Using JSON Web Tokens & Varnish to cache content for logged-in users - DrupalCon Vienna 2017

by Thijs Feryn

Slide 1

Slide 1 text

By Thijs Feryn Using JSON Web Tokens & Varnish to cache content for logged-in users

Slide 2

Slide 2 text

Slow websites suck

Slide 3

Slide 3 text

Web performance is an essential part of the user experience

Slide 4

Slide 4 text

SLOW Slowdown ~ downtime

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

Heavy load

Slide 7

Slide 7 text

Mo money Mo servers

Slide 8

Slide 8 text

Cache

Slide 9

Slide 9 text

Don’t recompute if the data hasn’t changed

Slide 10

Slide 10 text

Normally User Server

Slide 11

Slide 11 text

With Varnish User Varnish Server

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

Hi, I’m Thijs

Slide 14

Slide 14 text

I’m @ThijsFeryn on Twitter

Slide 15

Slide 15 text

I’m an Evangelist At

Slide 16

Slide 16 text

I’m an Evangelist At

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

Let's dive right in!

Slide 19

Slide 19 text

Website for big TV channel

Slide 20

Slide 20 text

Video content is very popular

Slide 21

Slide 21 text

Drupal 7 with Varnish

Slide 22

Slide 22 text

Hit rate is great!

Slide 23

Slide 23 text

Business requirement

Slide 24

Slide 24 text

Force users to log in to watch full episodes

Slide 25

Slide 25 text

No content

Slide 26

Slide 26 text

SESS8776ed48f0b08839e2cd7485bc08b4d0= O12RKyXsM8_f8vC3xJPE4WtGyGH4eirXhT_AcN5 MTGI

Slide 27

Slide 27 text

Cache bypass

Slide 28

Slide 28 text

User-specific content

Slide 29

Slide 29 text

Compromise: disable login when it's too busy

Slide 30

Slide 30 text

What if we could create cache variations for logged-in users?

Slide 31

Slide 31 text

MariaDB [drupal]> select * from main_sessions; +-----+---------------------------------------------+------+-----------------+------------+-------+---------+ | uid | sid | ssid | hostname | timestamp | cache | session | +-----+---------------------------------------------+------+-----------------+------------+-------+---------+ | 2 | 26lbuJAm37NrudWYaJ8TcW1u7J7WFs7TjAWOhjv-krI | | 141.135.242.208 | 1505304003 | 0 | | | 2 | O12RKyXsM8_f8vC3xJPE4WtGyGH4eirXhT_AcN5MTGI | | 141.135.242.208 | 1505307466 | 0 | | +-----+---------------------------------------------+------+-----------------+------------+-------+---------+ SESS8776ed48f0b08839e2cd7485bc08b4d0= O12RKyXsM8_f8vC3xJPE4WtGyGH4eirXhT_AcN5MTGI Client-side Server-side

Slide 32

Slide 32 text

How do you identify a logged-in user without accessing the backend every time?

Slide 33

Slide 33 text

Push session information from the server to the client

Slide 34

Slide 34 text

JSON Web Tokens

Slide 35

Slide 35 text

Marco Pivetta introduced me to JWT https://twitter.com/ocramius

Slide 36

Slide 36 text

JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOi JhZG1pbiIsImV4cCI6MTQ5NTUyODc1NiwibG9naW4iOnRyd WV9.u4Idy-SYnrFdnH1h9_sNc4OasORBJcrh2fPo1EOTre8 ✓3 parts ✓Dot separated ✓Base64 encoded JSON ✓Header ✓Payload ✓Signature (HMAC with secret)

Slide 37

Slide 37 text

eyJzdWIiOiJhZG1pbiIsIm V4cCI6MTQ5NTUyODc1Niwi bG9naW4iOnRydWV9 { "alg": "HS256", "typ": "JWT" } { "sub": "admin", "exp": 1495528756, "login": true } HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret ) eyJhbGciOiJIUzI1NiIsI nR5cCI6IkpXVCJ9 u4Idy- SYnrFdnH1h9_sNc4OasOR BJcrh2fPo1EOTre8

Slide 38

Slide 38 text

https://jwt.io

Slide 39

Slide 39 text

No content

Slide 40

Slide 40 text

JWT Cookie:jwt_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiJhZG1pbiIsImV4cCI6MTQ5NTUyODc1NiwibG9naW4iOn RydWV9.u4Idy-SYnrFdnH1h9_sNc4OasORBJcrh2fPo1EOTre8 ✓Stored in a cookie ✓Can be validated by Varnish ✓Payload can be processed by any language (e.g. Javascript)

Slide 41

Slide 41 text

Drupal creates JWT alongside the regular session

Slide 42

Slide 42 text

Drupal template loads stateful data from JWT in Javascript

Slide 43

Slide 43 text

Andreas De Rijcke built the custom Drupal module to handle JWT https://twitter.com/andreasderijcke https://gitlab.com/andreasderijcke/jwt-cookie

Slide 44

Slide 44 text

{ "iss": "drupaljwt.feryn.eu", "jti": "mIEBDk2zFP3nqrlDuEScTsc4fVocTmhrkp36fQwJQdA", "iat": 1505313422, "exp": 1507313422, "uid": "2", "roles": "authenticated user", "data": "{\"html\":{\"user-name\":\"test1\"},\"attr\":{\"user- url\":{\"href\":\"\\/user\\/2\"}}}" } Issuer

Slide 45

Slide 45 text

Slide 46

Slide 46 text

Slide 47

Slide 47 text

Slide 48

Slide 48 text

Slide 49

Slide 49 text

Slide 50

Slide 50 text

Slide 51

Slide 51 text

Meanwhile I wrote some VCL code

Slide 52

Slide 52 text

Using vmod_digest for HMAC & base64

Slide 53

Slide 53 text

vcl 4.0;    import std;  import var;  import cookie;  import digest;    acl internal {  "192.168.20.0"/24;  }    backend default {  .host = "127.0.0.1";  .port = "8080";  }

Slide 54

Slide 54 text

sub vcl_recv {  var.set(“key",std.fileread("/home/drupal/jwt.key"));    if ((req.method != "GET" && req.method != "HEAD") || req.http.Authorization) {  return (pass);  }    if (req.url ~ "^/(cron|install|update)\.php$" && !client.ip ~ internal) {  return (synth(404, "Page not found."));  }    if (req.url ~ "(?i)\.(png|gif|jpeg|jpg|ico|swf|css|js|html|htm|woff)(\?[wd=.-]+)?$") {  unset req.http.Cookie;  return(hash);  }    if (req.http.Cookie) {  cookie.parse(req.http.cookie);    if(req.http.cookie ~ ".*(SESS[a-z0-9]+)=.*") {  var.set("sessionCookie",regsub(req.http.cookie,".*(SESS[a-z0-9]+)=.*","\1"));  }    cookie.filter_except("PHPSESSID,NO_CACHE,ci_session,CI_SESSION,authtoken,jwt_cookie,"+var.get("sessionCookie"));    set req.http.cookie = cookie.get_string();    if (req.http.Cookie ~ "^\s*$") {  unset req.http.Cookie;  }  }  call jwt; if(var.get("roles") ~ "administrator") {  std.log("Administrators bypass the cache");  return(pass);  }    if(req.url == "/login" && req.http.X-login =="true") {  return(synth(302,"/user"));  } 

Slide 55

Slide 55 text

    if(var.get("roles") ~ "administrator") {  std.log("Administrators bypass the cache");  return(pass);  }    if(req.url == "/login" && req.http.X-login == "true") {  return(synth(302,"/user"));  }    if(req.url == "/user" && req.http.X-login != "true") {  return (hash);  }    if (req.url == "/user/password" || req.url == "/user/register") {  return(hash);  }    if(req.url ~ "^/user/login") {  return(hash);  }    if (req.url == "/status.php" ||  req.url == "/ooyala/ping" ||  req.url == "/user" ||  req.url ~ "^/admin/.*$" ||  req.url ~ "^/info/.*$" ||  req.url ~ "^/flag/.*$" ||  req.url ~ "^.*/ajax/.*$" ||  req.url ~ "^.*/ahah/.*$" ||  req.url ~ "^/rest/.*$" ||  req.url ~ "^/users?/.*$"  ) {  return (pass);  }    return(hash);  }

Slide 56

Slide 56 text

sub vcl_hash {  if (req.http.X-Forwarded-Proto) {  hash_data(req.http.X-Forwarded-Proto);  }  }    sub vcl_backend_response {  set beresp.http.x-url = bereq.url;  set beresp.http.x-host = bereq.http.host;    if (bereq.url ~ "(?i)\.(png|gif|jpeg|jpg|ico|swf|css|js|html|htm)(\?[wd=.-]+)?$") {  unset beresp.http.set-cookie;  }  }  sub vcl_synth {  if (resp.status == 301 || resp.status == 302) {  set resp.http.location = resp.reason;  set resp.reason = "Moved";  return (deliver);  }  }

Slide 57

Slide 57 text

sub jwt {  if(cookie.isset("jwt_cookie")) {  var.set("token", cookie.get("jwt_cookie"));  var.set("header", regsub(var.get("token"),"([^\.]+)\.[^\.]+\.[^\.]+","\1"));  var.set("type", regsub(digest.base64url_decode(var.get("header")),{"^.*?"typ"\s*:\s*"(\w+)".*?$"},"\1"));  var.set("algorithm", regsub(digest.base64url_decode(var.get("header")),{"^.*?"alg"\s*:\s*"(\w+)".*? $"},"\1"));    if(var.get("type") == "JWT" && var.get("algorithm") == "HS256") {  var.set("rawPayload",regsub(var.get("token"),"[^\.]+\.([^\.]+)\.[^\.]+$","\1"));  var.set("signature",regsub(var.get("token"),"^[^\.]+\.[^\.]+\.([^\.]+)$","\1"));  var.set("currentSignature",digest.base64url_nopad_hex(digest.hmac_sha256(var.get("key"),var.get("header") + "." + var.get("rawPayload"))));  var.set("payload", digest.base64url_decode(var.get("rawPayload")));  var.set("exp",regsub(var.get("payload"),{"^.*?"exp"\s*:\s*([0-9]+).*?$"},"\1"));  var.set("jti",regsub(var.get("payload"),{"^.*?"jti"\s*:\s*"([a-z0-9A-Z_\-]+)".*?$"},"\1"));  var.set("userId",regsub(var.get("payload"),{"^.*?"uid"\s*:\s*"([0-9]+)".*?$"},"\1"));  var.set("roles",regsub(var.get("payload"),{"^.*?"roles"\s*:\s*"([a-z0-9A-Z_\-, ]+)".*?$"},"\1"));    if(std.time(var.get("exp"),now) >= now && cookie.get(var.get("sessionCookie")) == var.get(“jti”) && var.get("signature") == var.get("currentSignature")) {  set req.http.X-login="true";  }  }   }    if(req.url ~ "/node/2" && req.url !~ "^/user/login") {  if(req.http.X-login != "true") {  return(synth(302,"/user/login?destination=" + req.url));  }  }  }

Slide 58

Slide 58 text

Slide 59

Slide 59 text

sub jwt {  if(cookie.isset("jwt_cookie")) {  var.set("token", cookie.get("jwt_cookie"));  var.set("header", regsub(var.get("token"),"([^\.]+)\.[^\.]+\.[^\.]+","\1"));  var.set("type", regsub(digest.base64url_decode(var.get("header")),{"^.*?"typ"\s*:\s*"(\w+)".*?$"},"\1"));  var.set("algorithm", regsub(digest.base64url_decode(var.get("header")),{"^.*?"alg"\s*:\s*"(\w+)".*? $"},"\1"));    if(var.get("type") == "JWT" && var.get("algorithm") == "HS256") {  var.set("rawPayload",regsub(var.get("token"),"[^\.]+\.([^\.]+)\.[^\.]+$","\1"));  var.set("signature",regsub(var.get("token"),"^[^\.]+\.[^\.]+\.([^\.]+)$","\1"));  var.set("currentSignature",digest.base64url_nopad_hex(digest.hmac_sha256(var.get("key"),var.get("header") + "." + var.get("rawPayload"))));  var.set("payload", digest.base64url_decode(var.get("rawPayload")));  var.set("exp",regsub(var.get("payload"),{"^.*?"exp"\s*:\s*([0-9]+).*?$"},"\1"));  var.set("jti",regsub(var.get("payload"),{"^.*?"jti"\s*:\s*"([a-z0-9A-Z_\-]+)".*?$"},"\1"));  var.set("userId",regsub(var.get("payload"),{"^.*?"uid"\s*:\s*"([0-9]+)".*?$"},"\1"));  var.set("roles",regsub(var.get("payload"),{"^.*?"roles"\s*:\s*"([a-z0-9A-Z_\-, ]+)".*?$"},"\1"));    if(std.time(var.get("exp"),now) >= now && cookie.get(var.get("sessionCookie")) == var.get(“jti”) && var.get("signature") == var.get("currentSignature")) {  set req.http.X-login="true";  }  }   }   if(req.url ~ "/node/2" && req.url !~ "^/user/login") {  if(req.http.X-login != "true") {  return(synth(302,"/user/login?destination=" + req.url));  }  }  }

Slide 60

Slide 60 text

Slide 61

Slide 61 text

Slide 62

Slide 62 text

sub jwt {  if(cookie.isset("jwt_cookie")) {  var.set("token", cookie.get("jwt_cookie"));  var.set("header", regsub(var.get("token"),"([^\.]+)\.[^\.]+\.[^\.]+","\1"));  var.set("type", regsub(digest.base64url_decode(var.get("header")),{"^.*?"typ"\s*:\s*"(\w+)".*?$"},"\1"));  var.set("algorithm", regsub(digest.base64url_decode(var.get("header")),{"^.*?"alg"\s*:\s*"(\w+)".*? $"},"\1"));    if(var.get("type") == "JWT" && var.get("algorithm") == "HS256") {  var.set("rawPayload",regsub(var.get("token"),"[^\.]+\.([^\.]+)\.[^\.]+$","\1"));  var.set("signature",regsub(var.get("token"),"^[^\.]+\.[^\.]+\.([^\.]+)$","\1"));  var.set("currentSignature",digest.base64url_nopad_hex(digest.hmac_sha256(var.get("key"),var.get("header") + "." + var.get("rawPayload"))));  var.set("payload", digest.base64url_decode(var.get("rawPayload")));  var.set("exp",regsub(var.get("payload"),{"^.*?"exp"\s*:\s*([0-9]+).*?$"},"\1"));  var.set("jti",regsub(var.get("payload"),{"^.*?"jti"\s*:\s*"([a-z0-9A-Z_\-]+)".*?$"},"\1"));  var.set("userId",regsub(var.get("payload"),{"^.*?"uid"\s*:\s*"([0-9]+)".*?$"},"\1"));  var.set("roles",regsub(var.get("payload"),{"^.*?"roles"\s*:\s*"([a-z0-9A-Z_\-, ]+)”.*?$"},"\1"));   if(std.time(var.get("exp"),now) >= now && cookie.get(var.get("sessionCookie")) == var.get(“jti”) && var.get("signature") == var.get("currentSignature")) {  set req.http.X-login="true";  }  }   }    if(req.url ~ "/node/2" && req.url !~ "^/user/login") {  if(req.http.X-login != "true") {  return(synth(302,"/user/login?destination=" + req.url));  }  }  }

Slide 63

Slide 63 text

Cache variations

Slide 64

Slide 64 text

Vary: X-login Vary header sent by Drupal X-login header set by Varnish Creates cache variations in Varnish

Slide 65

Slide 65 text

Let's talk Drupal

Slide 66

Slide 66 text

Modules ✓Varnish ✓Key (store JWT key) ✓HTTP Response Headers + UI (set cache-control) ✓JWT cookie (set JWT token) ✓JWT cookie Example (replace content & display meta info)

Slide 67

Slide 67 text

No content

Slide 68

Slide 68 text

No content

Slide 69

Slide 69 text

No content

Slide 70

Slide 70 text

Slide 71

Slide 71 text

->set('uid', $user->uid) ->set('roles', implode(',', $user->roles)); // When we use data from cache, we don't need to clean the data again. if (!$cached) { // Get and clean the data. Discard the rest. $attr = isset($data['attr']) ? $data['attr'] : array(); $html = isset($data['html']) ? $data['html'] : array(); unset($data); foreach ($html as $tag => $value) { $html[$tag] = _jwt_cookie_clean_value($value); } $data['html'] = $html; foreach ($attr as $tag => $attributes) { foreach ($attributes as $attribute => $value) { $attributes[$attribute] = _jwt_cookie_clean_value($value); } } $data['attr'] = $attr; // Store in cache. _jwt_cookie_cache_set($user->uid, $data); } $data = json_encode($data); $builder->set('data', $data); // Wrap up and set the cookie. $signature = _jwt_cookie_get_signature_key(); $builder->sign($signer, $signature); $token = $builder->getToken(); return setcookie(JWT_COOKIE_NAME, $token, $expiration, '/', '.' . $cookie_domain); }

Slide 72

Slide 72 text

https://gitlab.com/andreasderijcke/jwt-cookie

Slide 73

Slide 73 text

Push session information from the server to the client

Slide 74

Slide 74 text

No content

Slide 75

Slide 75 text

https://feryn.eu https://twitter.com/ThijsFeryn https://instagram.com/ThijsFeryn

Slide 76

Slide 76 text

No content