5. # Who is allowed to purge
acl local {
“localhost”;
“192.168.1.0”/24; /* and everyone on the local network */
! “192.168.1.23”; /* except for the dialin router */
}
sub vcl_recv {
if (req.method == “PURGE”) {
if (client.ip ~ local) {
return(purge);
} else {
return(synth(403, “Access denied”));
}
}
}
9. ! Generate random cookie
! Issue a cookie to a client
! Authenticate the user that has that cookie
! The cookie can be signed
10. sub vcl_recv {
unset req.http.authstatus;
if (req.http.signature) {
set req.http.sig-verf = digest.hmac_sha256("key", "The quick brown fox
jumps over the lazy dog");
if (req.http.sig-verf == req.http.signature) {
set req.http.authstatus = "ok";
}
}
if (req.http.authstatus == "ok") {
return(synth(200, "ok"));
} else {
return(synth(401, "not ok"));
}
}
13. BEST OF BOTH WORLDS
! Login-service does auth and issues cookie
! Varnish verifies cookie against API
! Varnish issues its own cookies to track state
16. KEY DESIGN DECISIONS
! Access control is either metered or subscription based
! Products IDs - different subscription offerings
! Article IDs - unique article ID for metering
! Auth through cookie and API
17. HOW IS IT BUILT?
! Digest VMOD - Crypto
! Header VMOD - Managing multiple header w/same name
! Variable VMOD - configuration and state
! Paywall VMOD - misc
! Opt. Memcached VMOD - store quota data in Memcached