diff --git a/site-modules/profile/files/varnish/unknown_vhost_then_forbidden_access.vcl b/site-modules/profile/files/varnish/unknown_vhost_then_forbidden_access.vcl
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/files/varnish/unknown_vhost_then_forbidden_access.vcl
@@ -0,0 +1,12 @@
+# known_vhost_determine_forbidden_access.vcl
+#
+# Now that we passed along all vhosts declared, we should be able to determine
+# if the access to such query should be forbidden or not
+#
+# File managed by puppet. All modifications will be lost.
+
+sub vcl_recv {
+ if (req.http.X-Known-Vhost != "Yes") {
+ return(synth(403, "Forbidden access to unknown vhost " + req.http.host));
+ }
+}
diff --git a/site-modules/profile/manifests/varnish.pp b/site-modules/profile/manifests/varnish.pp
--- a/site-modules/profile/manifests/varnish.pp
+++ b/site-modules/profile/manifests/varnish.pp
@@ -80,4 +80,10 @@
 order => '10',
 content => file('profile/varnish/synth_redirect.vcl'),
 }
+
+ ::profile::varnish::vcl_include {'unknown_vhost_then_forbidden_access':
+ order => '99',
+ content => file('profile/varnish/unknown_vhost_then_forbidden_access.vcl'),
+ }
+
 }
diff --git a/site-modules/profile/templates/varnish/vhost.vcl.erb b/site-modules/profile/templates/varnish/vhost.vcl.erb
--- a/site-modules/profile/templates/varnish/vhost.vcl.erb
+++ b/site-modules/profile/templates/varnish/vhost.vcl.erb
@@ -11,6 +11,7 @@
 <% end -%>
 req.http.host ~ "^(?i)<%= Regexp.escape(@servername) %>(:[0-9]+)?$"
 ) {
+ set req.http.X-Known-Vhost = "Yes";
 if (std.port(server.ip) == <%= scope['::profile::varnish::http_port'] %>) {
 set req.http.x-redir = "https://" + req.http.host + req.url;
 return(synth(850, "Moved permanently"));
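Review bot: The gate `if (req.http.X-Known-Vhost != "Yes")` trusts a plain request header, and nothing in this patch clears it before the vhost blocks run, so a client that sends `X-Known-Vhost: Yes` with an unknown Host passes this check instead of getting the 403 (the only `unset` in the patch sits in a sub that writes `resp.http`, i.e. after vcl_recv has finished). The fix is an include ordered before every vhost that does `unset req.http.X-Known-Vhost;` at the top of vcl_recv, so the marker can only originate from a matched vhost block. Separately, `"Forbidden access to unknown vhost " + req.http.host` reflects the client-controlled Host header into the synth reason, which the builtin vcl_synth emits unescaped into the HTML body and the status line; a static reason such as `return(synth(403, "Forbidden"));` avoids that, and the host can be recorded with `std.log` if the `std` import the erb relies on is in scope here. The header comment also names a different file; change it to `# unknown_vhost_then_forbidden_access.vcl`.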
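Review bot: `order => '99'` only works if every vhost include sorts before it, and nothing in the resource records that constraint; a vhost registered at order '99' or later would have its requests rejected with 403 by the check this include loads. Add a comment above the resource along the lines of `# Must sort after every vhost include: vhosts mark req.http.X-Known-Vhost in vcl_recv and this include 403s anything left unmarked.` The enclosing class starts outside the hunk.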
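Review bot: `set req.http.X-Known-Vhost = "Yes";` has no comment explaining that it is a marker consumed by a later include rather than something the backend needs, and since it is a request header it presumably travels to the backend with the fetch as well. Add `# Mark the request as belonging to a declared vhost; the last vcl_recv include 403s anything left unmarked.` above the line, and consider whether the header should be unset before the fetch rather than in the delivery sub. The enclosing sub starts before and ends after this hunk.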
@@ -46,6 +47,7 @@
 <% end -%>
 req.http.host ~ "^(?i)<%= Regexp.escape(@servername) %>(:[0-9]+)?$"
 ) {
+ unset req.http.X-Known-Vhost;
 <% if @hsts_max_age -%>
 if (std.port(server.ip) != <%= scope['::profile::varnish::http_port'] %>) {
 set resp.http.Strict-Transport-Security = "max-age=<%= @hsts_max_age %>;";
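Review bot: `unset req.http.X-Known-Vhost;` runs in a sub that already has `resp.http` (vcl_deliver, by the look of it), which is too late to stop a client-supplied value from satisfying the vcl_recv check and, presumably, too late to keep the header out of the backend request. If the intent is hygiene, a single `unset req.http.X-Known-Vhost;` at the top of vcl_recv before any vhost block covers both concerns; if the intent is something else, a comment saying what this unset protects would help. The enclosing sub starts before and ends after this hunk.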