6

Laravel sets a cookie even when a user is not logged in. This forces Varnish to send every request to the backend. I've come across some people (http://abeak.blogspot.co.uk/2014/12/caching-laravel-with-varnish.html) using Session Monster package, which sets a X-No-Session header if the user is not authenticated. This is a Laravel 4 package, so I've created a middleware instead that sets the header if the user is not authed.

I can't figure out how to get Varnish to send requests to the backend only when the header is not set. I'd greatly appreciate any guidance!

EDIT:

This middleware sets the X-No-Session header if the user is not logged in:

<?php

namespace App\Http\Middleware;

use Closure;
use Session;

class StripSessionsIfNotAuthenticated
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        if(auth()->check()) {
            return $next($request);
        }

        return $next($request)->header('X-No-Session', 'yeah');
    }
}

I have then converted the VCL in the linked article to VCL V4:

#
# This is an example VCL file for Varnish.
#
# It does not do anything by default, delegating control to the
# builtin VCL. The builtin VCL is called when there is no explicit
# return statement.
#
# See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/
# and https://www.varnish-cache.org/trac/wiki/VCLExamples for more examples.

# Marker to tell the VCL compiler that this VCL has been adapted to the
# new 4.0 format.
vcl 4.0;

# Default backend definition. Set this to point to your content server.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Happens before we check if we have this in cache already.
    #
    # Typically you clean up the request here, removing cookies you don't need,
    # rewriting the request, etc.

    if (req.url ~ "^/auth" || req.method == "POST" || req.http.Authorization) {
        return (pass);
    }

    if (req.url ~ "\.(png|gif|jpg|css|js|ico|woff|woff2|svg)$") {
        unset req.http.cookie;

        return (hash); 
    }

    if (req.http.X-No-Session ~ "yeah" && req.method != "POST") {
        unset req.http.cookie;
    }

    return (hash);
}

sub vcl_backend_response {
    # Happens after we have read the response headers from the backend.
    #
    # Here you clean the response headers, removing silly Set-Cookie headers
    # and other mistakes your backend does.

    set beresp.ttl = 1d;

    if (bereq.method == "GET" && bereq.url ~ "\.(png|gif|jpg|css|js|ico|woff|woff2|svg)$") {  
        unset beresp.http.set-cookie;

        set beresp.ttl = 5d;
    }

    return (deliver);
}

sub vcl_deliver {
    # Happens when we have all the pieces we need, and are about to send the
    # response to the client.
    #
    # You can do accounting or modifying the final object here.

    if (obj.hits > 0) {
        set resp.http.X-Cache = "HIT";
    } else {
        set resp.http.X-Cache = "MISS";
    }
}
Chris
  • 3,729
  • 22
  • 30
  • So do you do something similar to Session Monster. I.e set a header regardless with different values dependant on if they are authed or not. Maybe post your middleware. – DavidT Mar 08 '16 at 09:14
  • Hey @DavidT I've updated the post with my middleware and Varnish config – Chris Mar 08 '16 at 12:11

2 Answers2

0

Try replacing 

if (req.http. ~ "laravel_session") {
    return (pass);
}

in your sub vcl_recv function with 

if (req.http.X-No-Session ~ "yeah") {  
    unset req.http.cookie;  
}

So that if you do have the X-No-Session header then you dump the cookies. Which in turn will not pass to the backend based on cookies. At the moment you're saying if there is a cookie, pass to the backend. As you already know there will always be a cookie.

If it is also of any help, here is my Varnish configuration.

DavidT
  • 2,341
  • 22
  • 30
0

Your idea is great, but the main issue is that you have to test for the X-No-Session header from the backend response, not the client request. I've managed to make it working rewriting vcl_backend_response() as:

sub vcl_backend_response {
    set beresp.ttl = 1d;

    if (beresp.http.X-No-Session ~ "yeah" && bereq.method != "POST") {
        unset beresp.http.set-cookie;
    }

    if (bereq.method == "GET" && bereq.url ~ "\.(png|gif|jpg|css|js|ico|woff|woff2|svg)$") {
        unset beresp.http.set-cookie;
        set beresp.ttl = 5d;
    }

    return (deliver);
}

In this way the response from the backend is cached purged from the unwanted session cookie.

EDIT: by the way, using

$response->headers->set('X-No-Session', 'yeah');

in the Laravel middleware works also with redirect responses.

madbob
  • 456
  • 1
  • 6
  • 13