Closed ericras closed 7 years ago
See notes in #924
Updated Varnish config:

```vcl
sub vcl_recv {
  // If unlcms_force_varnish cookie exists, return cached page
  if (req.http.Cookie ~ "(^|;\s*)(unlcms_force_varnish=true)(;|$)") {
    set req.http.Cookie = regsuball(req.http.Cookie, "(^|;\s*)(__[a-z]+|SESS[A-Za-z0-9]*)=[^;]*", "");
    set req.http.Cookie = regsuball(req.http.Cookie, "(^|;\s*)(__[a-z]+|unl_sso)=[^;]*", "");
    return(hash);
  }
}
```
Looking good on staging. Need Varnish updated on production.
Update the Varnish config to only respect the force_varnish cookie on GET and HEAD requests. (Ignore it for POST requests, like on a webform page.)

```vcl
sub vcl_recv {
  // If unlcms_force_varnish cookie exists, return cached page
  if (req.http.Cookie ~ "(^|;\s*)(unlcms_force_varnish=true)(;|$)" && (req.method == "GET" || req.method == "HEAD")) {
    set req.http.Cookie = regsuball(req.http.Cookie, "(^|;\s*)(__[a-z]+|SESS[A-Za-z0-9]*)=[^;]*", "");
    set req.http.Cookie = regsuball(req.http.Cookie, "(^|;\s*)(__[a-z]+|unl_sso)=[^;]*", "");
    return(hash);
  }
}
```
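As an added example (not code from this issue or the UNL CMS project), the Python below models the vcl_recv block above using the issue's own three cookie regexes, so the GET/HEAD guard and the cookie stripping can be checked against constructed Cookie headers before the config reaches production. It also makes visible that the stripping leaves a leading `; ` separator behind when a session cookie came first.

```python
import re

# The three cookie regexes from the issue's vcl_recv, used unchanged.
# Varnish's regsuball() replaces every match, which is what re.sub does.
FORCE_VARNISH = re.compile(r"(^|;\s*)(unlcms_force_varnish=true)(;|$)")
STRIP_SESSION = re.compile(r"(^|;\s*)(__[a-z]+|SESS[A-Za-z0-9]*)=[^;]*")
STRIP_SSO = re.compile(r"(^|;\s*)(__[a-z]+|unl_sso)=[^;]*")


def vcl_recv(method, cookie):
    """Model of the force-varnish block in the issue's vcl_recv.

    Returns (action, cookie_forwarded_to_backend). action is "hash" when the
    block fires, or None when it falls through to the rest of vcl_recv, which
    the issue's config leaves untouched. cookie is None when the request had
    no Cookie header (Varnish's ~ is false on an unset header).
    """
    force = cookie is not None and FORCE_VARNISH.search(cookie) is not None
    if force and method in ("GET", "HEAD"):
        # Drop Drupal session and SSO cookies so the backend sees an
        # anonymous request and the cached anonymous page is served.
        cookie = STRIP_SESSION.sub("", cookie)
        cookie = STRIP_SSO.sub("", cookie)
        return "hash", cookie
    return None, cookie


if __name__ == "__main__":
    # Constructed Cookie headers, not captured traffic.
    logged_in = "SESSa1b2=deadbeef; unl_sso=ticket123; unlcms_force_varnish=true"
    for method, cookie in [("GET", logged_in), ("POST", logged_in),
                           ("GET", "SESSx=1; notunlcms_force_varnish=true"),
                           ("GET", None)]:
        print(method, repr(cookie), "->", vcl_recv(method, cookie))
```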
From #924
This is more pseudo code than anything and would need to be heavily tested. The idea is that right after authentication with CAS (and before LDAP lookup or account creation), check if the user even needs to be logged in. Then if the user does not need to be logged in, set a cookie for the site's domain+path that tells Varnish to always cache (ignore the unl_sso cookie).
In other words, if the user tries to log in (gateway auth via SSO) do the following:

- perform the gateway auth
- if the user has a role, log them in as usual
- if the user has no role (or is only an 'authenticated user'), do not log them in and set a cookie unlcms_force_varnish, which Varnish can then use to force caching even if the SSO cookie is set

There is also some checking to see if the unl_access module is enabled or if the smart caching was disabled for the site in the configuration. This 'smart checking' can be vastly improved, but it gets the point across.
I'm not sure if this is the best approach, or if I covered all the necessary cases. I also don't know how to configure Varnish to check for the new cookie, but I'm guessing it's possible.
How to configure Varnish:

I haven't actually tried this yet, but I think it should work.

After all of the other checks to see if content should not be cached, we could add a check like this:

```vcl
if (req.http.Cookie ~ "(^|;\s*)(unlcms_force_varnish=true)(;|$)") {
  // force varnish (bypass the unl_sso cookie), another alternative might be to unset the unl_sso cookie here
  return(hash);
}
```

Questions
- If unlcms_force_varnish is set, how can we still force a login if we need it? (Maybe just unsetting the unl_sso cookie would be better.)
- Not quite sure how to still allow a gateway auth on pages restricted by unl_access. Perhaps have those pages serve a custom header (x-allow-gateway) and then modify the above Varnish config to NOT force a cache if that header is set?