When I read these messages, there's something I miss, too: some function in varnishd similar to lighty/apache mod_evasive. It gives you the possibility of creating dynamic blocking of IPs depending on hit/connection rate.
How can varnishd help me prevent DDoS / DoS attacks?

Regards
Mike Schiessl
[email protected]
http://makeITyourway.de

-----Original Message-----
From: [email protected] [mailto:[email protected]] On behalf of Ken Brownfield
Sent: Sunday, 10 January 2010 04:28
To: pub crawler
Cc: [email protected]
Subject: Re: Varnish poisoned cache avoidance

Have the application emit a cache pragma or expires to make the BANNED page non-cacheable. Alternatively, you could have the app emit an Expires header to cause the browser to cache the result, but also add a header that would trigger Varnish to /not/ cache it.

Looking at your previous posts, make sure you don't try to pull app logic up into caches, firewalls, or load balancers -- it will hurt you later, IMHO. The application is the definitive source of cacheability. Varnish/etc offer tools to tweak this, but the logic really belongs in the app and widely supported cache headers.

As an alternate IP blocking implementation, you could create a list of banned IPs in a file that your VCL includes; a Varnish reload causes essentially no outage. But then you're adding an extra linear lookup for /every/ hit to Varnish.

My US$0.02,
-- Ken

On Jan 9, 2010, at 10:59 AM, pub crawler wrote:

> We have some ban / block logic in our application server behind
> Varnish. For instance, when we have a comment spammer or other
> repetitive troublemaker messing with our applications we ban their IP
> in our application server.
>
> A person or bot returning after being blocked will still reach our app
> server, but it just returns a page that says BANNED.
>
> We had such a banned IP request a page and subsequently I requested
> the same page and was given the BANNED message as it was sitting in
> Varnish cache - even though my IP is not banned.
>
> My question here is how best to prevent this and what sort of
> workaround other folks have for this?
>
> I've considered banning at our firewall level, but it's too time
> consuming to do so and the block lists are so long that it really
> causes the firewall to take forever to restart from cold reboot.
> Originally I had blocked at the firewall, so I've been down that road.
>
> Any input would be greatly appreciated...
>
> -Paul
> _______________________________________________
> varnish-misc mailing list
> [email protected]
> http://projects.linpro.no/mailman/listinfo/varnish-misc

--
kb
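The two approaches Ken describes, shown as an added VCL example that is not part of the thread and not code from the Varnish project. It uses VCL 4.x syntax (the thread dates from the Varnish 2 era, where the equivalent hooks were vcl_fetch and vcl_error and the syntax differed). The backend address, the addresses in the acl (documentation ranges), and the X-Varnish-No-Cache marker header are assumptions for illustration.

```vcl
vcl 4.0;

backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

# Ken's second suggestion: the ban list lives in Varnish, not in the app.
# Assumed addresses. In production this acl would sit in its own file and be
# pulled in at top level with   include "/etc/varnish/banned.vcl";
# so that varnishadm vcl.load / vcl.use picks up edits without an outage.
acl banned {
    "192.0.2.10";
    "198.51.100.0"/24;
}

sub vcl_recv {
    # Refuse banned clients before any cache lookup. A synthetic response is
    # generated per request and never stored, so it cannot be served to
    # another visitor the way the backend's BANNED page was.
    if (client.ip ~ banned) {
        return (synth(403, "Forbidden"));
    }
}

sub vcl_synth {
    if (resp.status == 403) {
        set resp.http.Content-Type = "text/plain; charset=utf-8";
        set resp.http.Cache-Control = "no-store";
        synthetic("BANNED");
        return (deliver);
    }
}

sub vcl_backend_response {
    # Ken's first suggestion: the application decides cacheability. Varnish's
    # built-in vcl_backend_response already marks a response carrying
    # Cache-Control: no-store, no-cache or private as uncacheable, so an app
    # that sends "Cache-Control: private, max-age=3600" with the BANNED page
    # lets the banned user's browser keep it while Varnish does not.
    #
    # The "Expires for the browser, but a separate header for Varnish" variant,
    # with an assumed marker header the app sets only on the BANNED page:
    if (beresp.http.X-Varnish-No-Cache) {
        # hit-for-miss: remember for two minutes that this URL is not
        # cacheable so later requests for it go straight to the backend
        # instead of queueing behind each other.
        set beresp.uncacheable = true;
        set beresp.ttl = 120s;
        unset beresp.http.X-Varnish-No-Cache;
        return (deliver);
    }
}

sub vcl_deliver {
    # Belt and braces: an internal marker must never reach clients.
    unset resp.http.X-Varnish-No-Cache;
}
```

Two practical notes. Varnish's built-in VCL reads Cache-Control (and Expires / s-maxage / max-age for the TTL) but does not act on a Pragma header, so the application should emit Cache-Control rather than Pragma: no-cache to keep the BANNED page out of the cache. And client.ip is the address of whatever connects to Varnish; if a load balancer sits in front, the acl check above would match the balancer, not the visitor, and the real address would have to be taken from X-Forwarded-For (for example via std.ip() from vmod_std) before the comparison.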
