VCL: Can we craft and send an HTTP request to an Auth server?


#1

Hi,
Quite new to Fastly and VCL. Can we craft an HTTP request to my auth server from vcl_recv?
The payload of this will be a JSON-format auth request and, based on the response from the auth server, we proceed to allow or deny access to the web content.
-Wils


#2

Or can I use any of the vmods, like curl, for doing this? Is there support to achieve this?


#3

> Can we craft an HTTP request to my auth server from vcl_recv?

You can change the host to connect to, the path and query string, and add headers before a restart. So in effect you can create a whole new request. Check here and here for more information on this.

> The payload of this will be a JSON-format auth request and, based on the response from the auth server, we proceed to allow or deny access to the web content.

However, as far as I know, you can’t add a body, so that won’t be possible.

> Or can I use any of the vmods, like curl, for doing this? Is there support to achieve this?

No, you can’t use vmods either. We’ve incorporated many into our core Varnish, but not curl. The restart capability is the closest thing.


#4

Hi Justin, thank you for this information. I was trying to solve the problem based on your inputs. But now I am stuck with my POST form requests. I see that after a restart my form data in the payload is lost. Am I missing something?
-Michael


#5

Yes, that’s expected. After a restart the body of a POST request will not be preserved.
You could stash req.postbody in a header so that you can pass it on in the other requests and have it available that way.


#6

Thank you so much for the reply. You are right, I can stash it in a separate HTTP header field. But req.postbody cannot be attached back to the REQ in the second pass, after successful authentication.

Thanks,
Michael


#7

Yes, that’s also true! There’s no way to change or amend the body of the request, GET or POST.


#8

Is there a solution for this use-case? We’re looking at authenticating requests, but we need it to work for POST / PATCH / DELETE etc, not just GET requests.


#9

Do you have an example with vcl? I need to change request host between first request and the second one. But your link doesn’t help me.


#10

Hi @gocoy,

I’ve recently been working on a tool that helps our customers to try out VCL. You can see an example of what I call ‘preflighting’, which is sending one request and then using the response to determine whether to send another, in this fiddle:

https://fiddle.fastlydemo.net/fiddle/f1bbff1e

You specifically mention changing the host, and you will indeed have to do that, though currently the fiddle does this invisibly rather than allowing you to do it yourself. So when you set the backend with set req.backend = F_originname;, in practice you will also need to do set req.http.host = "host header of new backend";.

Let me know how you get on, and I’m sorry the tool currently has very little documentation. It’s very much an early alpha.


#11

Hi, I’m already using fiddle fastly, thanks.
Your answer partially resolves my problem, because my second origin is based on the first origin’s response.
I see that origins are modifiable only with the API, right?

Any other ideas?

Thanks
F.


#12

You can’t specify an origin dynamically, but you can have a number of origins. So if you know what all the possibilities are, set all of those up as differently-named origins, and then switch to the one that you want based on the content of your preflight response.

We do have API functions for creating backends versionlessly (ie. without activating a new version of your entire configuration): https://docs.fastly.com/api/dynamicservers.
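
A sketch of the preflight-and-switch approach described in posts #10 and #12, added here as an example and not taken from the thread or the linked fiddle. The backend names (F_auth, F_origin_a, F_origin_b), the hostnames, the /check path, the X-Route response header and the X-Orig-Url / X-Preflight-* request headers are all assumptions; as posts #5 and #7 note, a request body does not survive the restart, so this covers bodiless requests only.

```vcl
sub vcl_recv {
#FASTLY recv
  if (req.restarts == 0) {
    # First pass. Strip the state headers so a client cannot pre-set them
    # and skip the auth check (header names are hypothetical).
    unset req.http.X-Preflight-Status;
    unset req.http.X-Preflight-Route;
    # Remember the original URL so it can be restored after the restart.
    set req.http.X-Orig-Url = req.url;
    # Re-point the request at the auth server (hypothetical backend/host/path).
    # The client's Cookie and Authorization headers travel with it.
    set req.backend = F_auth;
    set req.http.host = "auth.example.com";
    set req.url = "/check";
    return(pass);
  }

  # Second pass: vcl_deliver recorded the auth result before restarting.
  # Anything other than an explicit "ok" is refused (fail closed).
  if (req.http.X-Preflight-Status == "ok") {
    set req.url = req.http.X-Orig-Url;
    # Origins cannot be named dynamically, so choose among predefined ones.
    if (req.http.X-Preflight-Route == "b") {
      set req.backend = F_origin_b;
      set req.http.host = "b.example.com";
    } else {
      set req.backend = F_origin_a;
      set req.http.host = "a.example.com";
    }
    # Do not leak the internal state headers to the content origin.
    unset req.http.X-Orig-Url;
    unset req.http.X-Preflight-Status;
    unset req.http.X-Preflight-Route;
  } else {
    error 403 "Forbidden";
  }
  return(lookup);
}

sub vcl_deliver {
#FASTLY deliver
  # Only the preflight response is intercepted; it is never sent to the client.
  if (req.restarts == 0 && req.backend == F_auth) {
    if (resp.status == 200) {
      set req.http.X-Preflight-Status = "ok";
      set req.http.X-Preflight-Route = resp.http.X-Route;
    } else {
      set req.http.X-Preflight-Status = "deny";
    }
    restart;
  }
}
```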


#13

See also Can I set set req.backend.host dynamically