scott.stewart at nbtsolutions
Jun 3, 2012, 8:00 AM
Post #3 of 3
(439 views)
Permalink
|
Hi Hugo,
-I did as you suggested as added the 'pass' for requests asking for
authentication. And sure enough, it started asking for the
authentication--however it doesnt stop asking for the authentication--it
never seems to authenticate. I know the auth works, because I can access
it without going through varnish and it works fine. Any idea what could be
the problem here?
FWIW, The auth is not a typical basic auth, but a basic auth against an
ldap using the apache and the mod_ldapns_auth
On Wed, May 30, 2012 at 3:50 PM, Scott Stewart <
scott.stewart [at] nbtsolutions> wrote:
> Hi
>
> I have a newly minted varnish (and a newly minted varnish user myself)
> install that has two backends, as spec'ed in this vcl (below).
>
> The "wms1" has no auth on it.
>
> The "default" backend is a Apache server with basic auth, but no one is
> getting asked to authenticate. My understanding was the out of the box
> config for varnish would not cache those authentication required pages, but
> no one is being asked for a username/password
>
> What am I doing wrong here? The app works perfectly otherwise.
>
>
>
> # This is a basic VCL configuration file for varnish. See the vcl(7)
> # man page for details on VCL syntax and semantics.
> #
> # Default backend definition. Set this to point to your content
> # server.
> #
> backend default {
> .host = "127.0.0.1";
> .port = "8081";
> }
>
> backend wms1 {
> .host = "example.com";
> .port = "80";
> }
>
> sub vcl_recv {
>
> if (req.http.host ~ "^(mapsdev\.)example\.com" && req.url~ "^/wms") {
> set req.http.host = "maps.example.com";
> set req.url = regsub(req.url, "^/wms", "/wms");
> set req.backend = wms1;
> if (req.request == "GET" && req.http.cookie)
> {
> unset req.http.cookie;
> }
> }
> if (req.http.host ~ "^(mapsdev\.)?example\.com" && req.url~ "^/app/") {
> set req.url = regsub(req.url, "^/app/", "/flol/admin_2/public/");
> remove req.http.X-Forwarded-For;
> set req.http.X-Forwarded-For = client.ip;
> }
>
> sub vcl_fetch {
> set beresp.ttl = 72h; // default ttl 72 hours
> if (req.http.Authorization)
> {
> return(hit_for_pass);
> }
> }
>
> #
> # Below is a commented-out copy of the default VCL logic. If you
> # redefine any of these subroutines, the built-in logic will be
> # appended to your code.
> # sub vcl_recv {
> # if (req.restarts == 0) {
> # if (req.http.x-forwarded-for) {
> # set req.http.X-Forwarded-For =
> # req.http.X-Forwarded-For + ", " + client.ip;
> # } else {
> # set req.http.X-Forwarded-For = client.ip;
> # }
> # }
> # if (req.request != "GET" &&
> # req.request != "HEAD" &&
> # req.request != "PUT" &&
> # req.request != "POST" &&
> # req.request != "TRACE" &&
> # req.request != "OPTIONS" &&
> # req.request != "DELETE") {
> # /* Non-RFC2616 or CONNECT which is weird. */
> # return (pipe);
> # }
> # if (req.request != "GET" && req.request != "HEAD") {
> # /* We only deal with GET and HEAD by default */
> # return (pass);
> # }
> # if (req.http.Authorization || req.http.Cookie) {
> # /* Not cacheable by default */
> # return (pass);
> # }
> # return (lookup);
> # }
> #
> # sub vcl_pipe {
> # # Note that only the first request to the backend will have
> # # X-Forwarded-For set. If you use X-Forwarded-For and want to
> # # have it set for all requests, make sure to have:
> # # set bereq.http.connection = "close";
> # # here. It is not set by default as it might break some broken web
> # # applications, like IIS with NTLM authentication.
> # return (pipe);
> # }
> #
> # sub vcl_pass {
> # return (pass);
> # }
> #
> # sub vcl_hash {
> # hash_data(req.url);
> # if (req.http.host) {
> # hash_data(req.http.host);
> # } else {
> # hash_data(server.ip);
> # }
> # return (hash);
> # }
> #
> # sub vcl_hit {
> # return (deliver);
> # }
> #
> # sub vcl_miss {
> # return (fetch);
> # }
> #
> # sub vcl_fetch {
> # if (beresp.ttl <= 0s ||
> # beresp.http.Set-Cookie ||
> # beresp.http.Vary == "*") {
> # /*
> # * Mark as "Hit-For-Pass" for the next 2 minutes
> # */
> # set beresp.ttl = 120 s;
> # return (hit_for_pass);
> # }
> # return (deliver);
> # }
> #
> # sub vcl_deliver {
> # return (deliver);
> # }
> #
> # sub vcl_error {
> # set obj.http.Content-Type = "text/html; charset=utf-8";
> # set obj.http.Retry-After = "5";
> # synthetic {"
> # <?xml version="1.0" encoding="utf-8"?>
> # <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
> # "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
> # <html>
> # <head>
> # <title>"} + obj.status + " " + obj.response + {"</title>
> # </head>
> # <body>
> # <h1>Error "} + obj.status + " " + obj.response + {"</h1>
> # <p>"} + obj.response + {"</p>
> # <h3>Guru Meditation:</h3>
> # <p>XID: "} + req.xid + {"</p>
> # <hr>
> # <p>Varnish cache server</p>
> # </body>
> # </html>
> # "};
> # return (deliver);
> # }
> #
> # sub vcl_init {
> # return (ok);
> # }
> #
> # sub vcl_fini {
> # return (ok);
> # }
>
>
--
Scott Stewart
Principal
NBT Solutions LLC
phone: (757)941-5110
email: scott.stewart [at] nbtsolutions
website:www.nbtsolutions.com
|
