VCL: Can we craft and send a HTTP request to an Auth server?

Comments

11 comments

  • Justin

    Can we craft a HTTP request to my auth server from vcl_recv?

    You can change the host to connect to, the path and query string, and add headers before a restart. So in effect you can create a whole new request. Check here and here for more information on this.

    The payload of this will be a JSON-format auth request, and based on the response from the auth server we proceed to allow or deny access to the web content.

    However, as far as I know, you can't add a body, so that won't be possible.

    Or can I use any of the vmods, like curl, for doing this? Is there support to achieve this?

    No, you can't use vmods either. We've incorporated many into our core Varnish, but not curl. The restart capability is the closest thing.

  • techreb

    Hi Justin, thank you for this information. I was trying to solve the problem based on your inputs. But now I am stuck with my POST form requests. I see that after a restart my form data in the payload is lost. Am I missing something? -Michael

  • Justin

    Yes, that's expected. After a restart the body of a POST request will not be preserved. You could stash req.postbody in a header so that you can pass it on in the other requests and have it available that way.

  • techreb

    Thank you so much for the reply. You are right, I can stash it in a separate HTTP header field. But req.postbody cannot be attached back to the REQ in the second pass, after successful authentication.

    Thanks, Michael

  • Justin

    Yes, that's also true! There's no way to change or amend the body of the request, GET or POST.

  • ryantownsend

    Is there a solution for this use-case? We're looking at authenticating requests, but we need it to work for POST / PATCH / DELETE etc, not just GET requests.

  • gocoy

    Do you have an example with VCL? I need to change the request host between the first request and the second one. But your link doesn't help me.

  • Andrew Betts

    Hi @gocoy,

    I've recently been working on a tool that helps our customers to try out VCL. You can see an example of what I call 'preflighting', which is sending one request and then using the response to determine whether to send another, in this fiddle:

    https://fiddle.fastlydemo.net/fiddle/f1bbff1e

    You specifically mention changing the host, and you will indeed have to do that, though currently the fiddle does this invisibly rather than allowing you to do it yourself. So when you set the backend with set req.backend = F_originname;, in practice you will also need to do set req.http.host = "host header of new backend";.

    Let me know how you get on, and I'm sorry the tool currently has very little documentation. It's very much an early alpha.

  • gocoy

    Hi, I'm already using Fastly Fiddle, thanks. Your answer partially resolves my problem, because my second origin is based on the first origin's response. I see that origins are modifiable only with the API, right?

    Any other ideas?

    Thanks F.

  • Andrew Betts

    You can't specify an origin dynamically, but you can have a number of origins. So if you know what all the possibilities are, set all of those up as differently-named origins, and then switch to the one that you want based on the content of your preflight response.

    We do have API functions for creating backends versionlessly (i.e. without activating a new version of your entire configuration): https://docs.fastly.com/api/dynamicservers.
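
The restart-based preflight discussed in this thread, written out as an added example (not code from any participant or from Fastly). The backend names `F_auth` and `F_content`, the auth Host value, the `/check` path, the `X-Preflight-Ok` / `X-Orig-*` header names and the choice to reject body-carrying methods with a 405 are all assumptions made for illustration.

```vcl
sub vcl_recv {
#FASTLY recv
  if (req.restarts == 0) {
    # First pass. Drop client-supplied copies of the internal state headers
    # so a request cannot arrive already marked as authorized.
    unset req.http.X-Preflight-Ok;
    unset req.http.X-Orig-Url;
    unset req.http.X-Orig-Host;

    # A restart loses the request body (see the thread), so this sketch
    # refuses methods that carry one instead of forwarding them unchecked.
    if (req.method != "GET" && req.method != "HEAD") {
      error 405 "Method Not Allowed";
    }

    # Remember the real request, then point this pass at the auth origin.
    set req.http.X-Orig-Url = req.url;
    set req.http.X-Orig-Host = req.http.host;
    set req.backend = F_auth;                # assumed backend name
    set req.http.host = "auth.example.com";  # assumed auth Host header
    set req.url = "/check";                  # assumed auth endpoint
    return(pass);                            # never cache the auth decision
  }

  # Second pass. Fail closed unless vcl_deliver marked the preflight as OK.
  if (!req.http.X-Preflight-Ok) {
    error 403 "Forbidden";
  }
  unset req.http.X-Preflight-Ok;             # keep internal state off the origin
  set req.backend = F_content;               # assumed backend name
  set req.url = req.http.X-Orig-Url;
  set req.http.host = req.http.X-Orig-Host;
  return(lookup);
}

sub vcl_deliver {
#FASTLY deliver
  # X-Orig-Url is only set once a preflight was dispatched, so the 405
  # generated above is delivered as-is rather than restarted.
  if (req.restarts == 0 && req.http.X-Orig-Url) {
    # The auth server's response is never shown to the client. Anything
    # other than a 200 restarts without the marker and ends in the 403.
    if (resp.status == 200) {
      set req.http.X-Preflight-Ok = "1";
    }
    restart;
  }
  return(deliver);
}
```

Credentials reach the auth origin only as request headers (cookies, `Authorization`), since the thread establishes that a body cannot be added to the preflight.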
