varnish access control
Access Control
Access Control
• IP-based access
• Basic auth
• Various cookie based access controls
IP-based ACLs

# Who is allowed to purge....
acl local {
    "localhost";
    "192.168.1.0"/24;   /* and everyone on the local network */
    ! "192.168.1.23";   /* except for the dialin router */
}

sub vcl_recv {
    if (req.method == "PURGE") {
        if (client.ip ~ local) {
            return(purge);
        } else {
            return(synth(403, "Access denied."));
        }
    }
}
Basic Auth
• Not really used
• There is a VMOD for that
Cookie based auth
• Generate random cookie
• Issue a cookie to a client
• Authenticate the user that has the cookie
Crypto-signed cookies
• Sign the cookie
• Issue to the client
• Cookie is now tamperproof
• You can also verify its origin
• Problem: Now the format of the cookie is defined in two places
Silly crypto access example
import digest;

sub vcl_recv {
    unset req.http.authstatus;   # never trust a client-supplied authstatus header
    if (req.http.signature) {
        # recompute the HMAC over username + URL with the shared secret
        set req.http.sig-verf = digest.hmac_sha256("secret", req.http.username + req.url);
        if (req.http.sig-verf == req.http.signature) {
            set req.http.authstatus = "ok";
        }
    }
    if (req.http.authstatus == "ok") {
        return(synth(200, "ok"));
    } else {
        return(synth(401, "Not ok"));
    }
}
demo
Points to remember
• If you add a random string your crypto cookie becomes really hard to crack
• Client side scripting required to manipulate the cookies
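The slides sign username + URL with an HMAC in VCL; the Python below is an added example (not the deck's code) of the same idea as a self-contained cookie: username, expiry and a random nonce are signed with HMAC-SHA256, verification uses a constant-time compare, and issuer and verifier live in one module so the cookie format is defined in exactly one place. The key "secret" is a constructed demo value.

```python
import hmac
import hashlib
import secrets
import time

# Constructed demo key; a real deployment loads this from a secret store.
SECRET_KEY = b"secret"


def issue_cookie(username, ttl=3600, now=None, key=SECRET_KEY):
    """Issue a signed cookie of the form username|expiry|nonce|hmac.

    The random nonce makes every issued cookie unique, so two logins for the
    same user never produce the same value and a captured cookie cannot be
    reconstructed from the username and expiry alone."""
    if "|" in username:
        raise ValueError("username must not contain the field separator")
    now = int(time.time()) if now is None else now
    payload = f"{username}|{now + ttl}|{secrets.token_hex(16)}"
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_cookie(cookie, now=None, key=SECRET_KEY):
    """Return the username if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    username, expiry, nonce, sig = parts
    payload = f"{username}|{expiry}|{nonce}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # compare_digest checks the signature before anything else and does not
    # leak how many leading bytes matched through timing
    if not hmac.compare_digest(expected, sig):
        return None
    if not expiry.isdigit() or int(expiry) < now:
        return None
    return username
```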
Example 2
“Sharing cookie formats across services is bad”
Best of both worlds
• Login-service does auth and issues cookie
• Varnish verifies cookie against API
• Varnish issues its own cookies to track state
Architecture
Architecture diagram: client, Varnish, auth service, content backend
Varnish auth toolkit, aka Varnish Paywall
Key design decisions
• Access control is either metered or subscription based
• Product IDs - different subscription offerings
• Article IDs - unique article ID for metering
• Auth through cookie and API
How is it built?
• Digest VMOD - Crypto
• Header VMOD - Managing multiple headers w/same name
• Variable VMOD - configuration and state
• Paywall VMOD - misc
• Opt. Memcached VMOD - store quota data in Memcached
Backend header example
• X-Access-Control: subscription,metered
• X-Aid: 1234
• X-Auth-Failed: /login.html
• X-Pids: 23,55
Auth server interface
• Input: vpw_id (cookie from SSO)
• VPW-Allowed-Pids: 75,23
• VPW-TTL: 30
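The two header sets above (backend headers and the auth server's answer to a vpw_id) are all the deck gives of the protocol; the Python below is an added example, not the Paywall VMOD's code, of the decision Varnish would take from them. It assumes that subscription access is granted when X-Pids and VPW-Allowed-Pids share a product id, that metered access counts distinct X-Aid values against a quota, that VPW-TTL says how long the auth answer may be cached, and that denied readers go to X-Auth-Failed.

```python
import time

# Assumed semantics of the slide's headers (this is not the VMOD's own logic):
# X-Access-Control lists the modes an article accepts, X-Pids the product ids
# that unlock it, X-Aid identifies the article for metering, X-Auth-Failed is
# where unauthorised readers are sent. The auth API answers a vpw_id cookie with
# VPW-Allowed-Pids (the user's products) and VPW-TTL (seconds to cache it).


def parse_ids(value):
    """'23, 55' -> {'23', '55'}; ids are comma separated in the headers."""
    return {p.strip() for p in value.split(",") if p.strip()}


def lookup_auth(vpw_id, fetch, cache, now=None):
    """Return the auth API's headers for a vpw_id, caching them for VPW-TTL
    seconds so the API is not hit on every request. fetch(vpw_id) returns the
    header dict, or None when the login service does not know the cookie."""
    now = time.time() if now is None else now
    hit = cache.get(vpw_id)
    if hit is not None and hit[0] > now:
        return hit[1]
    headers = fetch(vpw_id)
    ttl = int(headers.get("VPW-TTL", "0")) if headers else 0
    cache[vpw_id] = (now + ttl, headers)
    return headers


def paywall_decision(backend, auth, views, quota=5):
    """Decide access for one response. backend: the content backend's headers,
    auth: headers from lookup_auth (None without a valid cookie), views: set of
    article ids this client already read (metering state, kept in Varnish's own
    cookie or Memcached). Returns (allowed, reason, redirect)."""
    modes = parse_ids(backend.get("X-Access-Control", ""))
    if not modes:
        return True, "free", None  # no access-control header: public article
    if "subscription" in modes and auth is not None:
        if parse_ids(auth.get("VPW-Allowed-Pids", "")) & parse_ids(backend.get("X-Pids", "")):
            return True, "subscription", None
    if "metered" in modes:
        aid = backend.get("X-Aid")
        # re-reading an already counted article is free; new ones consume quota
        if aid is not None and (aid in views or len(views) < quota):
            views.add(aid)
            return True, "metered", None
    return False, "denied", backend.get("X-Auth-Failed", "/login.html")
```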
Demo
Q&A