Varnish Cache Plus

ACL (aclplus)

Varnish 6.0


This module allows you to match IP addresses against ACLs similar to VCL ACLs. The key difference is that your ACLs don’t need to be bound to the active VCL and can be stored as strings in a separate VMOD such as vmod-kvstore or even backend responses.

Currently, IPv4 and IPv6 addresses and subnets are supported, and entries can be prefixed with an exclamation mark (!) for a negative match, like so: !


ACLs are represented by a single-line CSV string:, !,, ::1, !::2, fe00::1/16

The client IP will be matched against all ACLs, and if a match is found and no negation is encountered then access will be granted. If any matching negations are found then access will always be denied. Granted here meaning the match() API function returning true.


The API consists in a single function:


Returns true if the supplied IP address matches the text-representation of at least one ACL and is not negated by any ACLs. Works with both ranges of IPv4- and IPv6-addresses.

Example VCL

Assuming a CSV file containing a domain name in the first column, followed by IP addresses complying to the syntax described above:

vcl 4.0;

import aclplus;
import kvstore;

sub vcl_init {
	new purgers = kvstore.init();
	purgers.init_file("/some/path/data.csv", ",");

sub vcl_recv {
	if (req.method == "PURGE") {
		if (aclplus.match(client.ip, purgers.get(, "error")) {
			return (purge);
		return (synth(405));