0

It is my understanding, from looking at the Varnish pipeline chart, that vcl_pipe can be only called from vcl_recv.

I am setting up a VCL to serve binary resources from a back end contingent on some conditions, including access control.

The way I thought of setting this up so far is thus: go through all my checks, which include moving out of vcl_recv; if the conditions are set for streaming the resource, set a flag; restart the transaction; check the flag first thing in vcl_recv, and if set, call vcl_pipe.

The only, major, issue is that I don't know how to set a flag (e.g. in http.request) that could not be forged by a request header. So a caller who knows my VCL could easily set the pipe flag and bypass all checks.

The other option is to keep all checks in vcl_recv but that may be clunky or even impossible.

Suggestions will be appreciated. Thanks.

user3758232
  • 109
  • 5

1 Answers1

1

The only, major, issue is that I don't know how to set a flag

You could unset it at the beginning of your vcl_recv, if number of restarts is zero (that would indicate "initial" landing in VCL e.g.

sub vcl_recv {
    if (req.restarts == 0) {
        unset req.http.X-Foo; 
    }

Oh, and I found just precisely what you were after while getting the syntax for that :)

Danila Vershinin
  • 5,286
  • 5
  • 17
  • 21
  • Thanks very much, also for the related thread. I think that should work, even if I restart for other reasons, if I add your snippet at the very beginning of my `vcl_recv`. – user3758232 Sep 09 '20 at 19:04