Varnish Cache Plus

ACL (aclplus)

Varnish 6.0

Description

This module allows you to match IP addresses against ACLs similar to VCL ACLs. The key difference is that your ACLs don’t need to be bound to the active VCL and can be stored as strings in a separate VMOD such as vmod-kvstore or even backend responses.

Currently, only IPv4 addresses and subnets are supported, and entries can be prepended with a bang (!) for a negative match.

This product is called vmod-acl in Varnish Cache Plus 4.1 but its documentation is not yet available online. Once the varnish-plus package is installed you can get it by running man vmod_acl.

Syntax

ACLs are represented by a single-line CSV string:

127.0.0.1, !192.168.0.1, 192.168.0.0/16

However, the match is currently not exhaustive but lazy: evaluation stops at the first entry that matches the address, so the following two ACLs don't yield the same results:

! 192.168.0.1, 192.168.0.0/16
192.168.0.0/16, ! 192.168.0.1

For this reason you should always put the most inclusive entries last in your ACL.

API

The API consists of a single function:

BOOL match(IP, STRING)

Returns true if the supplied IP address matches the text-representation of an ACL. Always returns false for IPv6 addresses.
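The matching rules described in the Syntax and API sections, written out as a small Python reference matcher. This is an added example, not the VMOD's own code; it assumes that ACL text which cannot be parsed (for instance a lookup fallback such as "error") simply yields false, which the page does not state.

```python
import ipaddress


def parse_acl(acl: str):
    """Parse the single-line CSV ACL format into ordered (negated, network) pairs.

    Entries may be a bare IPv4 address or an IPv4 subnet, optionally prefixed
    with '!' (whitespace after the '!' is tolerated). Only IPv4 is accepted.
    """
    entries = []
    for raw in acl.split(","):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        net = ipaddress.ip_network(item, strict=False)  # bare address -> /32
        if net.version != 4:
            raise ValueError(f"only IPv4 entries are supported: {raw!r}")
        entries.append((negated, net))
    return entries


def match(ip: str, acl: str) -> bool:
    """Lazy, first-match semantics as documented: the first entry containing
    the address decides the result ('!' entry -> False, plain entry -> True).
    IPv6 addresses never match. Unparsable ACL text is treated as a non-match
    (assumption made for this example)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False
    try:
        entries = parse_acl(acl)
    except ValueError:
        return False
    for negated, net in entries:
        if addr in net:
            return not negated
    return False
```

Because evaluation stops at the first hit, "192.168.0.0/16, ! 192.168.0.1" still admits 192.168.0.1, which is why the most inclusive entries belong last.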

Example VCL

Assuming a CSV file containing a domain name in the first column, followed by IP addresses complying with the syntax described above:

vcl 4.0;

import aclplus;
import kvstore;

sub vcl_init {
	# Load the per-host ACL strings: the first column is the Host header
	# value, the remainder of the line is the ACL for that host.
	new purgers = kvstore.init();
	purgers.init_file("/some/path/data.csv", ",");
}

sub vcl_recv {
	if (req.method == "PURGE") {
		# Look up the ACL for the request's Host; a host without an entry
		# gets the "error" fallback string and falls through to the 405.
		if (aclplus.match(client.ip, purgers.get(req.http.host, "error"))) {
			return (purge);
		}
		return (synth(405));
	}
}