Comments (4)

ewdurbin avatar ewdurbin commented on August 23, 2024

Some thoughts:

Implementation of Surrogate-Keys

It could be done via headers/conditions in the service configuration, though currently the docs fastly configuration is not created from version control (outside of fastly's own internal versioning), so I'm not sure if that's the best way to approach it.

Regardless, this is better accomplished by setting Surrogate-Key header values directly on the responses served via the backend.

Since as far as I am aware, there's no trivial way to manage adding HTTP headers with sphinx, I recommend doing this by using nginx add_header directives in the nginx config rather than with VCL.

Access for purging

Currently purges using Surrogate-Keys are only accessible via the authenticated API, so we'd need some mechanism for issuing them when necessary.

from psf-salt.
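The nginx approach described in the comment above, as an added example (not psf-salt's own configuration): derive Surrogate-Key values from the request path with `map` and attach them with `add_header`. The URL layout (`/<version>/...`, `/dev/`, `_static/`), the hostname and the root path are assumptions chosen for illustration; adjust the regexes to the real Sphinx tree.

```nginx
# Added example, not from psf-salt. Emits Fastly Surrogate-Key values for a
# Sphinx build served as static files. Assumed layout: /<version>/<page>.html
# (e.g. /3/library/os.html) plus /dev/ and per-version _static/ trees.

# One key per documentation version, taken from the first path segment.
# Keys are whitespace-separated tokens; the value is empty when nothing matches.
map $uri $docs_version_key {
    default                          "";
    "~^/(?<ver>[0-9]+(\.[0-9]+)?)/"  "docs-$ver";
    "~^/dev/"                        "docs-dev";
}

# A separate key for theme/static assets, which change with every rebuild.
map $uri $docs_static_key {
    default              "";
    "~^/[^/]+/_static/"  "docs-static";
}

server {
    listen 443 ssl;
    server_name docs.example.org;   # placeholder hostname
    root /srv/docs;                 # placeholder document root

    # add_header directives are inherited from the server level only if the
    # location block declares none of its own, so declare them once here and
    # do not add_header inside locations (or repeat all of them there).
    # "always" also sets the header on 404s, so cached error pages are purgeable.
    # "docs" is a catch-all key so an operator can purge the whole site at once.
    add_header Surrogate-Key "docs $docs_version_key $docs_static_key" always;

    # Edge TTL for Fastly; Surrogate-Control is honoured by the edge and not
    # forwarded to browsers, unlike Cache-Control.
    add_header Surrogate-Control "max-age=86400" always;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Fastly strips the Surrogate-Key header before the response reaches the client, so the key names are not exposed. Purging by key is then done through the authenticated API the comment refers to: a POST to `https://api.fastly.com/service/<service_id>/purge/<key>` with a `Fastly-Key` header (e.g. `docs-3.12` to drop one version, `docs` to drop everything), which is why some mechanism for holding and using that token is still needed.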

JulienPalard avatar JulienPalard commented on August 23, 2024

What about using BANs with regexes implemented purely in VCL so we can do it without the authenticated API?

https://varnish-cache.org/docs/7.2/users-guide/purging.html

Something like:

        vcl 4.1;
        import std;

        # Hosts allowed to issue BAN requests (placeholder addresses).
        acl purge {
                "localhost";
                "127.0.0.1";
        }

        sub vcl_recv {
                if (req.method == "BAN") {
                        # Same ACL check as above:
                        if (!client.ip ~ purge) {
                                return(synth(403, "Not allowed."));
                        }
                        # Assumes req.url is a regex. This might be a bit too simple
                        if (std.ban("obj.http.url ~ " + req.url)) {
                                return(synth(200, "Ban added"));
                        } else {
                                # return ban error in 400 response
                                return(synth(400, std.ban_error()));
                        }
                }
        }

        # From the linked Varnish docs: a ban on obj.http.url can only match if the
        # URL was stored on the cached object, so copy it over at fetch time.
        sub vcl_backend_response {
                set beresp.http.url = bereq.url;
        }

While we're at it, implementing an IP whitelist for PURGE and BAN should be great to avoid ReDoS attacks.

from psf-salt.

ewdurbin avatar ewdurbin commented on August 23, 2024

Surrogate-Key purges aren't exposed via Fastly's config/VCL but through their API, so I don't think that will work.

from psf-salt.

JulienPalard avatar JulienPalard commented on August 23, 2024

I have almost never used Fastly, I just had plain Varnish in prod. Is Fastly VCL restricted in some way that blocks us from playing this kind of trick? :(

from psf-salt.
