Problem with purge key

[arrubiu]

On my site I'm using varnish_tag 6.0-4.0.0 with varnish_purger module on a Drupal installation. With 4.1-3.0.7 I've no problem, I've update to latest stable release and for every request I've this error in my watchdog entries:

purger_varnish_d671be62a8: item failed due GuzzleHttp\Exception\ClientException, details (JSON): {"msg":"Client error:BAN http:\/\/varnish:6081\/resulted in a405 Not allowed from 172.27.0.3response: <!DOCTYPE html> <html> <head> <title>405 Not allowed from 172.27.0.3<\/title> <\/head> <body> <h1>Error 405 (truncated...) ","uri":"http:\/\/varnish:6081\/","method":"BAN","guzzle_opt":{"http_errors":true,"connect_timeout":1,"timeout":1},"headers":{"user-agent":"varnish_purger module for Drupal 8.","cache-tags":"config:system.menu.main","x-vc-my-purge-key":"secret"}}

This is the varnish section of my docker-compose:

varnish:
    image: wodby/varnish:$VARNISH_TAG
    container_name: "${PROJECT_NAME}_varnish"
    depends_on:
      - nginx
    environment:
      VARNISH_SECRET: secret
      VARNISH_PURGE_KEY: secret
      VARNISH_BACKEND_HOST: nginx
      VARNISH_BACKEND_PORT: 80
      VARNISH_CONFIG_PRESET: drupal
      VARNISH_PURGE_EXTERNAL_REQUEST_HEADER: X-Real-IP
      VARNISH_DRUPAL_PRESERVED_COOKIES: "SESS[a-z0-9]+|SSESS[a-z0-9]+|NO_CACHE+|Drupal.visitor.legal_hash+|Drupal.visitor.legal_id"

On the module configuration I've added an header "X-VC-My-Purge-Key" with value "secret".

Is it the right way?

Thanks a lot, Sergio

[csandanov]

We've released 4.1.0, it has fixes related to purging.

[arrubiu]

I've installaed release 4.1.0 (on 6.x "branch") and the error remains. Are configurations above ok?

[csandanov]

Is this only with 6.0 branch? Does it work with 4.1-4.1.0?

[csandanov]

By the way, you must use X-VC-My-Purge-Key header to pass the purge key, see https://github.com/wodby/varnish#cache-flushing

[arrubiu]

The error remains alto in 4.1-4.1.0. I've added the header to the module conf:

[arrubiu]

In the drupal error it seems the header is sent:

purger_varnish_d671be62a8: item failed due GuzzleHttp\Exception\ClientException, details (JSON): {"msg":"Client error:BAN http:\/\/varnish:6081\/resulted in a405 Not allowed from 172.27.0.4response: <!DOCTYPE html> <html> <head> <title>405 Not allowed from 172.27.0.4<\/title> <\/head> <body> <h1>Error 405 (truncated...) ","uri":"http:\/\/varnish:6081\/","method":"BAN","guzzle_opt":{"http_errors":true,"connect_timeout":1,"timeout":1},"headers":{"user-agent":"varnish_purger module for Drupal 8.","cache-tags":"config:user.role.administrator","x-vc-my-purge-key":"secret"}}

[csandanov]

I'm sorry, the header should be X-VC-Purge-Key, not X-VC-My-Purge-Key (fixed in the README as well). By the way, if you can set $VARNISH_ALLOW_UNRESTRICTED_PURGE.

[csandanov]

Are you running varnish locally in docker-compose? If so, having VARNISH_PURGE_EXTERNAL_REQUEST_HEADER: X-Real-IP should normally allow you purging without specifying the purge key from the internal network. Because in case of the varnish purger module the ban request comes from the php container that has no X-Real-IP header.

[csandanov]

Ok, I've tested with D8 and there was the issue that prevented $VARNISH_PURGE_EXTERNAL_REQUEST_HEADER from working. Fixed now, 4.1.1 tag.

[arrubiu]

By the way: in my case, with the right header name, it works without using VARNISH_PURGE_EXTERNAL_REQUEST_HEADER

I'm using a "classical" docker4drupal installation.

[csandanov]

Not sure what you mean by "classical" but yes, that's how it suppose to work – either allow requests from the internal network (from php to varnish container) without a purge key by setting $VARNISH_PURGE_EXTERNAL_REQUEST_HEADER or just specify the purge key.