Varnish S3-like, signed, time-limited request before delivery of objects, in VCL

This question may seem a little strange, but is there perhaps a poor man's solution in VCL to analyze a signed request (with a shared secret key, e.g. a poor man's HMAC solution) created by the referring (main) site, and only serve content from Varnish if the signature is correct and the mark (signature) has not expired?

That is, similar to how Amazon S3 works, where you can easily create a signed temporary URL for your S3 object, which expires in a certain number of seconds.

Note. I'm not talking about cache expiration here, but the URL for the client is expiring.

This is convenient when you only want to provide a temporary URL to your users, to prevent long-term hotlinking without checking the referrer header.

So, a poor man's solution for temporary URLs in VCL (preferably in vcl_recv, without affecting the expiration of the internal object). Is this possible without creating a VMOD?

Edit:

I found another way to authorize content using varnish:

http://monolight.cc/2011/04/content-authorization-with-varnish/

But this is not what I want to achieve.

Yours faithfully!

+4
2 answers

Yes it is possible.

In essence, you need to check the signature (digest vmod), extract the timestamp from whatever header it is in (regsub), and compare it with the current time.

Use std.integer() to create a timestamp:

https://www.varnish-cache.org/docs/trunk/reference/vmod_std.html#integer

Use the now built-in variable in VCL to get the current timestamp. You might want to do (now + 0s) to force Varnish to give you a unix timestamp.

https://www.varnish-cache.org/docs/trunk/reference/vcl.html#variables

The vmod is on GitHub:

https://github.com/varnish/libvmod-digest
+3
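As an added example (not code from the answer above, from Varnish or from libvmod-digest), here is one way to put that recipe together in VCL 4.0. The URL layout `/protected/<object>?expires=<unix time>&sig=<hex HMAC-SHA256 of "path:expires">`, the X-* scratch headers and the placeholder secret are assumptions; it also assumes digest.hmac_sha256 returns lowercase hex and that std.time accepts a numeric epoch string.

```vcl
vcl 4.0;

import std;
import digest;

backend default { .host = "127.0.0.1"; .port = "8080"; }

sub vcl_recv {
    # Only objects under /protected/ need a signed, time-limited URL (assumption).
    if (req.url ~ "^/protected/") {
        # Pull the expiry and the signature out of the query string with regsub.
        set req.http.X-Expires = regsub(req.url, "^.*[?&]expires=([0-9]+).*$", "\1");
        set req.http.X-Sig     = regsub(req.url, "^.*[?&]sig=([0-9a-f]+).*$", "\1");
        # The path without the query string is what the referring site signed.
        set req.http.X-Path    = regsub(req.url, "\?.*$", "");

        # regsub returns its input unchanged when the pattern does not match,
        # so validate the extracted values before using them.
        if (req.http.X-Expires !~ "^[0-9]+$" || req.http.X-Sig !~ "^[0-9a-f]{64}$") {
            return (synth(403, "Missing or malformed signature"));
        }

        # Expiry check against the current time. The fallback is deliberately in
        # the past so that an unparsable timestamp is rejected, not accepted.
        if (std.time(req.http.X-Expires, now - 1s) < now) {
            return (synth(403, "Signed URL has expired"));
        }

        # Recompute HMAC-SHA256 over "path:expires" with the shared secret
        # (placeholder value; keep the real key out of version control).
        set req.http.X-Expected = digest.hmac_sha256(
            "CHANGE-ME-shared-secret",
            req.http.X-Path + ":" + req.http.X-Expires);
        if (req.http.X-Expected != req.http.X-Sig) {
            return (synth(403, "Bad signature"));
        }

        # Strip the signature from the URL so every signed link to the same
        # object hits one cache entry, and drop the scratch headers so they
        # never reach the backend.
        set req.url = req.http.X-Path;
        unset req.http.X-Expires;
        unset req.http.X-Sig;
        unset req.http.X-Path;
        unset req.http.X-Expected;
    }
}
```

The referring site builds the link by computing the same HMAC over `path:expires` with the shared secret; a link is therefore bound to one object and one expiry, and changing either invalidates it.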

Is there a VMOD already available for this, if that helps?

Protected varnish protection module

0
