[PATCH] Implement std.ip() to simplify ACL checking in VCL

Leif Pedersen bilbo at hobbiton.org
Thu Aug 1 17:21:26 CEST 2013


On Thu, Aug 1, 2013 at 5:41 AM, Lasse Karstensen <lkarsten at varnish-software.com> wrote:

> On Thu, Aug 01, 2013 at 02:03:14AM +0100, Federico Schwindt wrote:
> > On Wed, Jul 31, 2013 at 2:46 PM, Lasse Karstensen <lkarsten at varnish-software.com> wrote:
>
> > - Using VCL_IP for the fallback parameter restricts what you can use to
> > client.ip or server.ip. This might or might not be a problem.
> > I wrote a similar function a while ago that was using a STRING parameter as
> > suggested by Tollef. Not sure if this is still required.
>
> You can of course nest them to get an arbitrary fallback:
>         std.ip(req.http.X-Forwarded-For, std.ip("127.255.255.255"));
>
>
I've noticed that client.ip and server.ip can be used implicitly as
strings. (Is this without caveats?) So if std.ip accepts a string as the
fall-back, then the VCL never need specify the conversion explicitly, which
would make VCL code more succinct. That is, by accepting a string, both of
these would work, which I think would be helpful:

std.ip(req.http.X-Forwarded-For, "127.255.255.255");
std.ip(req.http.X-Forwarded-For, client.ip);

Of course, your point about a fallback fallback still stands if the string
is formatted badly. I suppose I'd just fall back to 0.0.0.0 or something in
that case.

PS. Useful feature, thanks. I wrote a couple of pieces of VCL code where I
had to resort to matching an IP received from a header against a range with
a regex instead of an ACL. This oughtta clean that up for me.


-- 

As implied by email protocols, the information in this message is
not confidential.  Any middle-man or recipient may inspect, modify,
copy, forward, reply to, delete, or filter email for any purpose unless
said parties are otherwise obligated.  As the sender, I acknowledge that
I have a lower expectation of the control and privacy of this message
than I would a post-card.  Further, nothing in this message is
legally binding without cryptographic evidence of its integrity.

http://bilbo.hobbiton.org/wiki/Eat_My_Sig
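
The fallback chain discussed in this message (header value, then a string fallback, then 0.0.0.0), as an added C example that is not part of the original post or of the std.ip() patch. The function and enum names are hypothetical, and `inet_pton()` is an assumed stand-in for whatever parsing the patch itself uses.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <string.h>

/* Which input supplied the address (hypothetical names for this example). */
enum ip_source { IP_FROM_INPUT, IP_FROM_FALLBACK, IP_FROM_DEFAULT };

/* Strictly parse one numeric IPv4/IPv6 literal: no DNS, no trimming, no lists.
 * On success writes the canonical text form to out and returns 1. */
static int parse_ip_literal(const char *s, char *out, size_t outlen)
{
    unsigned char buf[sizeof(struct in6_addr)];
    const int families[] = { AF_INET, AF_INET6 };

    if (s == NULL)
        return 0;
    for (size_t i = 0; i < 2; i++) {
        if (inet_pton(families[i], s, buf) == 1 &&
            inet_ntop(families[i], buf, out, (socklen_t)outlen) != NULL)
            return 1;
    }
    return 0;
}

/* Model of a string-fallback std.ip(input, "fallback"): try the input, then
 * the fallback string, then 0.0.0.0 as the "fallback fallback".
 * out must hold at least INET6_ADDRSTRLEN bytes. */
enum ip_source ip_or_fallback(const char *input, const char *fallback,
                              char *out, size_t outlen)
{
    if (parse_ip_literal(input, out, outlen))
        return IP_FROM_INPUT;
    if (parse_ip_literal(fallback, out, outlen))
        return IP_FROM_FALLBACK;
    /* Both strings were malformed or absent: use the last-resort address. */
    strncpy(out, "0.0.0.0", outlen - 1);
    out[outlen - 1] = '\0';
    return IP_FROM_DEFAULT;
}
```

Returning which source was used lets the caller tell a parsed header value from a fallback before feeding the address to an ACL. With this strict parser, a comma-separated header value such as the constructed sample `203.0.113.7, 10.0.0.1` is not a single literal and takes the fallback path.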