Search
Varnish Controller
varnish-controller    examples    ui-sec
Introduction Changelog Known Issues Upgrading Deprecation Version 7 Version 6 Version 5 Version 4 Version 3 Version 2 Version 1 Versioning License Features System Overview Demo Concepts Agent Router RoutingRules Tag VCL Domain Deployment Certificates Roles VCLGroup Deployment Types API Logs Private/Shared Config/ConfigSets Authentication System Admin Regular Users Identity Provider Sessions Examples Authorization Organization Account Permission Examples CLI CLI Examples CLI Manual User Interface API API examples Invalidations Integrations Varnish Statistics Backups Installation Quickstart NATS PostgreSQL Brainz API-GW Agents Routers Containers Identity Provider VCLI Graphical User Interface Mapped Ports Routing Plugins gRPC FAQ Examples Deploying VCL files Change a VCL file Purging multiple paths Banning paths Using Labels Certificates HTTP Routing Routing Decisions Private Agents Debugging Multiple Regions OIDC - Microsoft Entra (Azure AD) Staged Deployment Drain Traffic Config/ConfigSet Organizations Controller-UI security settings

Controller-UI security settings

Controller-UI security settings

These examples cover various TLS and CSRF related settings.

Running without TLS

The Controller-UI runs in plaintext-mode as a default, but it assumes running behind a TLS-terminating reverse proxy or dedicated TLS terminator such as Hitch. As a result, HTTPS-specific CSRF checks are active as long as they are not turned off with the -no-tls parameter.

If you use a plaintext connection without the -no-tls parameter, any login attempt will fail with a Forbidden - origin invalid error message.

The start command of the Controller-UI should look like this:

varnish-controller-ui -api-hosts=http://api-gw:8002 -no-tls

Turning off the Forbidden - origin invalid message when using HTTPS

If you run the Controller-UI behind Varnish or any other reverse proxy and get the Forbidden - origin invalid error message when trying to log in, make sure that the reverse proxy does not modify the Host header.

Preserving the Host header in Varnish

In Varnish (both Varnish Enterprise and the open source Varnish Cache), do not modify the req.http.host variable in your VCL.

Preserving hte Host header in nginx

If you run the Controller-UI behind nginx and get the Forbidden - origin invalid error message, add the following configuration directive behind your proxy_pass ... entry:

proxy_set_header Host $http_host;
Manuals
Varnish Enterprise
Varnish Cloud
Varnish Controller
Varnish High Availability
Varnish Custom Statistics
Varnish WAF
Varnish Broadcaster
Varnish Helm Chart
Packages
Docker
Varnish Otel
News
Varnish Enterprise 6.0.16r4
Varnish Controller 7.2.1
Varnish Controller 7.2.0
Varnish Discovery 1.6.0
Varnish Enterprise 6.0.16r3
News archive
Cookie Settings Privacy Policy Contact Us Press Branding
®Varnish Software, Wallingatan 12, 111 60 Stockholm, Organization nr. 556805-6203