As you probably know, Varnish has always been a very secure piece of software, but so far that safety only applied to Varnish itself, and a malicious request could still go straight through it and hurt your backend. As a reverse proxy (load balancer, origin shield, etc.), though, Varnish sees everything the backend receives and sends, so there's a great opportunity here to sanitize the traffic before it reaches the backend.
If you've read a few of my blog posts, you probably already know I love the VCL (Varnish Configuration Language) idea, big time. Being able to change the processing logic via code opens a world of possibilities and makes pretty much all other tools feel constrained in their configurations. But...
But, well, VCL is code, and code is scary to a lot of users. I can understand that when you begin with Varnish and only have very limited configuration needs, VCL can feel complicated, and some would prefer a simple, declarative language. The good news is that it's totally possible; let's see how we can help!
Two years ago, I wrote an article about how probes work in Varnish (it's a great article - fun, informative... go read it). It covers a lot of ground, but it still misses one important spot: it only focused on how Varnish uses probes to decide whether a backend is worth contacting. So today we are going to look at the other side of the story: how do we tell the rest of the system that Varnish is up and ready to work?
Also, we'll see how to handle maintenance: if you need to take your Varnish node offline, it's annoying to log into all the load balancers to reconfigure them. It's easier to just tell Varnish to fail incoming probes until the load balancers take the node out of their pool, then wait for the active connections to end (does it ring a bell?), and then stop Varnish.
Hop on! We'll have a look at different ways of doing it, good and (mostly) bad, to understand how to do it properly and be warned of the various pitfalls to avoid.
HTTP is an intrinsically textual protocol, with relatively few rules. So it makes sense for Varnish to provide you with one of the best tools available to manipulate text: the regular expression, or "regex" (or "regexp", or "regexp?" if you want to be very clever).