  1. eZ Publish / Platform
  2. EZP-21992

improve the proposed varnish VCL for eZ



    • Improvement
    • Status: Closed
    • High
    • Resolution: Obsolete
    • 5.2
    • None
    • Caching, Documentation
    • None


      Ref https://confluence.ez.no/display/EZP52/Using+Varnish :

      1. "Do a standard lookup on assets"
      Instead of using the URL suffix to determine if an incoming request is for a static resource, we should use the URL prefix instead (if possible).
      This is because some custom eZ modules might be used to generate dynamic css/js/etc... and they would also benefit from being served with the userhash

      2. "x-forwarded-for"
      Instead of removing any such IP sent by the user browser, we just add the true IP to it.
      Is this correct/safe for both the case where there is a further proxy in front of Varnish and for the case where there is none?
      (asking because generally security guidelines tell to remove any x-forwarded-for header from upstream)

      3. "vary: x-user-hash"
      This is not in the vcl, but is a header sent by eZPublish with http responses.
      We should probably remove this one from outgoing responses, for best performance and cleanliness

      4. deny any incoming request which looks like a request for user-hash generation

      5. check if it is possible to connect directly to memcache to retrieve userhash instead of connecting to ez

      6. curl subrequest should specify original host:

      curl.header_add("Host: " + req.http.Host);
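
Added example, not part of the ticket or of eZ's VCL: a Python model of the question in item 2, comparing appending to X-Forwarded-For with replacing it, with and without a proxy in front of Varnish. All addresses are constructed, the function names are hypothetical, and it assumes a front proxy that itself appends the client IP.

```python
import ipaddress

# Constructed sample values (documentation address ranges).
CLIENT = "203.0.113.7"        # real browser address
SPOOFED = "10.0.0.5"          # value the browser puts in X-Forwarded-For
FRONT_PROXY = "192.0.2.10"    # optional proxy in front of Varnish


def varnish_forward(incoming_xff, peer_ip, mode):
    """Header the cache sends to the backend.

    mode="append" keeps what the peer sent and adds the peer address
    (the behaviour item 2 describes); mode="replace" discards it.
    """
    if mode == "append" and incoming_xff:
        return f"{incoming_xff}, {peer_ip}"
    return peer_ip


def leftmost(xff):
    """Naive backend: takes the first entry, which the browser controls."""
    return xff.split(",")[0].strip()


def rightmost_untrusted(xff, trusted_nets):
    """Walk right to left, skipping proxies we operate.

    The first address outside trusted_nets is the nearest one that a
    trusted hop actually observed. Returns None if none can be found.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse rather than guess
        if not any(addr in net for net in nets):
            return str(addr)
    return None


if __name__ == "__main__":
    direct = varnish_forward(SPOOFED, CLIENT, "append")
    print("no front proxy :", direct, "->", leftmost(direct),
          "vs", rightmost_untrusted(direct, []))
    chained = varnish_forward(f"{SPOOFED}, {CLIENT}", FRONT_PROXY, "append")
    print("front proxy    :", chained, "->",
          rightmost_untrusted(chained, [FRONT_PROXY + "/32"]))
```

In this model, appending is only as safe as the consumer: a backend that reads the left-most entry sees the spoofed value, while the right-to-left walk recovers the real client in both topologies. Replacing the header behind a front proxy leaves only the proxy's address.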


              Unassigned Unassigned
              gaetano.giunta-obsolete@ez.no Gaetano Giunta (Inactive)