feat: purge acl

zazuko · Jun 25, 2024 · 60aa54b · 60aa54b
1 parent 7af4001
commit 60aa54b
Show file tree

Hide file tree

Showing 6 changed files with 39 additions and 0 deletions.
diff --git a/.changeset/olive-icons-guess.md b/.changeset/olive-icons-guess.md
@@ -0,0 +1,10 @@
+---
+"varnish-post": minor
+---
+
+It is now possible to configure purge ACL, by setting the `PURGE_ACL` to a relevant hostname or IP CIDR.
+
+By default, the `PURGE_ACL` is set to `localhost`.
+This means that only requests coming from the same host as the Varnish container will be able to purge the cache.
+
+You can set the `PURGE_ACL` to `0.0.0.0/0` to allow all hosts to purge the cache for example, or a more specific IP CIDR.
diff --git a/Dockerfile b/Dockerfile
@@ -25,6 +25,7 @@ ENV DISABLE_ERROR_CACHING_TTL="30s"
 ENV CONFIG_FILE="default.vcl"
 ENV ENABLE_LOGS="true"
 ENV ENABLE_PROMETHEUS_EXPORTER="false"
+ENV PURGE_ACL="localhost"
 
 # Install some dependencies
 RUN apt-get update \

diff --git a/README.md b/README.md
@@ -30,6 +30,7 @@ You can use following environment variables for configuration:
 - `ENABLE_LOGS`: enable logs (default: `true`)
 - `ENABLE_PROMETHEUS_EXPORTER`: enable the Prometheus exporter if set to `true` (default: `false`).
   If enabled, the exporter will be available on the 9131 port.
+- `PURGE_ACL_CUSTOM`: custom ACL for the PURGE method (default: `localhost`) ; you can use `"0.0.0.0"/0` to allow all.
 
 ## Cache invalidation
 

diff --git a/config/default.vcl b/config/default.vcl
@@ -4,6 +4,10 @@ import std;
 import bodyaccess;
 import xkey;
 
+acl purge {
+  $PURGE_ACL;
+}
+
 # Backend server that should be cached
 backend default {
   .host = "$BACKEND_HOST";
@@ -38,6 +42,9 @@ sub vcl_recv {
 
   # Handle PURGE requests
   if (req.method == "PURGE") {
+    if (!client.ip ~ purge) {
+      return (synth(405, "Method Not Allowed"));
+    }
     if (req.http.xkey) {
       set req.http.n-gone = xkey.purge(req.http.xkey);
       return (synth(200, "Invalidated " + req.http.n-gone + " objects"));

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -5,6 +5,22 @@ ENABLE_PROMETHEUS_EXPORTER="${ENABLE_PROMETHEUS_EXPORTER}"
 
 set -eu
 
+# Function to transform a host into a VCL-friendly format
+transform_host() {
+  input="$1"
+
+  # Check if input is in CIDR notation (e.g., 0.0.0.0/0)
+  if echo "$input" | grep -q "/"; then
+    ip_part=$(echo "$input" | cut -d'/' -f1)
+    cidr_part=$(echo "$input" | cut -d'/' -f2)
+    echo "\"$ip_part\"/$cidr_part"
+  else
+    # Otherwise, it's a regular hostname or IP
+    echo "\"$input\""
+  fi
+}
+PURGE_ACL=$(transform_host "${PURGE_ACL}")
+
 # Environment variables substitution
 for SRC_LOCATION in $(find /templates -type f); do
   DST_LOCATION=$(echo "${SRC_LOCATION}" | sed 's/^\/templates/\/etc\/varnish/')
@@ -26,6 +42,9 @@ if [ "${ENABLE_PROMETHEUS_EXPORTER}" = "true" ]; then
     -web.telemetry-path "/metrics") &
 fi
 
+# Display Varnish configuration
+cat "/etc/varnish/${CONFIG_FILE}"
+
 set -x
 
 # Run Varnish

diff --git a/test/docker-compose.yaml b/test/docker-compose.yaml
@@ -12,3 +12,4 @@ services:
       - BACKEND_HOST=backend
       - BACKEND_PORT=8080
       - CACHE_TTL=2s
+      - PURGE_ACL=0.0.0.0/0