Hi Hugo,<div><br></div><div>-I did as you suggested as added the 'pass' for requests asking for authentication. And sure enough, it started asking for the authentication--however it doesnt stop asking for the authentication--it never seems to authenticate. I know the auth works, because I can access it without going through varnish and it works fine. Any idea what could be the problem here?<div>
<br></div><div>FWIW, The auth is not a typical basic auth, but a basic auth against an ldap using the apache and the mod_ldapns_auth</div><div><br><div class="gmail_quote">On Wed, May 30, 2012 at 3:50 PM, Scott Stewart <span dir="ltr"><<a href="mailto:scott.stewart@nbtsolutions.com" target="_blank">scott.stewart@nbtsolutions.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>Hi </div><div><br></div><div>I have a newly minted varnish (and a newly minted varnish user myself) install that has two backends, as spec'ed in this vcl (below).</div>
<div><br></div><div>The "wms1" has no auth on it.</div>
<div><br></div><div>The "default" backend is a Apache server with basic auth, but no one is getting asked to authenticate. My understanding was the out of the box config for varnish would not cache those authentication required pages, but no one is being asked for a username/password</div>
<div><br></div><div>What am I doing wrong here? The app works perfectly otherwise.</div><div><br></div><div><br></div><div><br></div><div><div># This is a basic VCL configuration file for varnish. See the vcl(7)</div><div>
# man page for details on VCL syntax and semantics.</div><div># </div><div># Default backend definition. Set this to point to your content</div><div># server.</div><div># </div><div>backend default {</div><div> .host = "127.0.0.1";</div>
<div> .port = "8081";</div><div>}</div><div><br></div><div>backend wms1 {</div><div> .host = "<a href="http://example.com" target="_blank">example.com</a>"; </div><div> .port = "80";</div>
<div>}</div>
<div><br></div><div>sub vcl_recv {</div><div> </div><div><span style="white-space:pre-wrap"> </span></div><div><span style="white-space:pre-wrap"> </span></div><div><span style="white-space:pre-wrap"> </span>if (req.http.host ~ "^(mapsdev\.)example\.com" && req.url~ "^/wms") {</div>
<div><span style="white-space:pre-wrap"> </span>set req.http.host = "<a href="http://maps.example.com" target="_blank">maps.example.com</a>";</div><div><span style="white-space:pre-wrap"> </span>set req.url = regsub(req.url, "^/wms", "/wms");</div>
<div><span style="white-space:pre-wrap"> </span>set req.backend = wms1;</div><div><span style="white-space:pre-wrap"> </span>if (req.request == "GET" && req.http.cookie) </div>
<div><span style="white-space:pre-wrap"> </span>{</div><div> unset req.http.cookie;</div><div><span style="white-space:pre-wrap"> </span>}</div><div><span style="white-space:pre-wrap"> </span>}</div>
<div><span style="white-space:pre-wrap"> </span></div><div><span style="white-space:pre-wrap"> </span>if (req.http.host ~ "^(mapsdev\.)?example\.com" && req.url~ "^/app/") {</div>
<div><span style="white-space:pre-wrap"> </span>set req.url = regsub(req.url, "^/app/", "/flol/admin_2/public/");</div><div><span style="white-space:pre-wrap"> </span>remove req.http.X-Forwarded-For; </div>
<div><span style="white-space:pre-wrap"> </span>set req.http.X-Forwarded-For = client.ip; </div><div><span style="white-space:pre-wrap"> </span></div><div>}</div><div><br></div><div>
sub vcl_fetch {</div><div><span style="white-space:pre-wrap"> </span>set beresp.ttl = 72h; // default ttl 72 hours</div><div><span style="white-space:pre-wrap"> </span>if (req.http.Authorization) </div>
<div><span style="white-space:pre-wrap"> </span>{ </div><div><span style="white-space:pre-wrap"> </span>return(hit_for_pass);</div><div><span style="white-space:pre-wrap"> </span>}</div>
<div>}</div><div><br></div><div># </div><div># Below is a commented-out copy of the default VCL logic. If you</div><div># redefine any of these subroutines, the built-in logic will be</div><div># appended to your code.</div>
<div># sub vcl_recv {</div><div># if (req.restarts == 0) {</div><div># <span style="white-space:pre-wrap"> </span>if (req.http.x-forwarded-for) {</div><div># <span style="white-space:pre-wrap"> </span> set req.http.X-Forwarded-For =</div>
<div># <span style="white-space:pre-wrap"> </span>req.http.X-Forwarded-For + ", " + client.ip;</div><div># <span style="white-space:pre-wrap"> </span>} else {</div><div># <span style="white-space:pre-wrap"> </span> set req.http.X-Forwarded-For = client.ip;</div>
<div># <span style="white-space:pre-wrap"> </span>}</div><div># }</div><div># if (req.request != "GET" &&</div><div># req.request != "HEAD" &&</div><div>
# req.request != "PUT" &&</div><div># req.request != "POST" &&</div><div># req.request != "TRACE" &&</div><div># req.request != "OPTIONS" &&</div>
<div># req.request != "DELETE") {</div><div># /* Non-RFC2616 or CONNECT which is weird. */</div><div># return (pipe);</div><div># }</div><div># if (req.request != "GET" && req.request != "HEAD") {</div>
<div># /* We only deal with GET and HEAD by default */</div><div># return (pass);</div><div># }</div><div># if (req.http.Authorization || req.http.Cookie) {</div><div># /* Not cacheable by default */</div>
<div># return (pass);</div><div># }</div><div># return (lookup);</div><div># }</div><div># </div><div># sub vcl_pipe {</div><div># # Note that only the first request to the backend will have</div><div>
# # X-Forwarded-For set. If you use X-Forwarded-For and want to</div><div># # have it set for all requests, make sure to have:</div><div># # set bereq.http.connection = "close";</div><div># # here. It is not set by default as it might break some broken web</div>
<div># # applications, like IIS with NTLM authentication.</div><div># return (pipe);</div><div># }</div><div># </div><div># sub vcl_pass {</div><div># return (pass);</div><div># }</div><div># </div><div># sub vcl_hash {</div>
<div># hash_data(req.url);</div><div># if (req.http.host) {</div><div># hash_data(req.http.host);</div><div># } else {</div><div># hash_data(server.ip);</div><div># }</div><div># return (hash);</div>
<div># }</div><div># </div><div># sub vcl_hit {</div><div># return (deliver);</div><div># }</div><div># </div><div># sub vcl_miss {</div><div># return (fetch);</div><div># }</div><div># </div><div># sub vcl_fetch {</div>
<div># if (beresp.ttl <= 0s ||</div><div># beresp.http.Set-Cookie ||</div><div># beresp.http.Vary == "*") {</div><div># <span style="white-space:pre-wrap"> </span>/*</div>
<div># <span style="white-space:pre-wrap"> </span> * Mark as "Hit-For-Pass" for the next 2 minutes</div><div># <span style="white-space:pre-wrap"> </span> */</div><div># <span style="white-space:pre-wrap"> </span>set beresp.ttl = 120 s;</div>
<div># <span style="white-space:pre-wrap"> </span>return (hit_for_pass);</div><div># }</div><div># return (deliver);</div><div># }</div><div># </div><div># sub vcl_deliver {</div><div># return (deliver);</div>
<div># }</div><div># </div><div># sub vcl_error {</div><div># set obj.http.Content-Type = "text/html; charset=utf-8";</div><div># set obj.http.Retry-After = "5";</div><div># synthetic {"</div>
<div># <?xml version="1.0" encoding="utf-8"?></div><div># <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"</div><div># "<a href="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd" target="_blank">http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd</a>"></div>
<div># <html></div><div># <head></div><div># <title>"} + obj.status + " " + obj.response + {"</title></div><div># </head></div><div># <body></div><div># <h1>Error "} + obj.status + " " + obj.response + {"</h1></div>
<div># <p>"} + obj.response + {"</p></div><div># <h3>Guru Meditation:</h3></div><div># <p>XID: "} + req.xid + {"</p></div><div># <hr></div><div>
# <p>Varnish cache server</p></div><div># </body></div><div># </html></div><div># "};</div><div># return (deliver);</div><div># }</div><div># </div><div># sub vcl_init {</div><div># <span style="white-space:pre-wrap"> </span>return (ok);</div>
<div># }</div><div># </div><div># sub vcl_fini {</div><div># <span style="white-space:pre-wrap"> </span>return (ok);</div><div># }</div></div><div><br></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Scott Stewart<br>Principal<br>NBT Solutions LLC<br>phone: (757)941-5110<br>email: <a href="mailto:scott.stewart@nbtsolutions.com">scott.stewart@nbtsolutions.com</a><br>
website:<a href="http://www.nbtsolutions.com">www.nbtsolutions.com</a><br>
</div></div>