Varnish caching Drupal private files

[jacobsaw]

I'm having trouble with Drupal private files returning 403s/404s to authenticated users (including admins).

I've added the example regex for system/files in the README in VARNISH_DRUPAL_EXCLUDE_URLS but no luck.

I noticed that cee55bd addressed this but the order was later reversed in e5c91eb. Is there additional config that solves this?

Thanks for these well-documented Docker images!

[csandanov]

Caching is disabled on Varnish for authenticated users in Drupal preset. You probably have an issue somewhere else.

[jacobsaw]

Wouldn't the pass for authenticated users occur too late though? If I move the preset include above the static include and/or remove VARNISH_CACHE_STATIC_FILES, the page is delivered as expected.

[csandanov]

Please describe how to reproduce this issue, it works fine for me with Drupal 8 and enabled/disabled VARNISH_CACHE_STATIC_FILES

[jacobsaw]

Recreated with vanilla docker4drupal with VARNISH_CACHE_STATIC_FILES enabled for both Drupal 7 and Drupal 8.

Steps to recreate:

• Install Drupal
• Configure private file system and add a field to a content type that uses the private file system (Article has one if using standard install)
• Create an unpublished node

Expected result:

• Anonymous users should get a 403 and users with appropriate permissions should see the file
• Both anonymous and authenticated users receive a 403

[csandanov]

Thank you. I was able to reproduce the issue (I thought you always get 403 when access isn't restricted). Indeed the original issue with the ordering of cookies strip remained, it's probably was reversed because the way it was fixed wasn't right and broke other things. The fix has been applied, please check the latest version.

[jacobsaw]

Perfect, pulled the latest and my original issue is resolved. Thank you for the fix!

[drasgardian]

It looks like this change has disabled the caching ALL static files for authenticated users if a preset is being used.

While it is good that Drupal private files (/system/files/*) should not be cached for authenticated users, there are lots of other files that should still be cached. e.g. public files, css, js, images included in theme or module folders etc.

How about putting includes/static.vcl back above the presets, but checking for VARNISH_DRUPAL_EXCLUDE_URLS inside static.vcl?

[pprishchepa]

@drasgardian do you have VARNISH_CACHE_STATIC_FILES enabled in your environment? It's required because static files not cached by default.

[gene-miller]

@PavelPrischepa (working with @drasgardian) yes we do have VARNISH_CACHE_STATIC_FILES enabled. The order of operations in the default VCL means that this has no effect for authenticated users.