I'm using Varnish 4 on a test environment and want to protect access to content using Basic Authentication.
What I want to happen is that the first request causes a prompt for Basic Auth and then it no longer asks once the user has entered their username and password. I have setup a rule with Varnish to check for the correct Authroization and ask the user to provide it if they have not.
My end users are complaining that they are repeatedly challenged for Basic Authentication details in their browser sometimes having to enter it 20 times before the first page is shown.
When using Chrome browser, this doesn't seem to happen unless I have the dev tools panel open and have the do not cache requests with dev tools panel open ticked. In various versions of IE, this happens all the time.
In my VCL, the basic auth rule looks like this in the sub vcl_recv section:
if (!req.http.Authorization ~ "Basic xxxxxxxxxxxxxxxxxx=="
# Don't require auth if IP on the authpass list.
&& !client.ip ~ authpass
# Don't require auth if this is the live website.
&& !req.http.Host == "www.mylivesite.com") {
return(synth(401, "Authentication required"));
}
unset req.http.Authorization;
I think you are missing this in your vcl_synth:
sub vcl_synth {
if (resp.status == 401) {
set resp.status = 401;
set resp.http.WWW-Authenticate = "Basic";
return(deliver);
}
Check detailed answer on setting up Basic authentication in Varnish.