php.vcl breaks timthumb.php

[missilefish]

Hi All,

This is my first and seemingly only issue I have with this terrific Varnish addition you all have developed. I'd like to find a way to include some kind of exclusion for what timthumb.php would need to run, it is very common with Wordpress themes. My only solution today (terrible with regex) is to comment out that one section below in the php.vcl security module.

http://EXAMPLEDOMAIN.COM/wp-content/themes/MISCTHEME/scripts/timthumb.php?src=http://EXAMPLEDOMAIN.COM/wp-content/uploads/2010/08/filename.png&w=60&h=60&zc=1&q=100

Any suggestions on crafting something awesome to handle this circumstance? Or a variable to set maybe that would allow certain external sources to be named/blessed, like an ACL?

From php.vcl (lines 133-140):

Generic check for remote code inclusion from external sites

    if (req.url ~ "=?(https?|ftps?|php)://") {
           set req.http.X-SEC-RuleName = "Remote site in URL parameter";
           set req.http.X-SEC-RuleId   = "100";
           set req.http.X-SEC-RuleInfo = "Generic check for remote code inclusion from external sites";
           call sec_php_sev1;
    }

[sz00gun]

any solution so far to fix this problem? I have the same problem...

[jhmartin]

You could make that if (req.url ~ "=?(https?|ftps?|php)://" && ! req.url ~ "timthumb.php") {