python / psf-salt

PSF infrastructure configuration
MIT License

Add some VCL to fastly so docs can be purged by top or 2nd level folder #287

Open JulienPalard opened 1 year ago

JulienPalard commented 1 year ago

As documented in https://docs.fastly.com/en/guides/wildcard-purges

It would be nice to be able to purge a whole version of the doc at once from docsbuild scripts when updating a symlink, like PURGE /3/ and PURGE /fr/3/ and so on, instead of doing it file by file.

ewdurbin commented 1 year ago

Some thoughts:

Implementation of Surrogate-Keys

It could be done via headers/conditions in the service configuration, though currently the docs fastly configuration is not created from version control (outside of fastly's own internal versioning), so I'm not sure if that's the best way to approach it.

Regardless this is better accomplished by setting Surrogate-Key header values directly on the responses served via the backend.

Since as far as I am aware, there's no trivial way to manage adding HTTP headers with sphinx, I recommend doing this by using nginx add_header directives in the nginx config rather than with VCL.

Access for purging

Currently purges using Surrogate-Keys are only accessible via the authenticated API, so we'd need some mechanism for issuing them when necessary.
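
An added example (not configuration from the psf-salt repository) of the nginx side of this: an `add_header` fed by a `map`, so every response carries one Surrogate-Key for its top-level folder and one for its top/second-level folder pair. It assumes the docs vhost serves files straight from a docroot at paths like `/3/library/os.html` or `/fr/3/library/os.html`; the hostname and docroot below are placeholders.

```nginx
# Added example, not the project's own nginx config. Assumed layout: the
# docs vhost serves /<top>/<second>/... straight from its docroot.
#
# Rule: each response gets key "<top>" and key "<top>-<second>", so purging
# key "3" drops /3/* everywhere on the edge and "fr-3" drops /fr/3/*.
# Keys are joined with "-" rather than "/" because the key ends up in the
# purge API URL path. Surrogate-Key values are space-separated, so a key
# must never contain a space: the captures exclude both "/" and " ".

# http context: derive the keys once per request from the normalized $uri.
# Regexes in a map are tested in the order written; the first match wins,
# so the two-segment pattern has to come before the one-segment pattern.
map $uri $docs_surrogate_key {
    default                                  "";
    "~^/(?<top>[^/ ]+)/(?<second>[^/ ]+)/"   "$top $top-$second";
    "~^/(?<top>[^/ ]+)/"                     "$top";
}

server {
    listen 443 ssl;
    server_name docs.example.org;   # placeholder hostname
    root /srv/docs;                 # placeholder docroot

    location / {
        # Fastly reads this header on the origin response and indexes the
        # cached object under each listed key. nginx adds it only to
        # 2xx/3xx responses and skips it entirely when the value is empty,
        # so a request for "/" simply gets no Surrogate-Key.
        add_header Surrogate-Key $docs_surrogate_key;
    }
}
```

With this in place, `/fr/3/library/os.html` is cached under `fr` and `fr-3`, and `/3/library/os.html` under `3` and `3-library`. Purging then goes through Fastly's authenticated API rather than through VCL: a `POST` to `/service/<service_id>/purge/<key>` on `api.fastly.com` with a `Fastly-Key` header carrying an API token, which is the access question raised above.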

JulienPalard commented 1 year ago

What about using BANs with regexes implemented purely in VCL so we can do it without the authenticated API?

https://varnish-cache.org/docs/7.2/users-guide/purging.html

Something like:

        if (req.method == "BAN") {
                # Same ACL check as above:
                if (!client.ip ~ purge) {
                        return(synth(403, "Not allowed."));
                }
                # Assumes req.url is a regex. This might be a bit too simple
                if (std.ban("obj.http.url ~ " + req.url)) {
                        return(synth(200, "Ban added"));
                } else {
                        # return ban error in 400 response
                        return(synth(400, std.ban_error()));
                }
        }

While we're at it, implementing an IP whitelist for PURGE and BAN would be great to avoid ReDoS attacks.

ewdurbin commented 1 year ago

Surrogate-Key purges aren't exposed via Fastly's config/VCL but through their API, so I don't think that will work.

JulienPalard commented 1 year ago

I have almost never used fastly, I just had plain varnish in prod. Is fastly VCL restricted in some way that blocks us from playing this kind of trick? :(