Search
Varnish Enterprise

Introduction Installation Upgrading Troubleshooting Changelog Changelog for 6.0.x Changes (Varnish Cache 4.1) Changes (Varnish Cache Plus 4.1) Known Issues Features Backend SSL/TLS Client SSL/TLS termination Cluster In-Process TLS MSE 4 Basic Configuration / Getting Started Configuration Persisted caching Categories Configuration Reference MSE 3.0 Settings mkfs.mse Memory Governor MSE 2.0 NUMA Parallel ESI Backend health counter HTTP/2 Support JSON Logging TCP Only Probes Timeouts Transit Buffer Varnish scoreboard VMODs Accept Accounting ACL (aclplus) ActiveDNS Akamai Connector AWS VCL Body Access & Transformation (xbody) Brotli Cookie Plus (cookieplus) DeviceAtlas DeviceAtlas3 Digest Dynamic backends (goto) Edgestash File Format Geolocation (geoip/mmdb) Header Manipulation (headerplus) HTTP communication (http) Image JSON parsing (json) JWT Key value storage (kvstore) Least connections director (leastconn) Module to control the built-in HTTP2 transport (h2) MSE control (mse) MSE4 control (mse4) Probe Proxy ProxyV2 TLV Attribute Extraction (proxy) Pseudo Random Number Generator Purge (purge/softpurge) Real-time Status (rtstatus) Reverse DNS (resolver) Rewrite S3 VMOD Session Slicer SQLite3 Stale Standard (std) Stat (Prometheus) Strings (str) Synthetic backends (synthbackend) Tag-based invalidation (Ykey/Xkey) TCP configuration (tcp) TLS Total Encryption (crypto) Unified director object (udo) Uniform Resource Identifier (uri) Unix Socket Utilities (unix) URL Plus (urlplus) Utils Vsthrottle

Unix Socket Utilities (unix)

Description

The unix vmod provides information about the credentials of the peer process (user and group of the process owner) that is connected to a Varnish listener via a Unix domain socket, if the platform supports it.

Errors

All functions in this VMOD are subject to the following constraints:

  • None of them may be called in sub vcl_init or sub vcl_fini. If one of them is called in sub vcl_init, then the VCL program will fail to load, with an error message from the VMOD.

  • If called on a platform that is not supported, then VCL failure is invoked. An error message is written to the log (with the sub vcl_Error tag), and for all VCL subroutines except for sub vcl_synth, control is directed immediately to sub vcl_synth, with the response status set to 503 and the reason string set to “VCL failed”.

If the failure occurs during sub vcl_synth, then sub vcl_synth is aborted, and the the response line “503 VCL failed” is sent.

  • If the current listener is not a Unix domain socket, or if the attempt to read credentials fails, then a sub vcl_Error message is written to the log. The STRING functions (vmod_user and vmod_group) return NULL, while the INT functions (vmod_uid and vmod_gid) return -1.

Examples

import unix;

sub vcl_recv {
  # Return "403 Forbidden" if the connected peer is
  # not running as the user "trusteduser".
  if (unix.user() != "trusteduser") {
    return( synth(403) );
  }

  # Require the connected peer to run in the group
  # "trustedgroup".
  if (unix.group() != "trustedgroup") {
    return( synth(403) );
  }

  # Require the connected peer to run under a specific numeric
  # user id.
  if (unix.uid() != 4711) {
    return( synth(403) );
  }

  # Require the connected peer to run under a numeric group id.
  if (unix.gid() != 815) {
    return( synth(403) );
  }
}

Obtaining the peer credentials is possible on a platform that supports one of the following:

  • getpeereid(3) (such as FreeBSD and other BSD-derived systems)

  • the socket option SO_PEERCRED for getsockopt(2) (Linux)

  • getpeerucred(3C) (SunOS and descendants)

On SunOS and friends, the PRIV_PROC_INFO privilege set is added to the Varnish child process while the VMOD is loaded, see setppriv(2).

On most platforms, the value returned is the effective user or group that was valid when the peer process initiated the connection.

user

STRING user()

Return the user name of the peer process owner.

Arguments: None

Type: Function

Returns: String

Restricted to: client, backend

group

STRING group()

Return the group name of the peer process owner.

Arguments: None

Type: Function

Returns: String

Restricted to: client, backend

uid

INT uid()

Return the numeric user id of the peer process owner.

Arguments: None

Type: Function

Returns: Int

Restricted to: client, backend

gid

INT gid()

Return the numeric group id of the peer process owner.

Arguments: None

Type: Function

Returns: Int

Restricted to: client, backend

Availability

The unix VMOD is available in Varnish Enterprise version 6.0.0r0 and later.


®Varnish Software, Wallingatan 12, 111 60 Stockholm, Organization nr. 556805-6203