  1. eZ Publish / Platform
  2. EZP-27131

How to set X-User-Hash in Varnish VCL for different anonymous users

    Details

    • Sprint:
      Sprint 6

      Description

      It's possible to use the anonymous_user_id to set different anonymous users for different siteaccesses so each siteaccess will have a different set of permissions for the anonymous users.

      To see how this is configured:

      $ app/console config:dump-reference ezpublish --env=dev
       
      ezpublish:
        system:
          siteaccess_name:
            # The ID of the user used for everyone who is not logged in.
            anonymous_user_id:  ~ # Example: 10
      

      eZ Publish has a varnish.vcl file where you can set the X-User-Hash that will be used to detect and handle anonymous users' cache:

      if (req.http.Cookie !~ "eZSESSID" && !req.http.authorization) {
          set req.http.X-User-Hash = "38015b703d82206ebc01d17a39c727e5";
      }
      

      Now, if you use anonymous_user_id to configure multiple anonymous users, how should the X-User-Hash be configured so Varnish will work nicely?

      It's important to document this.

          Activity

          Vidar Langseid added a comment - - edited

          Totally untested, but this might be the way to solve this problem

          sub ez_user_hash {
          (...)
           
              if (req.restarts == 0 && (req.method == "GET" || req.method == "HEAD")) {
                  // Get User (Context) hash, for varying cache by what user has access to.
                  // https://doc.ez.no/display/EZP/Context+aware+HTTP+cache
          -        if (req.http.Cookie !~ "eZSESSID" && !req.http.authorization) {
          +        if (req.http.Cookie !~ "eZSESSID" && !req.http.authorization && req.http.url ~ "mysite.com/siteaccess1") {
                      // You may update this hash with the actual one for anonymous user
                      // to get a better cache hit ratio across anonymous users.
                      // Note: You should then update it every time anonymous user rights change.
                      set req.http.X-User-Hash = "38015b703d82206ebc01d17a39c727e5";
          +        } elsif (req.http.Cookie !~ "eZSESSID" && !req.http.authorization && req.http.url ~ "mysite.com/siteaccess2") {
          +            set req.http.X-User-Hash = "asdfasdfasdfasdfasdfasdfasdfasdf";
                  }
                  // Pre-authenticate request to get shared cache, even when authenticated
                  else {
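
          Review bot: In both added conditions, `req.http.url` is a request header named `url` rather than the request URL, so for ordinary requests neither branch matches and every anonymous request falls through to the `else` pre-authentication path; since that header is supplied by the client, it should also not be what selects a permission hash. VCL exposes the path as `req.url` and the host as `req.http.host`, so the test would be along the lines of `req.http.host == "mysite.com" && req.url ~ "^/siteaccess1"`. The second hash is a placeholder and has to be replaced with the real hash for that siteaccess's anonymous user, and the repeated cookie/authorization test could be hoisted into a single outer `if`.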
          

          Vidar Langseid added a comment -

          Note: From 1.12, if you use varnish4_xkey.vcl, the X-User-Hash is no longer hard coded in the .vcl and the problem should be non-existent

          Dominika Kurek added a comment -

          Closing this, as the pre-1.12 solution is only a workaround, and the problem has been resolved since 1.12 (so will not exist in the upcoming LTS anyway).


            People

            • Assignee:
              Unassigned
              Reporter:
              Eduardo Fernandes (Inactive)