Varnish Edge Authentication

Varnish Edge Authentication

The Drupal module does not restrict access to any files, but simply sets headers describing which entitlements are needed to access them. You can use Varnish to perform edge authentication based on these headers. The varnish plugin also allows you to specify internal IP ranges which can both bypass the security and see content which has not yet been published.

If you are using Varnish, it needs to be listening on port 80 and serving the requests from the Pugpig App. It will forward requests to a back end server listening on a different port. Varnish must only pass through non-Pugpig requests (like Drupal or WordPress admin screens).

The provided varnish configuration and associated authentication service applies the following rules, which you may want to customise:

  • if your hostname starts with cms.* (e.g. varnish will pass the connection through without preforming any additional authentication or caching. Accessing the Drupal admin pages through anything other than cms. will not work
  • varnish assumes any URL ending in /edition_credentials or /verify_subscription is a Pugpig for Drupal authentication module. These connections also bypass varnish.
  • assets will never be authenticated. A file is determined to be an asset if it ends with .css, .jpg, .gif, .jpeg, .png, .ttf, .ico or .js.
  • if your ip range reports that you are an internal user (see below) varnish will re-write any access to the edition.xml or edition-atom.xml files to their internal versions (which also show unpublished editions).
  • all other requests will be validated via the helper auth service.

Varnish for PHP

Note: This has only been tested with varnish-2.1 - there may be issues with earlier or later versions. Get in touch if you have issues.

See the Pugpig Varnish for PHP Release Notes


Auth Service Config

The Auth Service files need to be placed somewhere accessible by your web server. It contains the following:

  • pugpug_auth.php - Varnish will forward requests to this file to determine if they need authorisation
  • pugpig_range_check.php - Use this to test the internal/external ranges.
  • ip_in_range.php - Helper functions used by both pugpug_auth and pugpig_range_check

In your auth_service subdirectory, add a env_config.php file with your configuration. You can use the sample env_config_sample.php as a starting point. The following variables need to be set:

  • $internal_ip_range - ; seperated ranges of IP address that are considered internal. See ip_in_range.php comments for supported formats
  • $sharedSecret - this is the authentication secret used to generate authentication tokens. It needs to match the Pugpig secret which you can find in the Drupal modules under Pugpig > Settings > Authentication Secret
  • $cms_root - leave this blank if your Drupal instance runs at the root (e.g. Otherwise it should be the base path (e.g. “drupal”)
$internal_ip_range = "200.200.200.*;100.100.100.*";
$sharedSecret = 'thisisasharedscret';
$cms_root = "";   // no trailing slash. blank for root

Varnish Config

Rename pugpig.vcl to something like YourSystem.vcl

Edit your varnishd config (usually in /etc/default/varnish) to point to your VCL file

Change the following settings in YourSystem.vcl:

The settings for your content back end server:

backend default {
     .host = "";
     .port = "8080";

The web URL to the auth service.

set req.url = "/path_to_your_auth_service_directory/pugpig_auth.php";

If your authoring (passthrough) names are structured differently to cms. as below, change the host check. This check happens in more than one place.

    /* Anything for cms.* goes straight through without caching */
    if ( ~ "^cms.") {
      ... DO STUFF ...

If you have other sites/domains running on the same server that you do NOT want to be affected by Varnish, you could add something like this to the pugpig.vcl

    /* Anything that does not start with api isn't intended for the drupal multisite and is passed through */
    if (! ~ "^api.") {
       set req.http.x-client-ip = client.ip;
       set req.http.x-original-url = req.url;
       return (pipe);

Drupal Config of Varnish

Once Varnish is installed, you need to tell Drupal which Varnish servers need to be cleared when content changes. You can include a space separate list of machines here. All the machines in the cluster that need to be cleared should be listed.

Configure this at: /admin/config/development/varnish


Using Multi Drupal Instances (or Drupal Multisite)

Each site will need:

  • its own version of the auth module, including a env_config.php with specific setting for that site
  • host specific .vcl file pointing to the correct backend and version of pugpig_auth.php
  • varnishd will need to include the correct .vcl based on the host

Testing Your Configuration

You can use the following URL to test the IP ranges that are considered internal: /auth_service/pugpig_range_check.php

See an example below:

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request


Powered by Zendesk