2016-07-21 48 views

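Varnish returns incorrect backend content from a User-Agent rule

I have a simple rule that redirects traffic to a special backend if User-Agent == GlobalSign or the request URL is /globalsign. I have noticed that in rare cases Varnish incorrectly returns content from the special backend. It seems to happen randomly and is not reproducible.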

if (req.http.User-Agent ~ "(?i)GlobalSign" || req.url ~ "^/globalsign") { 
    set req.url = "/"; 
    set req.backend = dgs1; 
    return(pipe); 
} 

Backend rules

backend b1 { 
    //Backend 1 
    .host = "10.8.8.16"; 
    .port = "80"; 
    .probe = { 
     .url = "/service_up"; 
     .timeout = 1s; 
     .interval = 5s; 
     .window = 10; 
     .threshold = 8; 
    } 
} 


backend gs1 { 
     // Set host: Globalsign 
     .host = "10.8.8.15"; 
     .port = "80"; 
     .probe = { 
      .url = "/service_up"; 
      .timeout = 5s; 
      .interval = 5s; 
      .window = 10; 
      .threshold = 8; 
     } 
    } 

director dgs1 random { 

    { 
     .backend = gs1; 
     .weight = 1; 
    } 

} 

director d01 random { 
     { 
     .backend = b1; 
     .weight = 1; 
    } 
} 

Full VCL

include "backends.vcl"; 
include "bans.vcl"; 
include "acl.vcl"; 

sub vcl_recv { 

    // Use the director we set up above to answer the request if it's not cached. 
    set req.backend = d01; 
    if(req.url ~ "^/service_up") { 
     return(lookup); 
    } 

    if(client.ip ~ evil_networks){ 
     error 403 "Forbidden"; 
    } 

    if (req.http.User-Agent ~ "(?i)GlobalSign" || req.url ~ "^/globalsign") { 
     set req.url = "/"; 
     set req.backend = dgs1; 
     return(pipe); 
    } 

    return(pass);
} 

sub vcl_fetch { 
    set beresp.grace = 24h; 

    if (beresp.status >= 400) { 
     return (hit_for_pass); 
    } 

    // New Set Longer Cache 
    if (req.http.user-agent ~ "(Googlebot|msnbot|Yandex|Slurp|Bot|Crawl|bot|Baid|Mediapartners-Google)") { 
     unset beresp.http.set-cookie; 
     set beresp.ttl = 5d; 
     return (deliver); 
    } 
    if (req.request == "GET" && req.url ~ "\.(css|xml|txt)$") { 
     set beresp.ttl = 5d; 
     unset beresp.http.set-cookie; 
     return (deliver); 
    } 
    // multimedia 
    if (req.request == "GET" && req.url ~ "\.(gif|jpg|jpeg|bmp|png|tiff|tif|ico|img|tga|woff|eot|ttf|svg|wmf|js|swf|ico)$") { 
     unset beresp.http.set-cookie; 
     set beresp.ttl = 5d; 
     return (deliver); 
    } 
    set beresp.ttl = 5d; 
    return (deliver); 
} 

include "errors.vcl"; 

sub vcl_deliver { 

    return(deliver); 
} 

Can you explain what "incorrect" means in this case? – ldg

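Only traffic with a User-Agent containing GlobalSign or with req.url ~ "^/globalsign" should use director dgs1. However, users who do not match those criteria are receiving content that comes only from dgs1 – jozwikjp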

Answer

I guess return(pipe); is one of the suspects.

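If you have a keep-alive HTTP client that makes just one request with the GlobalSign User-Agent or the /globalsign URL, all subsequent requests will be piped to dgs1, even if they do not match the criteria.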

Try to avoid pipe if possible; it is a common cause of many hard-to-trace problems, and possibly of security holes as well.
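One way to apply the advice above, as an added example that is not part of the original question or answer: the question's vcl_recv with the GlobalSign rule switched from pipe to pass, plus a vcl_pipe guard for setups that still need pipe elsewhere. It assumes the Varnish 3.x syntax used in the question and the d01, dgs1 and evil_networks definitions from the question's included files.

```vcl
include "backends.vcl";   // defines directors d01 and dgs1 (from the question)
include "acl.vcl";        // defines acl evil_networks (from the question)

sub vcl_recv {
    // Default director, reset for every request that Varnish parses.
    set req.backend = d01;

    if (req.url ~ "^/service_up") {
        return (lookup);
    }

    if (client.ip ~ evil_networks) {
        error 403 "Forbidden";
    }

    if (req.http.User-Agent ~ "(?i)GlobalSign" || req.url ~ "^/globalsign") {
        set req.url = "/";
        set req.backend = dgs1;
        // Was: return (pipe);
        // With pass, Varnish still parses every request on the client
        // connection, so the next keep-alive request runs vcl_recv again
        // and is routed by its own User-Agent and URL, not by the first
        // request's match.
        return (pass);
    }

    return (pass);
}

// Guard for any remaining return (pipe) in the configuration.
sub vcl_pipe {
    // Ask the backend to close the connection after the first response.
    // That ends the pipe, so later requests from the same client cannot
    // ride the piped connection past vcl_recv, the ACL check and the
    // backend selection above.
    set bereq.http.Connection = "close";
    return (pipe);
}
```

After deploying, send a GlobalSign-matching request followed by a normal one over the same keep-alive connection and confirm in varnishlog that the second request appears as its own transaction routed to d01.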