Hello, we recently ran into an issue with Varnish where HTTP authorization
was concerned, so I created this patch [it can probably be done a whole lot
better]. The attached patch adds a function, cnt_auth, which calls an
external function that you must insert yourself. It passes the external
function the base64-encoded username and password, the user's IP, and the
path of the filename. It is up to your external function to decide whether
the credentials presented are correct and to return 1 or -1 (true or
false). If false, cnt_auth sets sp->handling to VCL_RET_PASS, which will pass
the request off to the server. The patch also modifies the cnt_fetch function to check
for a 401 status code, to prevent us from caching an actual 401 Unauthorized
status and serving that to a legitimate client.
--- /tmp/tmp/svn/svn/trunk/varnish-cache/bin/varnishd/cache_center.c	2007-02-20 22:34:15.000000000 -0500
+++ cache_center.c	2007-02-21 10:45:37.000000000 -0500
@@ -290,6 +290,10 @@
 
 	VCL_fetch_method(sp);
 
+        if (http_GetStatus(sp->vbc->http) == 401) {
+		sp->handling = VCL_RET_PASS;
+	}
+
 	if (sp->handling == VCL_RET_LOOKUP)
 		INCOMPL();
 	if (sp->handling == VCL_RET_PASS) {
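Review bot: The added 401 check carries no comment explaining why it overrides whatever VCL_fetch_method() just decided, and its first line is indented with spaces where the rest of the file uses tabs. I would re-indent it with a tab and add `/* Never cache an auth challenge: a stored 401 would be replayed to clients that hold valid credentials. */` above it. Only 401 is guarded here, so a successful response to an authenticated request presumably still goes into the cache and relies entirely on the hit-path check to stay protected. The enclosing function starts and ends outside this hunk, so the insert path itself is not visible.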
@@ -368,7 +372,35 @@
 	sp->step = STP_DONE;
 	return (0);
 }
-
+/*--------------------------------------------------------------------
+ * receives base64 encoded Basic Authorization. calls external 
+ * function which returns 1 or -1 
+ * (1 = proper login credentials; -1 = login failed)
+ */
+void
+cnt_auth(struct sess *sp) 
+{
+	int a, b, c;
+	char *saveptr;
+	char *result = NULL;
+	char delims[] = " ";
+
+	for(a=6;a<20;a++) {
+		if (strstr(sp->http->hd[a].b, "Authorization")) {
+			for(result = strtok_r(sp->http->hd[a].b, delims, &saveptr), b=0; result, b<2; result = strtok_r(NULL, delims, &saveptr), b++) {
+			}
+			if (ndauth(result, sp->addr, sp->http->hd[1].b) == 1) {
+				c = 1;
+			}
+			else {
+				c = -1;
+				sp->handling = VCL_RET_PASS;
+			}
+			break;
+		}
+	}
+}
+				
 /*--------------------------------------------------------------------
  * We had a cache hit.  Ask VCL, then march off as instructed.
  *
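Review bot: cnt_auth fails open and parses the header unsafely. It scans the fixed slots `hd[6]`..`hd[19]` and calls strstr() on each `.b` without checking that the slot is populated. The match is a case-sensitive substring test, so it misses `authorization:` and also matches `Proxy-Authorization` or any header whose value contains the word; when nothing matches, the function returns without touching `sp->handling` and the cached object is delivered with no credential check. In addition, strtok_r() writes NULs into the request header that is presumably forwarded to the backend on pass, `result` is NULL when the header has fewer than three tokens, the scheme is never compared with `Basic`, and `c` is assigned but never read. I would look the header up by exact name, skip the scheme without modifying the buffer, and set `VCL_RET_PASS` on every path except a positive ndauth() verdict, as sketched below. The sketch assumes http_GetHdr() and H_Authorization are available in this tree, and `ndauth` still needs a visible prototype.

```c
void
cnt_auth(struct sess *sp)
{
	char *cred;

	/* Exact header-name lookup: no fixed slot range, no substring match. */
	if (http_GetHdr(sp->http, H_Authorization, &cred) &&
	    strncasecmp(cred, "Basic", 5) == 0 &&
	    isspace((unsigned char)cred[5])) {
		/* Step over the scheme in place; the header must stay intact for pass. */
		cred += 5;
		while (isspace((unsigned char)*cred))
			cred++;
		if (*cred != '\0' &&
		    ndauth(cred, sp->addr, sp->http->hd[1].b) == 1)
			return;
	}
	/* Missing, malformed or rejected credentials: let the backend decide. */
	sp->handling = VCL_RET_PASS;
}
```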
@@ -412,6 +444,8 @@
 
 	VCL_hit_method(sp);
 
+	cnt_auth(sp);
+
 	if (sp->handling == VCL_RET_DELIVER && sp->obj->pass)
 		sp->handling = VCL_RET_PASS;
 
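Review bot: The new `cnt_auth(sp);` call runs on every cache hit regardless of what VCL_hit_method() returned, so a failed check can overwrite a non-deliver decision from VCL with `VCL_RET_PASS`. Guarding it keeps the override limited to the case it is meant for: `if (sp->handling == VCL_RET_DELIVER)` followed by `cnt_auth(sp);`. Nothing visible here records whether the cached object was fetched with credentials, so the external function is consulted for public objects too. A short comment at the call site stating that intent would help the next reader. The enclosing function starts and ends outside this hunk.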