On 4 October 2010 09:37, Tollef Fog Heen <[email protected]> wrote:
> ]] Ron van der Vegt
>
> | What do you suggest? Are there other approaches that fit the use-case? How did
> | or would you solve this problem with Varnish?
>
> I'd set a cookie on the backend, sign it using a HMAC, include an expiry
> time in the cookie value and validate the HMAC signature + expiry value
> using inline C in Varnish. I don't think there's any examples of this,
> but it shouldn't be that hard to write something.

This sounds similar to the mod_auth_tkt scheme - http://www.openfusion.com.au/labs/mod_auth_tkt/ - although this is C code it relies heavily on the Apache libraries and as such does not look trivial to convert to inline C code in Varnish.

I implemented an HMAC SHA-256 variant of mod_auth_tkt in plone.session - http://pypi.python.org/pypi/plone.session - see tktauth.py for the Python code that generates and validates these cookies (usable outside of Plone).

http://dev.plone.org/plone/browser/plone.session/trunk/plone/session/tktauth.py

I think this is your best route, and I would certainly find it interesting to see one of these authentication schemes implemented for Varnish. You could then do token based authorization in vcl_deliver, checking that the user has one of the tokens listed in a response header.

Also take a look at the varnish-dev list. Nils Goroll has been working on "Digests and data encoding in Varnish" and there is considerable overlap there.

Laurence

_______________________________________________
varnish-misc mailing list
[email protected]
http://lists.varnish-cache.org/mailman/listinfo/varnish-misc
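
The scheme discussed in this thread (the backend signs a cookie with an HMAC and an expiry time, the cache validates both, then checks the user's tokens against a response header), as an added Python sketch that is not part of the original messages and is not the mod_auth_tkt or plone.session cookie format. The field layout, the function names and the secret are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: shared by backend and verifier


def _mac(secret, payload):
    return hmac.new(secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_cookie(secret, userid, tokens, expiry):
    """Backend side: build 'userid|tok1,tok2|expiry|hexmac' (constructed layout)."""
    for field in [userid, *tokens]:
        # Reject delimiters so a field can never be re-parsed as two fields.
        if not field or any(c in field for c in "|,;= \t\r\n"):
            raise ValueError("field is empty or contains a delimiter")
    payload = f"{userid}|{','.join(tokens)}|{int(expiry)}"
    return f"{payload}|{_mac(secret, payload)}"


def verify_cookie(secret, cookie, now=None):
    """Cache side: return (userid, tokens) or None if forged, malformed or expired."""
    now = time.time() if now is None else now
    payload, sep, mac = cookie.rpartition("|")
    if not sep:
        return None
    # Check the MAC first, in constant time, before trusting any field.
    if not hmac.compare_digest(_mac(secret, payload).encode(), mac.encode()):
        return None
    parts = payload.split("|")
    if len(parts) != 3 or not parts[2].isdigit():
        return None
    userid, tokens, expiry = parts
    if int(expiry) <= now:  # the expiry is covered by the MAC, so it is trustworthy here
        return None
    return userid, set(filter(None, tokens.split(",")))


def authorized(secret, cookie, required_header, now=None):
    """Allow delivery only if the user holds one token named in the response header."""
    session = verify_cookie(secret, cookie, now)
    if session is None:
        return False
    required = {t.strip() for t in required_header.split(",") if t.strip()}
    return bool(session[1] & required)
```

Because the expiry sits inside the signed payload, a client cannot extend its own session; revoking a cookie before it expires still requires rotating the secret or keeping server-side state.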
