Mailing List Archive

Creating ACLs in Varnish
Hi all,

I'm wondering if there's a better way to handle defining ACLs in Varnish. Currently I have an AWS ALB fronting a set of web servers hosting several related sites. However, one of the sites (previously two, hence the two examples here) has a more restrictive ACL requirement than the others, but since an ALB can only use a single Security Group, I've had to implement the tighter ACL in Varnish. Basically it looks like this, assuming our main sites are in example.com and the special ones are under example.net:

import std;

acl specialsite1_acl {
    "127.0.0.1"/32;    # in VCL the prefix length goes outside the quotes
    "10.0.0.0"/8;
    "60.70.80.0"/24;   # this is made up for example purposes
}

acl specialsite2_acl {
    "127.0.0.1"/32;
    "10.0.0.0"/8;
    "12.34.56.0"/24;   # this is made up for example purposes
}

# I know the two if-statements could be joined, but this is programmatically generated from a Jinja template in Salt,
# so it was cleaner to do it this way.
sub check_acls {
    # Take the leftmost X-Forwarded-For entry and turn it into an IP. std.ip()
    # needs a fallback, which it returns when the string is not an address (or
    # the header is missing); 0.0.0.0 is in no ACL, so those requests get the 403.
    # Note: the leftmost entry is whatever the client sent; the entry the ALB
    # itself appended is the rightmost one.
    if (req.http.host ~ "^specialsite1\.example\.net$" &&
        !(std.ip(regsub(req.http.X-Forwarded-For, ",.*$", ""), "0.0.0.0") ~ specialsite1_acl)) {
        return (synth(403, "Access Forbidden"));
    }
    if (req.http.host ~ "^specialsite2\.example\.net$" &&
        !(std.ip(regsub(req.http.X-Forwarded-For, ",.*$", ""), "0.0.0.0") ~ specialsite2_acl)) {
        return (synth(403, "Access Forbidden"));
    }
}

sub vcl_recv {
    ...
    # Check the site-specific ACLs.
    if (req.http.host ~ "\.example\.net$") {
        call check_acls;
    }
    ...
}

Is there a better approach to this in Varnish Cache? We're also going to be evaluating Varnish Enterprise, so if there's something in VE, that would also be good to know.

Thanks,
Justin
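The following is an added example, not code from the original post or from the Varnish project, showing how the same per-site check can be written so that it fails closed. It differs from the posted VCL in three ways: it trusts only the rightmost X-Forwarded-For entry (the one the ALB appended, since anything to the left arrived in the client's own request and can be forged), it refuses requests that carry no X-Forwarded-For at all (they did not come through the ALB), and it refuses any example.net host that has no ACL listed, which is stricter than the original. The ACL addresses are the made-up ones from the post; the scratch header name X-ALB-Client is an assumption, and resolve=false is assumed to be available in the Varnish Cache release in use (drop that argument on older versions). The backend definition and the rest of vcl_recv are omitted.

```vcl
vcl 4.1;

import std;

# Per-site ACLs as in the post (addresses are made up).
acl specialsite1_acl {
    "127.0.0.1"/32;
    "10.0.0.0"/8;
    "60.70.80.0"/24;
}

acl specialsite2_acl {
    "127.0.0.1"/32;
    "10.0.0.0"/8;
    "12.34.56.0"/24;
}

sub check_acls {
    # Behind an ALB, client.ip is the load balancer, not the user. The ALB
    # appends the address it accepted the connection from to X-Forwarded-For,
    # so the rightmost entry is the only one it vouches for; anything to the
    # left was sent by the client. Taking the leftmost entry would let a
    # client send "X-Forwarded-For: 10.1.2.3" and pass the 10.0.0.0/8 rule.
    if (!req.http.X-Forwarded-For) {
        # No header at all: the request did not arrive via the ALB.
        return (synth(403, "Access Forbidden"));
    }
    # Scratch header (name is an assumption): everything up to the last comma
    # is stripped, leaving the ALB-appended entry.
    set req.http.X-ALB-Client = regsub(req.http.X-Forwarded-For, "^.*,[ ]*", "");

    # std.ip() hands back the fallback (0.0.0.0, which is in no ACL) when the
    # string is not an address, so a mangled header fails closed. resolve=false
    # stops it from attempting a DNS lookup on an arbitrary string.
    if (req.http.host ~ "(?i)^specialsite1\.example\.net$") {
        if (!(std.ip(req.http.X-ALB-Client, "0.0.0.0", resolve=false) ~ specialsite1_acl)) {
            return (synth(403, "Access Forbidden"));
        }
    } elseif (req.http.host ~ "(?i)^specialsite2\.example\.net$") {
        if (!(std.ip(req.http.X-ALB-Client, "0.0.0.0", resolve=false) ~ specialsite2_acl)) {
            return (synth(403, "Access Forbidden"));
        }
    } else {
        # Fail closed: an example.net host with no ACL defined here is refused
        # rather than silently exposed (stricter than the original post, which
        # let unlisted hosts through).
        return (synth(403, "Access Forbidden"));
    }
    unset req.http.X-ALB-Client;   # do not leak the scratch header to the backend
}

sub vcl_recv {
    # Only hosts under example.net are subject to the per-site ACLs.
    if (req.http.host ~ "(?i)\.example\.net$") {
        call check_acls;
    }
}
```

The single if/elseif chain is still easy to emit from a Jinja loop over a host-to-ACL mapping; the else branch is what turns a forgotten mapping entry into a denial instead of an open site. VCL strings do not interpret backslashes, so the `\.` in the host patterns reaches the regex engine unchanged.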
Re: Creating ACLs in Varnish
> Is there a better approach to this in Varnish Cache? We’re also going to be evaluating Varnish Enterprise, so if there’s something in VE, that would also be good to know.

Hello,

There are better ways to do this, but not out of the box with Varnish
Cache. You would need something like
https://code.uplex.de/uplex-varnish/varnish-objvar/ to index ACLs by
host names.

With Varnish Enterprise, you can manage this out of the box with the
combination of built-in modules vmod_aclplus and vmod_kvstore.

https://docs.varnish-software.com/varnish-cache-plus/vmods/aclplus/
https://docs.varnish-software.com/varnish-cache-plus/vmods/kvstore/

Feel free to reach out to me directly to discuss the Varnish
Enterprise solution with you.

Best Regards,
Dridi
_______________________________________________
varnish-misc mailing list
varnish-misc@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc