Mailing List Archive: HTTP Authorization

HTTP Authorization

Feb 13, 2007, 10:24 AM

Post #1 of 4 (764 views)

Hello, I am curious to know whether anybody has had any success with caching
files with HTTP authorization and still authorizing correctly. I have tried
to implement the following VLC:

----------------------
sub vcl_recv {
if (req.url ~ "\.jpg$|\.mpg$|\.wmv$") {
lookup;
}
if (req.http.Cookie) {
pipe;
}
lookup;
}
----------------------

This will correctly pipe all cookie and authorization attempts, and allow
correct caching of mpg's/wmv's/jpg's-- however, once it has been cached
anybody can wget the full url to the mpg/wmv/jpg and varnish will hand it
over from the cache without checking authorization since my vlc is kind of
'skipping' that part. I'm trying to figure out a why to somehow make it
pass all authorizations to a server first to check if it's kosher THEN send
the file from cache ... not sure if this is currently possible. Anybody
have any advice? Any comments are greatly appreciated.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://projects.linpro.no/pipermail/varnish-misc/attachments/20070213/df70ba0a/attachment.htm

HTTP Authorization [ In reply to ]

ask at develooper

Feb 13, 2007, 12:42 PM

Post #2 of 4 (746 views)

Permalink

On Feb 13, 2007, at 9:24, cripy wrote:

> Hello, I am curious to know whether anybody has had any success
> with caching files with HTTP authorization and still authorizing
> correctly. I have tried to implement the following VLC:

I don't know if it can be done with VLC, but I'd like to point to the
perlbal "re-proxy" feature (for potential inspiration to varnish).

The idea is that the proxy sends the request to the backend server,
the backend server (typically a "smart" server with DB access and
heavy memory footprint) authorizes the request and gives the proxy
another URL. The proxy then fetches the file from that URL
(typically on a "dumb" server) and sends it to the client.

- ask

--
http://develooper.com/ - http://askask.com/

HTTP Authorization [ In reply to ]

dwetzel at nerim

Feb 14, 2007, 9:09 AM

Post #3 of 4 (759 views)

Permalink

For Authorisations, why don't pass the requests to the backend
for the matching URLs as HEAD requests with Cookie: or Authorisation:
headers in it then if the backend sends 200, Varnish send back the cached
URL, if backend sends 403, the response is forwarded back to the enduser ?

Ask Bj?rn Hansen writes:
>
> On Feb 13, 2007, at 9:24, cripy wrote:
>
> > Hello, I am curious to know whether anybody has had any success
> > with caching files with HTTP authorization and still authorizing
> > correctly. I have tried to implement the following VLC:
>
> I don't know if it can be done with VLC, but I'd like to point to the
> perlbal "re-proxy" feature (for potential inspiration to varnish).
>
> The idea is that the proxy sends the request to the backend server,
> the backend server (typically a "smart" server with DB access and
> heavy memory footprint) authorizes the request and gives the proxy
> another URL. The proxy then fetches the file from that URL
> (typically on a "dumb" server) and sends it to the client.
>
>
> - ask
>
> --
> http://develooper.com/ - http://askask.com/
>
>
> _______________________________________________
> varnish-misc mailing list
> varnish-misc at projects.linpro.no
> http://projects.linpro.no/mailman/listinfo/varnish-misc

HTTP Authorization [ In reply to ]

ccripy at gmail

Feb 14, 2007, 11:17 AM

Post #4 of 4 (754 views)

Permalink

That's a clever idea, but how do you change req.request in VCL? I have
tried doing set req.request = 'HEAD' but I receive the following error:
-------------------------
In VCL code Line 7 Pos 17
set req.request = "HEAD";
-----------------#--------

Also, I don't believe it's possible to process a web servers return codes
(200 or 403) in VCL.

On 2/14/07, Damien Wetzel <dwetzel at nerim.net> wrote:
>
> For Authorisations, why don't pass the requests to the backend
> for the matching URLs as HEAD requests with Cookie: or Authorisation:
> headers in it then if the backend sends 200, Varnish send back the cached
> URL, if backend sends 403, the response is forwarded back to the enduser ?
>
> Ask Bj?rn Hansen writes:
> >
> > On Feb 13, 2007, at 9:24, cripy wrote:
> >
> > > Hello, I am curious to know whether anybody has had any success
> > > with caching files with HTTP authorization and still authorizing
> > > correctly. I have tried to implement the following VLC:
> >
> > I don't know if it can be done with VLC, but I'd like to point to the
> > perlbal "re-proxy" feature (for potential inspiration to varnish).
> >
> > The idea is that the proxy sends the request to the backend server,
> > the backend server (typically a "smart" server with DB access and
> > heavy memory footprint) authorizes the request and gives the proxy
> > another URL. The proxy then fetches the file from that URL
> > (typically on a "dumb" server) and sends it to the client.
> >
> >
> > - ask
> >
> > --
> > http://develooper.com/ - http://askask.com/
> >
> >
> > _______________________________________________
> > varnish-misc mailing list
> > varnish-misc at projects.linpro.no
> > http://projects.linpro.no/mailman/listinfo/varnish-misc
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://projects.linpro.no/pipermail/varnish-misc/attachments/20070214/af450c2a/attachment.htm