
Varnish VCL to get a header from the origin and associate it with a sessionid for future cache lookups

Question


We have a number of user roles, and would like Varnish to cache the authenticated pages as many users are in each role.

In theory, we could add the role code to the request, e.g., as a cookie, then strip the sessionid and use that role code value in the key when storing the page in cache. But this opens a security hole, if someone copies the role code into their cookie.

Could the origin server add a header to the response with the role key, and Varnish extract it (on first delivery to that session), and associate it with a sessionid, in private, shared Varnish server memory space, and then when a future request from this session comes in, look up the role code based on sessionid, and use that to construct the cache key?

This seems secure, as Varnish only trusts the role from the origin, but is it possible?

Or is there a better way?


Answer 1

Score: 1


Hmm... you might try to transform your Varnish into an API gateway via vmod_curl (open source). It would be easier/safer with the Varnish Software/Enterprise modules (vmod_http and vmod_headerplus).

So the end user is getting an authorization bearer, which might be safe, and the Varnish cache is hashed with roles (which are expected to be fewer than the users).

very roughly:

vcl 4.0;
import curl;

sub vcl_recv {
   if (req.http.authorization) {
      # keep only the token part of "Bearer <token>" (\1 is the captured group;
      # an empty replacement would always leave this header empty)
      set req.http.bearer-authorization = regsub(req.http.authorization, "^Bearer (.*)$", "\1");
      if (req.http.bearer-authorization) {
         # ask the OAuth server which roles this token carries
         curl.header_add("Authorization: Bearer " + req.http.bearer-authorization);
         curl.get("https://myoauthwebsite/oauth");
         if (curl.status() == 200) {
            set req.http.x-roles = curl.body();
         }
         curl.free();
         unset req.http.bearer-authorization;
      }

      unset req.http.authorization; # without the unset, no-cache

      ...
   }
}

sub vcl_hash {
   # add the roles returned by the OAuth server to the cache key
   if (req.http.x-roles) {
      hash_data(req.http.x-roles);
   }
}

To achieve high rates, you might also put your OAuth server behind your Varnish configuration (so your curl would be something like curl("127.0.0.1")).

As Nils explained, you might also store everything in a JWT token.
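As an added example (not code from the question, the answer, or Varnish itself), the following Python model compares the three ways of keying the cache by role that this page discusses: a client-supplied role cookie (the hole the question describes), the origin-asserted role bound to a sessionid in edge-private state (the question's proposal), and a signed role token verified at the edge (the JWT approach the answer mentions). The origin, the `X-Role` header name, the session table, the page bodies and the signing key are all constructed for the demo and are assumptions, not anything from the page.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data, not taken from the page: what the origin knows about
# each session, and one page body per role.
SESSION_ROLES = {"sess-alice": "editor", "sess-bob": "viewer", "sess-carol": "editor"}
PAGES = {"editor": "<editor dashboard>", "viewer": "<viewer dashboard>"}


def origin(session_id):
    """Origin server: resolves the session, returns the page for that session's
    role and announces the role in an X-Role response header (the header the
    question proposes; the name is an assumption)."""
    role = SESSION_ROLES.get(session_id)
    if role is None:
        return 401, {}, "unauthorized"
    return 200, {"X-Role": role}, PAGES[role]


class Edge:
    """Toy model of the caching edge (stands in for Varnish).

    trust_client_role=True  -> the role comes from a client-supplied cookie
                               (the scheme the question rejects).
    trust_client_role=False -> the role is learned from the origin's X-Role
                               header and bound to the sessionid in edge-private
                               state (the scheme the question proposes).
    """

    def __init__(self, trust_client_role):
        self.trust_client_role = trust_client_role
        self.cache = {}         # (url, role) -> body; the sessionid is not part of the key
        self.session_role = {}  # sessionid -> role, visible only to the edge
        self.origin_hits = 0

    def request(self, url, cookies):
        sid = cookies.get("sessionid")
        if self.trust_client_role:
            role = cookies.get("role")          # whatever the client claims
        else:
            role = self.session_role.get(sid)   # only what the origin told us earlier
        if role is not None and (url, role) in self.cache:
            return 200, self.cache[(url, role)]
        self.origin_hits += 1
        status, headers, body = origin(sid)
        if status != 200:
            return status, body
        if not self.trust_client_role:
            role = headers["X-Role"]            # trust the origin, remember it per session
            self.session_role[sid] = role
        self.cache[(url, role)] = body
        return 200, body


SIGNING_KEY = b"constructed-demo-key"  # constructed; shared by origin and edge


def issue_role_token(role):
    """Origin side: a minimal JWT-like token, <base64 payload>.<HMAC-SHA256>."""
    payload = base64.urlsafe_b64encode(json.dumps({"role": role}).encode()).decode()
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def role_from_token(token):
    """Edge side: only a token the origin signed yields a role; a tampered or
    hand-made token yields None and the request would fall back to the origin."""
    payload, _, sig = token.partition(".")
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["role"]


def demo():
    # Alice (editor) warms the cache; Bob (viewer) copies her role cookie.
    naive = Edge(trust_client_role=True)
    naive.request("/dash", {"sessionid": "sess-alice", "role": "editor"})
    _, leaked = naive.request("/dash", {"sessionid": "sess-bob", "role": "editor"})

    bound = Edge(trust_client_role=False)
    bound.request("/dash", {"sessionid": "sess-alice", "role": "editor"})
    _, served = bound.request("/dash", {"sessionid": "sess-bob", "role": "editor"})
    # Carol is a second editor: her first request must reach the origin so the
    # edge can learn her role; after that she is served from Alice's entry.
    bound.request("/dash", {"sessionid": "sess-carol"})
    bound.request("/dash", {"sessionid": "sess-carol"})

    # A viewer token with its payload swapped for "editor" but the old signature.
    forged_payload = base64.urlsafe_b64encode(json.dumps({"role": "editor"}).encode()).decode()
    tampered = forged_payload + "." + issue_role_token("viewer").split(".")[1]
    return {
        "naive_serves_bob": leaked,
        "bound_serves_bob": served,
        "bound_origin_hits": bound.origin_hits,
        "token_ok": role_from_token(issue_role_token("editor")),
        "token_tampered": role_from_token(tampered),
    }
```

Two properties of the session-binding scheme show up in the numbers: Bob's copied cookie no longer selects Alice's cached page, but every session's first request still has to reach the origin so the edge can learn its role, and the sessionid-to-role table lives only in that one edge's memory. The signed token avoids both the per-session warm-up and the shared state, at the cost of the edge holding the verification key.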

huangapple
  • This post was published on 2023-04-04 16:22:06
  • Please keep this link when reposting: https://go.coder-hub.com/75927073.html