This document discusses different access control methods for purging content in Varnish, including IP-based access control, basic authentication, and cookie-based access control. It argues that cookie-based access control provides the optimal solution, describing how to generate and authenticate random cookies signed with a secret key to control access. The document then outlines how this approach is used to build a "Varnish auth tool kit" or "VARNISH PAYWALL" system for metered or subscription-based access control of content.

2. ACCESS
CONTROL

3. AGENDA
! IP-based
! Basic auth
! Cookie access control
! Optimal solution

4. IP-based

5. # Who is allowed to purge
acl local {
“localhost”;
“192.168.1.0”/24; /* and everyone on the local network */
! “192.168.1.23”; /* except for the dialin router */
}
sub vcl_recv {
if (req.method == “PURGE”) {
if (client.ip ~ local) {
return(purge);
} else {
return(synth(403, “Access denied”));
}
}
}

6. BASIC
AUTH

7. ! Not really used
! There is a VMOD for that

8. Cookie
Access
Control

9. ! Generate random cookie
! Issue a cookie to a client
! Authenticate the user that has that cookie
! The cookie can be signed

10. sub vcl_recv {
unset req.http.authstatus;
if (req.http.signature) {
set req.http.sig-verf = digest.hmac_sha256("key", "The quick brown fox
jumps over the lazy dog");
if (req.http.sig-verf == req.http.signature) {
set req.http.authstatus = "ok";
}
}
if (req.http.authstatus == "ok") {
return(synth(200, "ok"));
} else {
return(synth(401, "not ok"));
}
}

11. DEMO

12. “Sharing cookie
formats across
services is bad”

13. BEST OF BOTH WORLDS
! Login-service does auth and issues cookie
! Varnish verifies cookie against API
! Varnish issues its own cookies to track state

14. ARCHITECTURE

15. Varnish auth tool kit
Aka
VARNISH PAYWALL

16. KEY DESIGN DECISIONS
! Access control is either metered or subscription based
! Products IDs - different subscription offerings
! Article IDs - unique article ID for metering
! Auth through cookie and API

17. HOW IS IT BUILT?
! Digest VMOD - Crypto
! Header VMOD - Managing multiple header w/same name
! Variable VMOD - configuration and state
! Paywall VMOD - misc
! Opt. Memcached VMOD - store quota data in Memcached

18. BACKEND HEADER
! X-Access-Control: subscription, metered
! X-Aid: 1234
! X-Auth-Failed: /login.html
! X-Pids: 23, 55

19. AUTH SERVER INTERFACE
! Input: vpw_id (cookie from SSO)
! VPW-Allowed-Pids: 75, 23
! VPW-TTL: 30

20. LOGGED-IN USER

21. LOGGED-IN USER

22. STEP 1

23. STEP 2

24. STEP 2

25. STEP 3

26. STEP 3

27. STEP 4

28. ANONYMOUS USER REQUESTS METERED PAGE

29. STEP 1-2
2

30. STEP 1-2

31. STEP 3

32. STEP 3

33. STEP 4
4

34. STEP 4

35. STEP 5
4

36. STEP 5

37. STEP 6

38. STEP 6

39. Q&A

40. Thanks :)