Its seems that purging doesn't work when using Cloudflare(Cloudflare returns 403 Forbidden).
This what i got when i searched for a solution online:
"The problem is that when you are using cloudflare, varinsh does not get the original IP of the sender. Instead it gets the IP of the cloudflare. So purging can not be done. We need to tell the varnish the original IP of the sender."
Add these following lines inside vcl_recv
if (req.restarts == 0) {
if (req.http.X-Forwarded-For) {
set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
} else {
set req.http.X-Forwarded-For = client.ip;
}
}
if (req.method == "PURGE" || req.url == "/purge") {
# Replace these IP with your IP
if ( req.http.X-Forwarded-For !~ "(209.152.41.21|105.45.120.37)") {
return(synth(405, "This IP is not allowed to send PURGE
requests."));
}
ban("req.url ~ /");
return (purge);
}
I tried this solution but it didn't work.
1 Answers
This question is old but could still use an answer. :-) The quote you found is partially correct. Here's why:
Your setup is likely similar to the below:
------ --------- ------------ ------
| WP | <- | Varnish | <- | CloudFlare | <--- | User |
------ --------- ------------ ------
There are two ways that the purge can happen:
- User -> CloudFlare -> Varnish, or
- User -> CloudFlare -> Varnish -> WP -> WP plugin -> Varnish.
The second situation can successfully cause a purge. If you have a plugin which triggers a cache purge/invalidate, it will come from a predictable IP address. In fact, if you run varnish on the same server as WP, the IP address will be [127.0.0.1]. There's a nice implementation for this situation.
The problem with the first situation (purging directly from CloudFlare) is that CloudFlare has many IP addresses which you would have to keep up to date. But more importantly, there's nothing that would prevent a bad actor from also creating a service using CloudFlare which would also be allowed to send a purge request to your server, basically rendering this security worthless.
Since X-Forwarded-For is basically just a list of all of the previous IP addresses along the way, this would also be easy to fake and bypass.
Since filtering on IP address is not useful directly through CloudFlare, you could alternatively use a token/secret that you send as part of the purge request. (i.e. only allow a special URL like:
if (req.url == "/purge-719179c7-6226-4b87-9503-1b6d54d5fea5") {... with some other Guid of course). One could argue that this is still not secure, but perhaps better than allowing all CloudFlare IPs.
