Access control
0 likes139 views
This document discusses different access control methods for purging content in Varnish, including IP-based access control, basic authentication, and cookie-based access control. It argues that cookie-based access control provides the optimal solution, describing how to generate and authenticate random cookies signed with a secret key to control access. The document then outlines how this approach is used to build a "Varnish auth tool kit" or "VARNISH PAYWALL" system for metered or subscription-based access control of content.
Access control
- 3. AGENDA ! IP-based ! Basic auth ! Cookie access control ! Optimal solution
- 4. IP-based
- 5. # Who is allowed to purge acl local { “localhost”; “192.168.1.0”/24; /* and everyone on the local network */ ! “192.168.1.23”; /* except for the dialin router */ } sub vcl_recv { if (req.method == “PURGE”) { if (client.ip ~ local) { return(purge); } else { return(synth(403, “Access denied”)); } } }
- 6. BASIC AUTH
- 7. ! Not really used ! There is a VMOD for that
- 9. ! Generate random cookie ! Issue a cookie to a client ! Authenticate the user that has that cookie ! The cookie can be signed
- 10. sub vcl_recv { unset req.http.authstatus; if (req.http.signature) { set req.http.sig-verf = digest.hmac_sha256("key", "The quick brown fox jumps over the lazy dog"); if (req.http.sig-verf == req.http.signature) { set req.http.authstatus = "ok"; } } if (req.http.authstatus == "ok") { return(synth(200, "ok")); } else { return(synth(401, "not ok")); } }
- 11. DEMO
- 12. “Sharing cookie formats across services is bad”
- 13. BEST OF BOTH WORLDS ! Login-service does auth and issues cookie ! Varnish verifies cookie against API ! Varnish issues its own cookies to track state
- 14. ARCHITECTURE
- 15. Varnish auth tool kit Aka VARNISH PAYWALL
- 16. KEY DESIGN DECISIONS ! Access control is either metered or subscription based ! Products IDs - different subscription offerings ! Article IDs - unique article ID for metering ! Auth through cookie and API
- 17. HOW IS IT BUILT? ! Digest VMOD - Crypto ! Header VMOD - Managing multiple header w/same name ! Variable VMOD - configuration and state ! Paywall VMOD - misc ! Opt. Memcached VMOD - store quota data in Memcached
- 18. BACKEND HEADER ! X-Access-Control: subscription, metered ! X-Aid: 1234 ! X-Auth-Failed: /login.html ! X-Pids: 23, 55
- 19. AUTH SERVER INTERFACE ! Input: vpw_id (cookie from SSO) ! VPW-Allowed-Pids: 75, 23 ! VPW-TTL: 30
- 20. LOGGED-IN USER
- 21. LOGGED-IN USER
- 22. STEP 1
- 23. STEP 2
- 24. STEP 2
- 25. STEP 3
- 26. STEP 3
- 27. STEP 4
- 28. ANONYMOUS USER REQUESTS METERED PAGE
- 29. STEP 1-2 2
- 30. STEP 1-2
- 31. STEP 3
- 32. STEP 3
- 33. STEP 4 4
- 34. STEP 4
- 35. STEP 5 4
- 36. STEP 5
- 37. STEP 6
- 38. STEP 6
- 39. Q&A
- 40. Thanks :)