creativestyle/magesuite-vary-cookie-signer 问题修复 & 功能扩展

解决BUG、新增功能、兼容多环境部署,快速响应你的开发需求

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

creativestyle/magesuite-vary-cookie-signer

Composer 安装命令:

composer require creativestyle/magesuite-vary-cookie-signer

包简介

X-Magento-Vary Cookie Signer

README 文档

README

Magento uses special cookie called X-Magento-Vary to distinguish between different variants of some pages (eg. PDP page for customers with special discount).

When varnish server is used this is handled by adding content of X-Magento-Vary cookie to hash key.

This can be abused to bypass varnish page cache and generate high load on php server by generating random value for every request.

This extension provide a way to verify valid cookie on varnish server by providing extra cookie called X-Magento-Vary-Sign containing sha1 hash of X-Magento-Vary cookie content and signing key (which should be random value). Without knowing secret, attacker isn't able to generate correctly signed cookie and we can verify it on varnish server and ignore incorrect values, therefore reuse cached page.

Magento configuration

Edit the /app/etc/env.php file to configure the signing key.

...
     'vary_cookie_sign' => [
            'key' => 'REPLACE_THIS_WITH_SIGNING_KEY'
     ]
...

Varnish configuration

You need to install uplex vmod_blobdigest also available as RPM in mageops repository.

Make sure you have those imports at the beginning of your VCL:

import blobdigest;
import cookie;
import blob;

Add to sub vcl_init

new sha1 =  blobdigest.digest(SHA1);

Add to sub vcl_recv

if (req.http.cookie ~ "X-Magento-Vary=") {
    cookie.parse(req.http.cookie);
    if(! sha1.update( blob.decode( encoded=cookie.get("X-Magento-Vary") + "REPLACE_THIS_WITH_SIGNING_KEY" ) ) ) {
         return (synth(500, "Internal Server Error"));
    }

    if ( blob.encode( encoding=HEX, case=LOWER, blob=sha1.final() ) != cookie.get("X-Magento-Vary-Sign") ) {
         cookie.delete("X-Magento-Vary");
         set req.http.cookie = cookie.get_string();
    }
}

NOTE: First if statement can only fail when update is called after finish, but this is not possible, however VCL do not allow calling object methods, therefore this function mainly as workaround to this limitation.

Do not forget to replace REPLACE_THIS_WITH_SIGNING_KEY with your unique random string, and make sure you use the same value in varnish and magento.

https://creativestyle.atlassian.net/wiki/spaces/MGSDEV/pages/2359951361/VaryCookieSigner+optional

统计信息

  • 总下载量: 18
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 1
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 0
  • Watchers: 4
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: OSL-3.0
  • 更新时间: 2021-03-31

承接程序开发

PHP开发

VUE

Vue开发

前端开发

小程序开发

公众号开发

系统定制

数据库设计

云部署

网站建设

安全加固