Commit b041a942 authored by Geoff Simmons's avatar Geoff Simmons

Optionally set the reason string for synth in req-disposition.

parent d7cfa065
......@@ -368,6 +368,9 @@ spec:
type: integer
minimum: 200
maximum: 599
reason:
type: string
minLength: 1
status:
acceptedNames:
kind: VarnishConfig
......
......@@ -87,7 +87,7 @@ then the request proceeds to cache lookup (``return(hash)``).
``disposition`` is an object with these two fields:
* ``action`` (required): one of the following strings, corresponnding
* ``action`` (required): one of the following strings, corresponding
to a [``return()`` keyword for
``vcl_recv``](https://varnish-cache.org/docs/6.1/users-guide/vcl-built-in-subs.html#vcl-recv);
......@@ -116,6 +116,13 @@ then the request proceeds to cache lookup (``return(hash)``).
other values of ``action``. ``status`` MUST be in the range 200 to
599, inclusive.
* ``reason``: if present, and if the ``action`` is ``synth``,
``reason`` is the "reason string" that appears in the HTTP response
line. The reason string is, for example, "OK" in response status
"200 OK", or "Not Found" in "404 Not Found". By default, Varnish
sets the standard reason string for a standard HTTP status code, or
"Unknown HTTP Status" for a non-standard status.
It is not possible to use ``action`` to specify branching to a VCL label.
``conditions`` is an array of objects with the following fields,
......
......@@ -728,12 +728,18 @@ The blacklist is defined with:
disposition:
action: synth
status: 403
reason: Blacklisted
```
In this case, the synthetic 403 Forbidden response is generated for
requests whose URL path does begin with one of the prefixes in
``values``. The combined effect is that requests are only permitted
for URLs in the whitelist, but not for URLs in the blacklist.
In this case, the synthetic 403 response is generated for requests
whose URL path does begin with one of the prefixes in ``values``.
The ``reason`` setting sets the response line to "403 Blacklisted"
rather than the standard "403 Forbidden". In most cases, you can
leave out ``reason``, and Varnish sets the standard reason string
corresponding to the response code.
The combined effect is that requests are only permitted for URLs in
the whitelist, but not for URLs in the blacklist.
Of course your configuration can characterize the requests by other
means available in ``conditions``, for example by specifying regex
......@@ -781,14 +787,15 @@ $ curl -x $IP:$PORT -v http://cafe.example.com/tea/quux
< HTTP/1.1 403 Forbidden
[...]
# Requests matching the blacklist are also forbidden:
# Requests matching the blacklist are also forbidden. Notice that the
# "Blacklisted" reason string is used for these cases.
$ curl -x $IP:$PORT -v http://cafe.example.com/coffee/sugar/black/foo
[...]
> GET http://cafe.example.com/coffee/sugar/black/foo HTTP/1.1
> Host: cafe.example.com
[...]
>
< HTTP/1.1 403 Forbidden
< HTTP/1.1 403 Blacklisted
[...]
$ curl -x $IP:$PORT -v http://cafe.example.com/tea/sugar/black/foo
......@@ -797,7 +804,7 @@ $ curl -x $IP:$PORT -v http://cafe.example.com/tea/sugar/black/foo
> Host: cafe.example.com
[...]
>
< HTTP/1.1 403 Forbidden
< HTTP/1.1 403 Blacklisted
[...]
```
......
......@@ -75,6 +75,7 @@ spec:
disposition:
action: synth
status: 403
reason: Blacklisted
# Cache lookup is bypassed for requests whose method is neither of
# GET or HEAD.
......
......@@ -389,6 +389,7 @@ const (
type DispositionSpec struct {
Action RecvReturn `json:"action"`
Status *int64 `json:"status,omitempty"`
Reason string `json:"reason,omitempty"`
}
// RequestDispSpec specifies the disposition of a client request when
......
......@@ -813,6 +813,7 @@ func (worker *NamespaceWorker) configReqDisps(spec *vcl.Spec,
if disp.Disposition.Action == vcr_v1alpha1.RecvSynth {
vclDisp.Disposition.Status = uint16(
*disp.Disposition.Status)
vclDisp.Disposition.Reason = disp.Disposition.Reason
}
spec.Dispositions[i] = vclDisp
}
......
......@@ -36,7 +36,8 @@ sub vcl_recv {
) {
return (
{{- with .Disposition}}
{{- if eq .Action "synth"}}synth({{.Status}})
{{- if eq .Action "synth"}}synth({{.Status}}
{{- if .Reason}}, "{{.Reason}}"{{end -}})
{{- else}}{{.Action}}
{{- end}}
{{- end -}}
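Review bot: `"{{.Reason}}"` places the custom resource's `reason` inside a double-quoted VCL string with no escaping or validation, so a value containing a double quote or a line break ends the literal early and the remainder is emitted as VCL (at best a compile failure when the config is loaded). Assuming this template is rendered with text/template, nothing downstream escapes the value; the CRD hunk enforces only `minLength: 1`, and the `configReqDisps` hunk copies the field through unchanged. Reject such values before rendering, for example with a `maxLength` and `pattern: '^[\t !#-~]+$'` on the schema's `reason`, and repeat the check in the controller so that objects admitted without schema validation are refused as well. The `sub vcl_recv` block continues outside the hunk.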
......
......@@ -204,6 +204,7 @@ var urlWhitelistSpec = Spec{
Disposition: DispositionType{
Action: RecvSynth,
Status: 403,
Reason: "Not whitelisted",
},
}},
}
......
......@@ -708,6 +708,7 @@ const (
type DispositionType struct {
Action RecvReturn
Status uint16
Reason string
}
// DispositionSpec specifies the disposition of a client request when
......
......@@ -13,7 +13,7 @@ sub vcl_init {
sub vcl_recv {
if (! vk8s_reqdisp_0_0.hasprefix(req.url)) {
return (synth(403));
return (synth(403, "Not whitelisted"));
}
return (hash);
}