both worlds
• Login-service does auth and issues cookie
• Varnish verifies cookie against API
• Varnish issues its own cookies to track state
Architecture
Architecture diagram (boxes: client, varnish, auth, content)
Varnish auth toolkit, aka Varnish Paywall
Key design decisions
• Access control is either metered or subscription based
• Product IDs - different subscription offerings
• Article IDs - unique article ID for metering
• Auth through cookie and API
How is it built?
• Digest VMOD - Crypto
• Header VMOD - Managing multiple headers w/same name
• Variable VMOD - configuration and state
• Paywall VMOD - misc
• Opt. Memcached VMOD - store quota data in Memcached
Backend header example
• X-Access-Control: subscription,metered
• X-Aid: 1234
• X-Auth-Failed: /login.html
• X-Pids: 23,55
Auth server interface
• Input: vpw_id (cookie from SSO)
• VPW-Allowed-Pids: 75,23
• VPW-TTL: 30
Demo
Q&A