Using varnish and vouch-proxy together

Tom Anheyer | BerlinOnline tom.anheyer at berlinonline.de
Tue Jul 26 07:01:28 UTC 2022


Hello,

I am trying to use vouch-proxy and varnish (v7) together to build an authorisation
proxy. vouch-proxy is written to work with nginx's ngx_http_auth_request_module.

https://github.com/vouch/vouch-proxy
https://nginx.org/en/docs/http/ngx_http_auth_request_module.html

Idea:

inspired by
https://web.archive.org/web/20121124064818/https://adayinthelifeof.nl/2012/07/06/using-varnish-to-offload-and-cache-your-oauth-requests/

- use varnish request restart feature
- intercept original client request and make a GET request to vouch-proxy
validate endpoint
- when validated restore the original request and do a restart 

in detail:

# vcl_recv
#   restarts == 0
#       save req method, url, Content-Length, Content-Type in var
#       method := GET
#       url := /validate
#       backend := vouch-proxy
#       remove Content-Length, Content-Type
#   restarts > 0
#       check vouch-proxy headers (roles, groups)
#
# vcl_deliver
#   resp == vouch-proxy,GET,/validate,200
#       restore req method, url, Content-Length, Content-Type from var
#       forward vouch-proxy response headers to req
#       restart (original) req

see attached common-vouch-proxy.vcl

It works for client requests without a request body (GET, HEAD, …) but not for
POST, PUT, …. POST and PUT run into timeouts, so I think the request body is lost in
the restarted request. Why is the body gone after the restart?

I think it should work with the curl vmod but this is not integrated yet.

Thank you very much in advance
tom

-- 
Tom Anheyer
Senior Developer

BerlinOnline Stadtportal GmbH & Co. KG
Stefan-Heym-Platz 1
10365 Berlin
Germany

Tel.: +49 30 2327-5210
Fax: +49 30 5771180-95
E-Mail: tom.anheyer at berlinonline.de

berlin.de | berlinonline.net

Amtsgericht Berlin-Charlottenburg, HRA 31951
Registered office: Berlin,
Germany
VAT ID: DE219483549

General partner:
BerlinOnline Stadtportalbeteiligungsges. mbH
Amtsgericht Berlin-Charlottenburg, HRB 79077
Registered office: Berlin, Germany

Management: Olf Dziadek, Andreas Mängel
Acting Chairman of the Supervisory Board: Lothar Sattler
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: common-vouch-proxy.vcl
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-misc/attachments/20220726/81db98ec/attachment.ksh>
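
The restart flow outlined in the message, written out as an added VCL example; it is not the poster's attached common-vouch-proxy.vcl and not code from the Varnish or vouch-proxy projects. Assumptions: the backend names and addresses, the internal header names X-Orig-Method, X-Orig-Url and X-Auth-Done, the 1MB limit, and that buffering the body with std.cache_req_body lets it be replayed after the restart. Unlike the outline, it drops the body for the /validate call with unset bereq.body instead of removing Content-Length and Content-Type.

```vcl
vcl 4.1;
import std;

# Hypothetical backends; hosts and ports are placeholders.
backend app   { .host = "127.0.0.1"; .port = "8080"; }
backend vouch { .host = "127.0.0.1"; .port = "9090"; }

sub vcl_recv {
    if (req.restarts == 0) {
        # Strip client-supplied copies of the internal headers so they cannot be spoofed.
        unset req.http.X-Orig-Method;
        unset req.http.X-Orig-Url;
        unset req.http.X-Auth-Done;
        unset req.http.X-Vouch-User;
        # Assumption: buffer the body now so it is still available after the restart.
        if (req.http.Content-Length || req.http.Transfer-Encoding) {
            if (!std.cache_req_body(1MB)) { return (synth(413, "Request body too large")); }
        }
        # Save the original request line, then turn the request into GET /validate.
        set req.http.X-Orig-Method = req.method;
        set req.http.X-Orig-Url = req.url;
        set req.method = "GET";
        set req.url = "/validate";
        set req.backend_hint = vouch;
        return (pass);   # never cache one user's validation result for another
    }
    # restarts > 0: continue only if vcl_deliver marked the request as validated.
    if (!req.http.X-Auth-Done) { return (synth(403, "Forbidden")); }
    unset req.http.X-Auth-Done;
    set req.backend_hint = app;
    # Role or group checks on the forwarded vouch-proxy headers would go here.
}

sub vcl_backend_fetch {
    # The validation call needs the cookies, not the client's payload.
    if (bereq.backend == vouch) { unset bereq.body; }
}

sub vcl_deliver {
    if (req.restarts == 0) {
        # Fail closed: anything but 200 from /validate ends the request here.
        if (resp.status != 200) { return (synth(401, "Unauthorized")); }
        # Forward the identity header, restore the original request, restart.
        set req.http.X-Vouch-User = resp.http.X-Vouch-User;
        set req.method = req.http.X-Orig-Method;
        set req.url = req.http.X-Orig-Url;
        set req.http.X-Auth-Done = "1";
        return (restart);
    }
}
```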

