Urg, can't believe I didn't figure this out originally... my Varnish server is
behind a load balancer (LB), so it wasn't seeing the true IP of the client
request: client.ip was the LB's address, which evidently matched the purge ACL.

--
Chad

From: [email protected]
To: [email protected]
Subject: purge ACL not being enforced
Date: Thu, 11 Apr 2013 17:25:47 -0700







We're running 3.0.3 and our config is set up to enforce an ACL for purges, but 
I recently discovered that it has no effect - purges are successful regardless 
of the origin IP. The config is using the example from the documentation and 
I've been unable to determine why it's not working. Any help would be 
appreciated; VCL is below.

Thanks,
Chad

# Addresses allowed to issue PURGE; referenced by the client.ip check in vcl_recv.
# NOTE(review): the ACL is matched against the address of the peer that connects
# to Varnish. If a load balancer or proxy inside 10.0.0.0/16 forwards traffic
# here, every request arriving through it matches this ACL.
acl purge {
    "localhost";
    "10.0.0.0"/16;
}

# Origin selected in vcl_recv for hosts ending in somecompany.com
# (after the two static.* rules have been tried).
backend sc {
        .host = "39.22.194.41";
        .port = "80";
}

# Origin selected in vcl_recv for static.*somecompany.com hosts.
backend scstatic {
    .host = "10.0.2.109";
    .port = "80";
}

# Origin selected in vcl_recv for static.pub-ecommerce.somecompany.com.
backend ecommerce_ext {
    .host = "39.22.194.40";
    .port = "80";
}

# Request entry point: filters HTTP methods, enforces the purge ACL, answers the
# status URL, strips cookies, picks a backend from the Host header and then
# returns (lookup). An allowed PURGE falls through to the lookup so that
# vcl_hit / vcl_miss can perform the purge.
sub vcl_recv {

        # Any method not listed here is piped straight through.
        if (req.request != "GET" &&
          req.request != "HEAD" &&
          req.request != "PUT" &&
          req.request != "POST" &&
          req.request != "TRACE" &&
          req.request != "OPTIONS" &&
          req.request != "PURGE" &&
          req.request != "DELETE") {
                /* Non-RFC2616 or CONNECT which is weird. */
                return (pipe);
        }

    if (req.request == "PURGE") {
        # NOTE(review): client.ip is the address of the peer that opened the
        # connection to Varnish, not necessarily the originating client. Behind
        # a load balancer or reverse proxy it is the proxy's address, so if that
        # address is inside the purge ACL this check passes for every PURGE,
        # whatever its real origin. In that topology the decision has to be made
        # on the client address the proxy reports (a header such as
        # X-Forwarded-For is only trustworthy if the proxy overwrites whatever
        # the client sent), or PURGE has to be blocked at the proxy and accepted
        # only on a path that bypasses it.
        if (!client.ip ~ purge) {
            error 405 "Not allowed.";
        }
    } else if (req.request != "GET" && req.request != "HEAD") {
                /* We only deal with GET and HEAD by default */
                /* PUT, POST, TRACE, OPTIONS and DELETE are rejected here
                   rather than passed to the backend. */
                #return (pass);
                error 500 "Unknown method.";
        }
        # Disabled: the stock rule that passes requests carrying credentials.
        #if (req.http.Authorization || req.http.Cookie) {
        #       /* Not cacheable by default */
        #       return (pass);
        #}

    # Status URL answered by Varnish itself, without contacting a backend.
    if (req.url == "/sc_status.php") {
        error 200 "okay.";
    }

    # remove cookies for all static content
    # NOTE(review): the unset is unconditional, so it applies to every request
    # that reaches this point, not only to static hosts.
    unset req.http.Cookie;

    # Backend selection by Host; the header is rewritten to the canonical name.
    # NOTE(review): the dots in the two regex patterns are unescaped, the first
    # pattern is not anchored at either end and the second only at the end, so
    # they match more Host values than the literal names suggest - confirm that
    # is intended.
    if (req.http.Host == "static.pub-ecommerce.somecompany.com") {
        set req.backend = ecommerce_ext;
        set req.http.Host = "pub-ecommerce.somecompany.com";
    } else if (req.http.Host ~ "static.(.*\.)?somecompany.com") {
        set req.backend = scstatic;
        set req.http.Host = "www.somecompany.com";
    } else if (req.http.Host ~ "somecompany.com(:[0-9]+)?$") {
                set req.backend = sc;
                set req.http.Host = "www.somecompany.com";
    } else {
                error 404 "Unknown virtual host.";
        }

        return (lookup);
}

# Post-fetch handling: drops Set-Cookie from every backend response and gives
# error responses a short TTL.
sub vcl_fetch {
        # Cookies are never stored or forwarded from the backend.
        unset beresp.http.Set-Cookie;
    
    # Cache 4xx and 5xx responses for 30 seconds (both branches set the same TTL).
    if (beresp.status >= 400 && beresp.status < 500) {
        set beresp.ttl = 30s;
    } else if (beresp.status >=500 && beresp.status < 600) {
        set beresp.ttl = 30s;
    }
}

# Adds an X-Backend response header carrying server.identity.
# NOTE(review): this header goes to every client and reveals an internal
# identifier; confirm it is needed outside debugging.
sub vcl_deliver {
    set resp.http.X-Backend = server.identity;
}

# Cache hit: a PURGE request purges the object and is answered with 200.
# No ACL is checked here; authorization rests entirely on the check in vcl_recv.
sub vcl_hit {
    if (req.request == "PURGE") {
        purge;
        error 200 "Purged HIT.";
    }
}

# Cache miss: a PURGE request still issues purge and is answered with 200.
# No ACL is checked here; authorization rests entirely on the check in vcl_recv.
sub vcl_miss {
    if (req.request == "PURGE") {
        purge;
        error 200 "Purged MISS.";
    }
}


                                          
