I need to restrict varnish purge requests to wordpress logged in users, so that when one user updates a post or page, the purge request sent to varnish can take effect. I have debian, apache2, varnish 4.0, and 'Varnish HTTP Purge' plugin installed. All works well, but the problem is anyone on the internet can send a ' curl -X PURGE "example.com" ' command and purge my cache. I know I can restrict the IP's that can send purge requests in the 'acl' clause in my 'default.vcl', but the problem is that the IP's of users that must send purge requests are dynamic, so they change from time to time.
Asked
Active
Viewed 163 times
0
-
If the _plugin_ is sending the purge requests, then only the local server's IP addresses need to be listed! Users shouldn't need to manually send purge requests with curl at all. – Michael Hampton Aug 09 '15 at 23:41
-
Yes, only the plugin is sending the purge requests. The fact is the server itself has a changing IP, and I wouldn't want to manually set the IPs in the 'acl' clause every time the IP changes. – Ludvik Aug 10 '15 at 00:51
-
1What's wrong with localhost? That never changes. – Michael Hampton Aug 10 '15 at 01:25
-
It doesn't work with localhost. It only works if I add the server's public IPv4 and IPv6 addresses. And those are the ones that change periodically. – Ludvik Aug 10 '15 at 01:30