Varnish从User-Agent规则返回不正确的后端内容

时间:2016-07-21 16:48:20

标签: varnish

如果User-Agent == GlobalSign或请求网址是/ globalsign,我有一个简单的规则可以将流量重定向到特殊后端。我注意到,在极少数情况下,清漆会错误地从特殊后端返回内容。这似乎是随机发生的,不会重复。

if (req.http.User-Agent ~ "(?i)GlobalSign" ||  req.url ~ "^/globalsign" ) {
    set req.url = "/";
    set req.backend = dgs1;
    return(pipe);
}

后端规则

    backend b1 {
     //Backend 1
    .host = "10.8.8.16";
    .port = "80";
    .probe = {
        .url = "/service_up";
        .timeout = 1s;
        .interval = 5s;
        .window = 10;
        .threshold = 8;
    }
}


backend gs1 {
         // Set host: Globalsign 
        .host = "10.8.8.15";
        .port = "80";
        .probe = {
            .url = "/service_up";
            .timeout = 5s;
            .interval = 5s;
            .window = 10;
            .threshold = 8;
        }
    }

director dgs1 random {

  {
        .backend =   gs1;
        .weight  = 1;
    }

}

director d01 random {
      {
        .backend =   b1;
        .weight  = 1;
    }
}

完整的VCL

include "backends.vcl";
include "bans.vcl";
include "acl.vcl";

sub vcl_recv {

    // Use the director we set up above to answer the request if it's not cached.
    set req.backend = d01;
    if( req.url ~ "^/service_up" ) {
        return(lookup);
    }

    if(client.ip ~ evil_networks){
        error 403 "Forbidden";
    }

    if (req.http.User-Agent ~ "(?i)GlobalSign" ||  req.url ~ "^/globalsign" ) {
        set req.url = "/";
        set req.backend = dgs1;
        return(pipe);
    }

    return(pass)
}

sub vcl_fetch {
    set beresp.grace = 24h;

    if (beresp.status >= 400) {
         return (hit_for_pass);
    }

    // New Set Longer Cache
    if (req.http.user-agent ~ "(Googlebot|msnbot|Yandex|Slurp|Bot|Crawl|bot|Baid|Mediapartners-Google)") {
        unset beresp.http.set-cookie;
        set beresp.ttl = 5d;
        return (deliver);
    }
    if (req.request == "GET" && req.url ~ "\.(css|xml|txt)$") {
        set beresp.ttl = 5d;
        unset beresp.http.set-cookie;
        return (deliver);
    }
    // multimedia
    if (req.request == "GET" && req.url ~ "\.(gif|jpg|jpeg|bmp|png|tiff|tif|ico|img|tga|woff|eot|ttf|svg|wmf|js|swf|ico)$") {
        unset beresp.http.set-cookie;
        set beresp.ttl = 5d;
        return (deliver);
    }
    set beresp.ttl = 5d;
    return (deliver);
}

include "errors.vcl";

sub vcl_deliver {

    return(deliver);
}

1 个答案:

答案 0 :(得分:0)

我猜返回(管道); 是可疑的。

如果保持活动的HTTP客户端只使用 GlobalSign 用户代理或 / globalsign 网址发出一个请求,则所有后续请求都将通过管道传输到 dgs1 ,即使他们不符合标准。

尽可能避免使用管道,这是许多难以跟踪的问题的常见来源。也可能是安全漏洞。