Hi Laurence,

Caching personalised content that uses cookies for identification is already possible with a bit of VCL magic. But, this is cached based upon a hash of their cookies, so if they open lots of browser sessions (with different cookies), then you get multiple copies of the content per user, which is a bad thing!
So yes, if we could effectively put an SSO agent (that could validate tokens/tickets and extract the authenticated username) then you could cache on a per user basis (which would also be a use case I'd be interested in). Or, perhaps even more preferably, cached based upon a group or role basis (providing that data was made available).

Anyway, I think I'm going to give this a shot. I'll probably start by trying to write a simple agent that makes calls against Sun's OpenSSO REST services (as that's where I have the most experience).

Thanks,

Sam

2010/1/26 Laurence Rowe <l...@lrowe.co.uk>:
> I keep meaning to look into mod_auth_tkt
> (http://www.openfusion.com.au/labs/mod_auth_tkt/) support for varnish.
> It should be fairly easy to implement with inline C and doing so would
> allow us to cache pages that require authorisation (by matching tokens
> in the signed cookie to tokens in an obj header.) So in principle I
> think it's a good idea.
>
> Laurence
>
> 2010/1/26 Sam Crawford <samcrawf...@gmail.com>:
>> Any thoughts anyone? Good idea / bad idea?
>>
>> Thanks,
>>
>> Sam
>>
>>
>> 2010/1/23 Sam Crawford <samcrawf...@gmail.com>:
>>> Evening all,
>>>
>>> I've been an avid Varnish user both personally and at work for a
>>> couple of years now. At work we use it to cache content across our
>>> global intranet, handling a few million requests per day. At present,
>>> we have the following logical setup...
>>>
>>> F5 GTM (GSLB device) > F5 load balancer > Varnish > In-house Java
>>> Reverse Proxy > Backend applications (hundreds)
>>>
>>> Varnish and the in-house reverse proxy reside on the same servers,
>>> with varnish having a single backend pointing at the in-house reverse
>>> proxy (the F5s handle failover between instances).
>>>
>>> The in-house Java reverse proxy performs a range of functions,
>>> including (but certainly not limited to):
>>>
>>> * Authenticating/authorising users via our Single Sign On service
>>> * Header injection to help backend applications identify users
>>> * Catching cookies from backend applications and delivering a single
>>> pointer cookie back to clients
>>>
>>> I've been wondering if we could write some C extensions to Varnish to
>>> remove the need for the Java reverse proxy. This would help flatten
>>> the infrastructure and save on latency (which is pretty important for
>>> us). The standard Varnish VCL capabilities would meet many of our
>>> requirements, but for some functions we'd certainly need to write
>>> extensions (such as making an out-of-band HTTP request to an SSO
>>> server in order to validate an SSO cookie (which we'd also need to
>>> cache!)).
>>>
>>> Whilst I know it's technically feasible for us to do this, I was
>>> wondering (a) if anyone is already doing something similar and (b) if
>>> the community thinks I'm completely mad for even thinking about
>>> doing it :-)
>>>
>>> Thanks,
>>>
>>> Sam
>>>
>> _______________________________________________
>> varnish-misc mailing list
>> varnish-misc@projects.linpro.no
>> http://projects.linpro.no/mailman/listinfo/varnish-misc
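
The cache-key choice discussed in this thread, as an added Python example that is not code from either poster or from Varnish: keying on the raw Cookie header stores one copy per browser session, while keying on a username or role taken from a verified ticket stores one copy per user or per role, and a ticket that fails verification gets no key at all. The `user|roles|mac` ticket layout, the `sso` cookie name and the shared secret are constructed assumptions, not the mod_auth_tkt or OpenSSO format.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: key shared with the SSO service

def sign(user, roles):
    """Issue a constructed ticket 'user|role,role|hexmac' (not a real SSO format)."""
    body = f"{user}|{','.join(sorted(roles))}"
    return f"{body}|{hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()}"

def validate(ticket):
    """Return (user, roles) if the MAC verifies, else None."""
    parts = ticket.split("|")
    if len(parts) != 3 or not parts[0]:
        return None
    user, roles, mac = parts
    good = hmac.new(SECRET, f"{user}|{roles}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), good.encode()):
        return None
    return user, tuple(r for r in roles.split(",") if r)

def parse_cookies(header):
    """Split a Cookie header into a name -> value dict."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {name: value for name, value in pairs}

def cache_key(url, cookie_header, mode):
    """mode 'cookie' hashes the raw header; 'user' and 'role' use the verified ticket."""
    if mode == "cookie":
        ident = cookie_header
    else:
        who = validate(parse_cookies(cookie_header).get("sso", ""))
        if who is None:
            return None  # unverified identity: bypass the personalised cache
        ident = who[0] if mode == "user" else ",".join(who[1])
    return hashlib.sha256(f"{mode}\0{url}\0{ident}".encode()).hexdigest()

# Constructed sample requests: alice in two browser sessions, bob in one, one tampered ticket.
URL = "/intranet/home"
T_ALICE, T_BOB = sign("alice", ["staff"]), sign("bob", ["staff"])
A1 = f"JSESSIONID=aaa111; sso={T_ALICE}"
A2 = f"JSESSIONID=bbb222; sso={T_ALICE}"
B1 = f"JSESSIONID=ccc333; sso={T_BOB}"
FORGED = f"JSESSIONID=ddd444; sso={T_ALICE.replace('alice', 'bob', 1)}"

if __name__ == "__main__":
    for mode in ("cookie", "user", "role"):
        keys = {cache_key(URL, c, mode) for c in (A1, A2, B1)}
        print(mode, "distinct cached copies:", len(keys))
    print("forged ticket key:", cache_key(URL, FORGED, "user"))
```

Role-keyed caching is only safe for pages whose content depends on the role alone; anything that embeds the username still needs the per-user key.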