All this year, Varnish Software has been celebrating the ten-year anniversary of Varnish Cache. One of the best traits of Varnish Cache is its flexibility - and throughout its decade of existence, we have been consistently surprised by the creative ways our users have deployed Varnish. To capture and share with the entire community some of these use cases, we launched the Varnish Awards. We invited Varnish users to submit their stories in two categories, innovation and value, and then empaneled a group of judges to choose the best of the best. The value category award winner will be announced shortly - stay tuned. The winners in each category will share their stories on September 22 at the Varnish Summit in Los Angeles.
And the most innovative nomination is...
We were overwhelmed by the positive response, and finally we are able to announce the winner in the Innovation category: The Financial TImes (FT) and its software architects.
The FT, a leader in delivering world-class news, comments and analysis to readers around the world used Varnish to implement multi-factor email login for employees to help protect against the increasing threat of phishing attacks. The FT solution integrates Varnish Cache with Google Apps to create the multi-factor authentication screen solution.
In May 2013, the Financial Times experienced a sophisticated email phishing attack, which would have been more serious had they not created and implemented this solution. Because multi-factor authentication was not comprehensively available for all FT enterprise applications, they integrated Varnish with Google Apps two-factor authentication. This allowed a Varnish server to be placed in front of any existing application to add a multi-factor authentication layer, which works like this:
- Token-based access: Until the user has a valid, freshly issued token, Varnish will refuse access to the web-server. Those tokens are only issued when the user has been identified by Google authentication and verified against the FT’s internal directory servers.
- Verification: Executed in Varnish Configuration Language (VCL) and inline-C, the process checks the token against the regularly rotated public key.
- Simple Replication: The entire process is wrapped into a Puppet module so that each FT development team can repeat this pattern for consistent identification, authorization and protection across key business applications.
See you in LA!
Congratulations to FT and its team of developers! It is a true honor for Varnish Software to be able to deliver software that allows organizations to solve their pressing challenges in such creative ways.
We look forward to learning more at the Varnish Award ceremony in September. Register to join us there!
Image (c) 2016 Edewaa Foster