Mailing List Archive

cli bans
Hi,

Just a small question. Is it possible to temporarily send a specific HTTP error code back (e.g. HTTP 429) to an IP from Varnish using the command-line client (or by any other means) without restarting Varnish?
Consider this scenario:
A Varnish cluster is running nicely. Among other things it also gives access to a set of developer APIs.
Not all programmers are equally skilled so sometimes it happens that a programmer creates a loop that is flooding the platform.
At this moment I use fail2ban to just block it in iptables and unblock it after 10 minutes.
However, instead of blocking it, I would prefer to temporarily reroute the requests of this IP to an error page which returns HTTP 429 (which Varnish should also return as the status code).
Importantly, no Varnish restarts should be required for this.

Any ideas?

Kind Regards
Eric van den Hout

Devops Engineer / Technical administrator
Cluster Klant & Content / AAB


Stationsstraat 115
3811 MH Amersfoort
Mofo: +31 6 83569993
Email: aab@kpn.com
eric.m.vandenhout@kpn.com
Re: cli bans
--------
In message <AM6PR01MB4279CC64CEDED17494222A8AA0A50@AM6PR01MB4279.eurprd01.prod.exchangelabs.com>, eric.m.vandenhout@kpn.com writes:

> Just a small question. Is it possible to temporarily send a specific http
> errorcode back (e.g. http 429) to an ip from varnish using the commandline
> client (or by any other means) without restarting varnish?


Yes.

Add the necessary code to your VCL, switch to the new VCL. This is
an instant operation which does not affect your cache content.

Something like:

vi/emacs/ed whatever_your.vcl

then

varnishadm vcl.load somename /full/path/to/whatever_your.vcl

varnishadm vcl.use somename


--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
_______________________________________________
varnish-misc mailing list
varnish-misc@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
RE: cli bans
Thanks for your reply.
Another question that pops into mind then. Can VCLs include other files?

Regards, Eric

-----Original Message-----
From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Sent: Thursday, 22 August 2019 23:06
To: Hout, Eric van den <eric.m.vandenhout@kpn.com>
CC: varnish-misc@varnish-cache.org
Subject: Re: cli bans

Re: cli bans
--------
In message <AM6PR01MB4279859358682284C40C3457A0A40@AM6PR01MB4279.eurprd01.prod.exchangelabs.com>, eric.m.vandenhout@kpn.com writes:

> Thanks for your reply.
> Another question that pops into mind then. Can VCLs include other files?

Yes:

include "path-to-file" ;

works _anywhere_ in VCL.

You can do strange things with it like:

acl something {
include "/some/where/acl_body";
}

or even

acl include "/some/where/name_of_acl"; {
include "/some/where/acl_body";
}

But that is probably not very useful :-)

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
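Putting the two answers together, as an added example that is not code from the thread or from the Varnish project: the blocked client IPs live in a separate file pulled in with `include` inside an ACL, vcl_recv answers those clients with a synthetic 429, and varnishadm loads and activates the new VCL without a restart. The file paths, the backend address, the label scheme and the IP addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): answer HTTP 429 to a set of client IPs
# from Varnish without restarting varnishd, reloading only the VCL.
# Assumptions (constructed): ACL body in /etc/varnish/flood_acl.inc, VCL in
# /etc/varnish/flood.vcl, varnishadm on PATH, and a fresh label per vcl.load
# because a label cannot be reused while that configuration is still loaded.
set -eu

ACL_BODY="${ACL_BODY:-/etc/varnish/flood_acl.inc}"
VCL_FILE="${VCL_FILE:-/etc/varnish/flood.vcl}"

# Write the ACL body that the VCL pulls in with `include`: one "IP"; entry
# per line, so the block list is edited without touching the VCL itself.
write_acl_body() {            # usage: write_acl_body FILE ip [ip ...]
    out="$1"; shift
    : > "$out"
    for ip in "$@"; do
        printf '    "%s";\n' "$ip" >> "$out"
    done
}

# Write a VCL whose vcl_recv short-circuits blocked clients with a synthetic
# 429 plus a Retry-After header; their requests never reach the backend.
write_vcl() {                 # usage: write_vcl VCL_FILE ACL_BODY_PATH
    cat > "$1" <<EOF
vcl 4.1;
backend default { .host = "127.0.0.1"; .port = "8080"; }

acl flooders {
include "$2";
}

sub vcl_recv {
    if (client.ip ~ flooders) {
        return (synth(429, "Too Many Requests"));
    }
}

sub vcl_synth {
    if (resp.status == 429) {
        set resp.http.Retry-After = "600";
        return (deliver);
    }
}
EOF
}

# Load the VCL under a fresh label and switch to it: instant, cache kept.
# Rerun after every edit of the ACL body, since include is read at load time.
activate_vcl() {              # usage: activate_vcl VCL_FILE
    label="flood_$(date +%s)"
    varnishadm vcl.load "$label" "$1"
    varnishadm vcl.use "$label"
}
```

Typical use is `write_acl_body "$ACL_BODY" 192.0.2.10`, `write_vcl "$VCL_FILE" "$ACL_BODY"`, then `activate_vcl "$VCL_FILE"`; to lift the block, rewrite the ACL body without the address and activate again.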