SSL Redirection and Basic Auth in Varnish

Varnish has proven itself to be quite brilliant and blindingly fast when it comes to caching. Quite recently I was in a situation where varnish was used as a frontend with nginx serving out a webapp and node serving out API services. The requirements for varnish were to honour cache headers churned out by the application, redirect all incoming requests to https and have basic auth in place.

 Now varnish doesn't ssl redirect out of the box nor does it have a straight forward way of putting basic auth in place.

 In order to handle SSL Redirection, this is the most promising solution I found.
In the vcl_recv segment, right at the beginning put the following condition
sub vcl_recv {
  # SSL redirection
  if ( req.http.host ~ "^(?i)(www\.)?.*(\.<domain>)" && req.http.X-Forwarded-Proto !~ "(?i)https" ) {
    set req.http.x-Redir-Url = "https://" + req.http.host + req.url;
    error 750 req.http.x-Redir-Url;
  }
...
return (lookup);  
}
In the vcl_error segment, define the error and operation
sub vcl_error {
  if (obj.status == 750) {
    set obj.http.Location = obj.response;
    set obj.status = 302;
  }
...
return (deliver);
}
This means any request coming for http://www.<domain> or http://<domain> would be captured under error code 750 and as a part of error handling redirected to the SSL listener with HTTP status 302. Much detailed examples of redirection can be found at Redirect In VCL

 The next issue to address is of Basic Auth. There can be a few scenarios to this.

 Scenario 1: All incoming requests should pass through Basic Auth.

 Generate Base64 Basic Auth via command line.
$ echo -n "user:password" | base64

 In the vcl_recv, after the SSL redirection include the following logic
sub vcl_recv {
  if ( req.http.Authorization !~ "Basic dXNlcjpwYXNzd29yZA==" #user:password
  ) {
   error 401 "Restricted";
  }
...
return (lookup);  
}

 Scenario 2: All incoming requests except a defined ACL should pass through Basic Auth.

 At the beginning of the vcl define an ACL with the host IPs allowed without basic auth.
acl localhost {
  "localhost";
  "127.0.0.1";
}
Modify the vcl_recv as below
sub vcl_recv {
  if ( client.ip !~ localhost && req.http.Authorization !~ "Basic dXNlcjpwYXNzd29yZA==" #user:password
  ) {
   error 401 "Restricted";
  }
...
return (lookup);  
}

 Scenario 3: All incoming requests except for a few specific requests should pass through Basic Auth.

 sub vcl_recv {
  if ( req.url !~ "/version" && req.http.Authorization !~ "Basic dXNlcjpwYXNzd29yZA==" #user:password
  ) {
   error 401 "Restricted";
  }
...
return (lookup);  
}

Comments

Post a Comment

Popular posts from this blog

To DR or Not To DR

Image
Most organizations these days look at strategies and ways of implementing a "working" DR solution. Often a DR plan of action is a manual process based on multiple approvals at each level from Incident Management Teams to Product Ownership teams. What if there was a way to keep an active DR running where failure of a primary site would seamlessly transfer the traffic to the secondary site. In fact if the DR is active or warm then the only manual bit would be disabling the primary site via DNS. A few tips and tricks that would help in a simple implementation of a warm DR for an application hosted on AWS. AMI  Make sure that the AMIs are built across both the primary and secondary region.  The fastest way to build multi-region AMIs would be to use different builds for each region using the same configuration management code altering the "REGION" parameter each time. This would make the AMIs consistent and available in each region. PACKAGE REPOSITORY
Read more

High Availability NAT for AWS VPC with Multiple Private Subnets.

Image
VPCs have become the de-facto architectural choice when deploying enterprise applications. They are highly secure, keep your infrastructure logically separated which when combined with the power that AWS has to offer become highly available and robust. The one thing, however, that still feels like a point of failure are the NAT instances that need to be created for all private subnet outbound connectivity to the internet or any service that is external to the VPC. This brings us to create a sort of NAT failover mechanism. High Availability for Amazon VPC NAT Instances by Jinesh Varia offers a solution for a simple VPC that has active NATs per private subnet and each keeps pinging the other till one of them loses connectivity. The active NAT, at that moment, "takes over" the route for the failed NAT. An edge case to this solution is when you have private subnets per AZ and there is a loss of connectivity between AZs. We were faced with the same issue, which brought the t
Read more

Load Balancer with SSL offloading - nginx + HAProxy

Image
HAProxy and nginx can be configured together to work as an SSL offloader and a load balancer. Listed below are the steps to achieve the same on a centOS instance. Assume 192.168.1.1 and 192.168.1.2 running web servers on port 80 and 192.168.1.3 running haproxy on port 8181. Starting with HAPROXY set up. 1.  Install haproxy.        yum install -y haproxy 2.  Edit the haproxy configuration to update the backend web servers and keep it at the basic log level.     global   log 127.0.0.1   local2   chroot          /var/lib/haproxy   pidfile         /var/run/haproxy.pid   maxconn         4096   user            haproxy   group           haproxy   daemon   defaults                      mode            http   log             global   option          httplog   option          dontlognull   option          http-server-close   option          forwardfor except 127.0.0.0/8   option          redispatch   retries         3   timeout         http-request    20s   timeout        
Read more