varnishd: add a feature flag to disable bans in VCL
Add vcl_ban feature flag to disallow usage of ban() in VCL to prevent a possible DoS scenario in a multi-tenant setup.
Showing
4 changed files
with
58 additions
and
1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
varnishtest "Test vcl_ban" | ||
|
||
server s1 { | ||
rxreq | ||
txresp -status 200 -body "ban" | ||
} -start | ||
|
||
varnish v1 -arg "-p feature=-vcl_ban" -vcl+backend { | ||
sub vcl_recv { | ||
ban("obj.status == 0"); | ||
} | ||
} -start | ||
|
||
logexpect l1 -v v1 { | ||
expect * 1001 VCL_Error "ban\\(\\): Feature flag vcl_ban is off" | ||
} -start | ||
|
||
client c1 { | ||
txreq -url "/ban" | ||
rxresp | ||
expect resp.status == 503 | ||
} -run | ||
|
||
logexpect l1 -wait | ||
|
||
varnish v1 -cliok "param.set feature +vcl_ban" | ||
|
||
client c2 { | ||
txreq -url "/ban" | ||
rxresp | ||
expect resp.status == 200 | ||
} -run | ||
|
||
varnish v1 -cliok "param.set feature -vcl_ban" | ||
|
||
logexpect l2 -v v1 { | ||
expect * * VCL_Error "ban\\(\\): Feature flag vcl_ban is off" | ||
} -start | ||
|
||
client c3 { | ||
txreq -url "/ban" | ||
rxresp | ||
expect resp.status == 503 | ||
} -run | ||
|
||
logexpect l2 -wait |
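Review bot: The c1, c2 and c3 checks only show that the request fails or succeeds; they never assert that the ban list stays untouched while `vcl_ban` is off, which is the property the DoS mitigation relies on. After c1 and c3 I would assert that the ban counter did not move, and after c2 that it did, for example `varnish v1 -expect bans_added == <baseline>` (placeholder; use the value observed right after start-up). The test also exercises only the built-in `ban()` called from `vcl_recv`. If `std.ban()` reaches the ban list through a separate path, it needs its own case here, because the flag would otherwise not cover it; this file does not show whether the check sits in shared code.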