Varnish access control
Access Control
• IP-based access
• Basic auth
• Various cookie based access controls
IP-based ACLs
# Who is allowed to purge....
acl local {
    "localhost";
    "192.168.1.0"/24;    /* and everyone on the local network */
    ! "192.168.1.23";    /* except for the dialin router */
}

sub vcl_recv {
    if (req.method == "PURGE") {
        if (client.ip ~ local) {
            return(purge);
        } else {
            return(synth(403, "Access denied."));
        }
    }
}
Basic Auth
• Not really used
• There is a VMOD for that
Cookie based auth
• Generate random cookie
• Issue a cookie to a client
• Authenticate the user that has the cookie
Crypto-signed cookies
• Sign the cookie
• Issue to the client
• Cookie is now tamperproof
• You can also verify its origin
• Problem: Now the format of the cookie is defined in two places
Silly crypto access example
import digest;    /* DigestVMOD, needed for digest.hmac_sha256 */

sub vcl_recv {
    unset req.http.authstatus;    /* never trust a client-supplied authstatus */
    if (req.http.signature) {
        /* recompute HMAC-SHA256 over username + URL with the shared secret */
        set req.http.sig-verf = digest.hmac_sha256("secret", req.http.username + req.url);
        if (req.http.sig-verf == req.http.signature) {
            set req.http.authstatus = "ok";
        }
    }
    if (req.http.authstatus == "ok") {
        return(synth(200, "ok"));
    } else {
        return(synth(401, "Not ok"));
    }
}
demo
Points to remember
• If you add a random string your crypto cookie becomes really hard to crack
• Client side scripting required to manipulate the cookies
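The "silly crypto access example" and the "points to remember" slides describe one scheme from two sides: an issuer computes HMAC-SHA256 over username + URL with a shared secret, and Varnish recomputes it and compares. The Python below is an added example written for this page, not code from the deck or from the Varnish project. It mirrors the VCL (the DigestVMOD returns a lowercase hex digest, so `hexdigest()` is used), adds the random nonce the slides recommend, and swaps the slide's plain `==` for a constant-time comparison. The secret literal, the header names and the `vcl_recv` function name are assumptions chosen to match the slide; the fact that the issuer and verifier must agree byte for byte on what is signed is exactly the "format defined in two places" problem slide 7 warns about.

```python
import hashlib
import hmac
import secrets

# Constructed secret for the example; mirrors the slide's "secret" literal.
# In a real deployment load it from configuration, never hard-code it.
SECRET = b"secret"


def sign(secret: bytes, username: str, url: str, nonce: str = "") -> str:
    """Equivalent of digest.hmac_sha256("secret", req.http.username + req.url).

    Returns a lowercase hex digest like the VMOD. The optional nonce is the
    "random string" from the points-to-remember slide: it is appended to the
    signed message so the signature no longer depends on (user, url) alone.
    """
    message = (username + url + nonce).encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def issue_headers(secret: bytes, username: str, url: str, with_nonce: bool = False) -> dict:
    """Issuer side: build the request headers a client presents to Varnish."""
    nonce = secrets.token_hex(16) if with_nonce else ""
    headers = {"username": username, "signature": sign(secret, username, url, nonce)}
    if with_nonce:
        headers["nonce"] = nonce
    return headers


def vcl_recv(headers: dict, url: str, secret: bytes = SECRET) -> int:
    """Verifier side, equivalent to the slide's sub vcl_recv.

    Returns the synth status: 200 when the signature verifies, 401 otherwise.
    hmac.compare_digest replaces the slide's == so the comparison runs in
    constant time; everything else (field order, encoding) must match the
    issuer exactly, which is the "defined in two places" coupling.
    """
    signature = headers.get("signature")
    if not signature:
        return 401
    expected = sign(secret, headers.get("username", ""), url, headers.get("nonce", ""))
    return 200 if hmac.compare_digest(expected, signature) else 401


if __name__ == "__main__":
    hdrs = issue_headers(SECRET, "alice", "/article/42", with_nonce=True)
    print(vcl_recv(hdrs, "/article/42"))              # 200: signature matches
    print(vcl_recv(hdrs, "/article/43"))              # 401: URL differs
    print(vcl_recv(dict(hdrs, username="bob"), "/article/42"))  # 401: username tampered
```

Change the order of the concatenation in either `sign` or the issuer and every signature stops verifying, which is the practical reason the later slides move cookie issuance out of Varnish and into a login service that Varnish merely asks about.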
Example 2
“Sharing cookie formats across services is bad”
Best of both worlds
• Login-service does auth and issues cookie
• Varnish verifies cookie against API
• Varnish issues its own cookies to track state
Architecture
client -> varnish -> auth API (cookie verification) and content backend
Varnish auth toolkit
aka Varnish Paywall
Key design decisions
• Access control is either metered or subscription based
• Product IDs - different subscription offerings
• Article IDs - unique article ID for metering
• Auth through cookie and API
How is it built?
• DigestVMOD - Crypto
• HeaderVMOD - Managing multiple headers w/same name
• VariableVMOD - configuration and state
• PaywallVMOD - misc
• Opt. MemcachedVMOD - store quota data in Memcached
Backend header example
• X-Access-Control: subscription,metered
• X-Aid: 1234
• X-Auth-Failed: /login.html
• X-Pids: 23,55
Auth server interface
• Input: vpw_id (cookie from SSO)
• VPW-Allowed-Pids: 75,23
• VPW-TTL: 30
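The key-design, backend-header and auth-server slides together describe the decision Varnish makes per request: the content backend says how an article is protected (`X-Access-Control`, `X-Pids`, `X-Aid`, `X-Auth-Failed`), the auth server says which product IDs the `vpw_id` cookie is entitled to and for how long that answer may be cached (`VPW-Allowed-Pids`, `VPW-TTL`), and metered access counts distinct article IDs per reader. The Python below is an added example written for this page, not the Varnish Paywall VMOD's own logic. The sample headers and auth responses are constructed from the slide values; the free-article quota, the rule that subscription access is granted when the article's `X-Pids` and the reader's allowed PIDs overlap, and the in-memory dicts standing in for VariableVMOD/Memcached are assumptions.

```python
import time

# Constructed sample of what the content backend returns (slide "Backend header example").
BACKEND_HEADERS = {
    "X-Access-Control": "subscription,metered",
    "X-Aid": "1234",
    "X-Auth-Failed": "/login.html",
    "X-Pids": "23,55",
}

# Constructed stand-in for the auth server (slide "Auth server interface"):
# vpw_id cookie value -> the headers the auth API would answer with.
AUTH_SERVER = {
    "sess-subscriber": {"VPW-Allowed-Pids": "75,23", "VPW-TTL": "30"},
    "sess-free-user": {"VPW-Allowed-Pids": "", "VPW-TTL": "30"},
}

METER_QUOTA = 3  # assumed: distinct free articles per reader before the paywall closes


def split_ids(value: str) -> set:
    """Parse a comma-separated ID list such as "23,55" into a set of strings."""
    return {v.strip() for v in value.split(",") if v.strip()}


class Paywall:
    def __init__(self, auth_server, quota=METER_QUOTA, now=time.time):
        self.auth_server = auth_server
        self.quota = quota
        self.now = now          # injectable clock so TTL behaviour can be tested
        self.auth_cache = {}    # vpw_id -> (allowed pids, expiry); VariableVMOD stand-in
        self.meter = {}         # reader key -> set of article IDs read; Memcached stand-in

    def allowed_pids(self, vpw_id: str) -> set:
        """Ask the auth API which product IDs the cookie grants, honouring VPW-TTL."""
        cached = self.auth_cache.get(vpw_id)
        if cached and cached[1] > self.now():
            return cached[0]
        resp = self.auth_server.get(vpw_id)
        if resp is None:            # unknown or expired SSO cookie: no entitlements
            return set()
        pids = split_ids(resp["VPW-Allowed-Pids"])
        self.auth_cache[vpw_id] = (pids, self.now() + int(resp["VPW-TTL"]))
        return pids

    def decide(self, backend_headers: dict, vpw_id=None, reader_key="anon"):
        """Return ("deliver", None) or ("redirect", login_url) for one request.

        reader_key models the state cookie Varnish issues itself (slide
        "Best of both worlds"); it keys the metering counter.
        """
        modes = split_ids(backend_headers.get("X-Access-Control", ""))
        if not modes:
            return ("deliver", None)      # backend did not protect this object
        if "subscription" in modes and vpw_id:
            article_pids = split_ids(backend_headers.get("X-Pids", ""))
            if article_pids & self.allowed_pids(vpw_id):
                return ("deliver", None)  # reader holds a product that covers it
        if "metered" in modes:
            aid = backend_headers.get("X-Aid")
            seen = self.meter.setdefault(reader_key, set())
            if aid in seen or len(seen) < self.quota:
                seen.add(aid)             # re-reading a counted article is free
                return ("deliver", None)
        return ("redirect", backend_headers.get("X-Auth-Failed", "/login.html"))


if __name__ == "__main__":
    pw = Paywall(AUTH_SERVER, quota=2)
    print(pw.decide(BACKEND_HEADERS, "sess-subscriber"))          # deliver: pid 23 matches
    for aid in ("1", "2", "3"):                                   # free reader burns the meter
        print(pw.decide({**BACKEND_HEADERS, "X-Aid": aid}, "sess-free-user", "reader-1"))
```

Because the auth lookup is cached for `VPW-TTL` seconds, revoking a subscription takes effect only after the TTL expires; the slide's value of 30 keeps that window small while still sparing the auth API one round trip per request.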
Demo
Q&A
