0

Let's say 72.72.72.72 is the client IP and I wanted to compare it to a token or a header that had an IP of 72.72.73.72. Basically I want to compare 72.72.72.72 and 72.72.73.72, but dynamically without an ACL.

So basically, if I give out a token as a backend HTTP service and sign it with a secret with certain parameters like an IP address, I want to be able to allow only certain IPs to successfully use that token. For example, I want to allow all IPs within a /20 or so of the IP in the token I gave out to use that token successfully. Does that make sense @djdomi? I know I can split the token string, get the IP and compare the first 3 octets for an easy /24 comparison, but is there an easier way for something like /20? You can do this using an ACL, but all the IPs must be in the ACL. Is it possible to check client.ip ~ client.ip/20 without using the ACL feature?

Dan
  • 1
  • 1
  • Your question is really short. Can you please explain the business-related problem you are facing and trying to solve? Sometimes more is better ;) Because to me it looks like a mixed-up [x and y problem](https://faq-database.de/doku.php?id=en:x-and-y-problem) – djdomi Jun 04 '22 at 06:53
  • So basically, if I give out a token as a backend HTTP service and sign it with a secret with certain parameters like an IP address, I want to be able to allow only certain IPs to successfully use that token. For example, I want to allow all IPs within a /20 or so of the IP in the token I gave out to use that token successfully. Does that make sense @djdomi? I know I can split the token string, get the IP and compare the first 3 octets for an easy /24 comparison, but is there an easier way for something like /20? You can do this using an ACL, but all the IPs must be in the ACL. – Dan Jun 07 '22 at 12:16
  • I meant that you should edit your question instead of writing such important information as a comment ;) and a configuration is also needed, since we don't write it for you but help you to fix it – djdomi Jun 07 '22 at 18:05
  • Ah, done, thanks @djdomi! – Dan Jun 08 '22 at 17:42

2 Answers

0

The only way to do this currently is through vmod_aclplus, which is a Varnish Enterprise VMOD. See https://docs.varnish-software.com/varnish-cache-plus/vmods/aclplus/ for more details.

The VCL code

Here's some simplified code that gets the subnet from the token header.

In your use case there will probably be some cryptography involved for the token and some regsub() magic to extract the subnet from the token.

vcl 4.1;

import aclplus;

sub vcl_recv {
    # aclplus.match(IP, STRING) evaluates the ACL string carried in the
    # token header against the client address. Reject the request when the
    # header is missing or the client address is not covered by that ACL,
    # so only the IPs named in the token can use it.
    if (!req.http.token || !aclplus.match(client.ip, req.http.token)) {
        return (synth(403));
    }
}

Basically the aclplus.match(IP, STRING) function allows you to pass an ACL dynamically as a string and match it to an IP address.

Here's an example of potential values that could be stored inside the token header:

127.0.0.1, !192.168.0.1, 192.168.0.0/16, ::1, !::2, fe00::1/16

This means you can store multiple values in a single line.

Buying a Varnish Enterprise license

Varnish Enterprise is the commercial version of Varnish and requires a license. See https://www.varnish-software.com/solutions/varnish-enterprise/ for information about the license.

Pay as you use

If you don't want to buy a license upfront and still want to use Varnish Enterprise and vmod_aclplus, you can run Varnish Enterprise in the Cloud and get charged on a "pay as you use" basis.

There are official Varnish Enterprise machine images available on the AWS, Azure and GCP marketplaces.

See https://www.varnish-software.com/developers/downloads/#cloud-images for more information.

Thijs Feryn
  • 1,166
  • 4
  • 5
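The token design the question describes (a token signed with a secret that pins an IP prefix such as a /20, checked against client.ip) and the ACL-string matching that aclplus.match() performs in the answer above, as an added Python example that is not code from the question, from either answer, or from Varnish or vmod_aclplus. The function and constant names (issue_token, verify_token, client_allowed, acl_string_match, SECRET) and the sample secret are this example's own; the "most specific entry wins" rule in acl_string_match is an assumption about the ACL-string semantics, not documented vmod_aclplus behaviour.

```python
"""
Added example (not from the question or either answer): an HMAC-signed token
that pins a network prefix, a verifier for it, the client-IP check the
question asks for, and a matcher for the "a, !b, c/16" ACL-string format
shown in the answer. All names below are this example's own.
"""
import base64
import hashlib
import hmac
import ipaddress
import json
import time

# Constructed secret for the example; a real service would load it from
# an environment variable or a secret store, never hard-code it.
SECRET = b"example-signing-secret-not-for-production"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(ip, prefixlen, ttl, now=None):
    """Return "<payload>.<mac>", where payload pins the network of ip/prefixlen."""
    now = int(time.time()) if now is None else now
    # Normalise to the network, so 72.72.72.72/20 and 72.72.73.72/20 both
    # yield the claim 72.72.64.0/20; the token does not depend on which
    # address in the /20 was seen first.
    net = ipaddress.ip_network("%s/%d" % (ip, prefixlen), strict=False)
    claims = {"net": str(net), "exp": now + ttl}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return "%s.%s" % (payload, _b64(mac))


def verify_token(token, now=None):
    """Check the MAC in constant time and the expiry; return claims or None."""
    now = int(time.time()) if now is None else now
    try:
        payload, mac = token.split(".", 1)
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(mac)):
            return None  # tampered payload or MAC
        claims = json.loads(_unb64(payload))
        if claims["exp"] <= now:
            return None  # expired
        ipaddress.ip_network(claims["net"])  # malformed network -> ValueError
        return claims
    except (ValueError, KeyError, TypeError):
        return None


def client_allowed(token, client_ip, now=None):
    """The check the question asks for: is client_ip inside the token's prefix?"""
    claims = verify_token(token, now)
    if claims is None:
        return False
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(claims["net"])


def acl_string_match(ip, acl):
    """Match ip against an ACL string such as
    "127.0.0.1, !192.168.0.1, 192.168.0.0/16, ::1, !::2, fe00::1/16".
    Assumption (not vmod_aclplus's documented rule): the most specific
    matching entry decides, and a leading '!' makes an entry a denial."""
    addr = ipaddress.ip_address(ip)
    best = None  # (prefixlen, allowed) of the most specific hit so far
    for raw in acl.split(","):
        entry = raw.strip()
        if not entry:
            continue
        allowed = not entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!").strip(), strict=False)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, allowed)
    return best is not None and best[1]


if __name__ == "__main__":
    tok = issue_token("72.72.73.72", 20, ttl=300)
    print(verify_token(tok)["net"], client_allowed(tok, "72.72.72.72"))
```

Because the token carries the network rather than the raw address, the /20 comparison reduces to a single prefix test on the receiving side, and the signature covers the prefix so a client cannot widen it. The same split applies to the VCL answer: the backend does the signing and canonicalisation, and Varnish only needs the verified ACL string to hand to aclplus.match().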
0

I was super bothered by the fact that we do not have a solution to this problem in open-source varnish cache and because it seemed doable in a couple of hours, I wrote libvmod-acltools just now. For now, it only supports converting a single <ip>/<mask> into an ACL and I noticed some limitations in Varnish-Cache which we might want to address.

As Thijs included an ad for Varnish-Software's closed-source product, I would also like to mention that there are some independent open source developers out there like myself and phk: