When a user logouts out, Varnish throws a 503 server error on all pages

Comments

bfroehle’s picture

bfroehle commented
Status: Active » Postponed (maintainer needs more info)

@Shefik: Can you provide some more debugging information? I'm not currently using Varnish, and I don't think the other maintaner (@metzlerd) is either.

Is there helpful information in any error log?

How are you initiating the logout? Are you being redirected to the CAS server logout page?

shefik’s picture

shefik commented

There was a build of this module dated March 30. Did you recently remove it? Now, the date says March 29.

bfroehle’s picture

bfroehle commented

@Shefik: No, we have no control over the automated builds. Nothing significant should have changed in the past ~5 days with the exception of adding test routines (which are in separate files and should not effect the performance of CAS itself).

The date difference, by the way, is likely a timezone phenomenon. The page shows March 30th if I'm not logged in, but March 29th if I am. It's likely because the anonymous user and I have different timezones set.

shefik’s picture

shefik commented

It looks like it has something to do with the function _cas_single_sign_out_check();

When that is called, it throws the error in Varnish.

Also, it then prevents the user to login again, since al pages have the 503 error.

bfroehle’s picture

bfroehle commented

@Shefik: Can you provide any more specificity? There's still not enough here for me to be able to help you, short of installing Varnish myself which I do not have time for at the moment.

shefik’s picture

shefik commented

I have a fix for the problem, which appears to be working for me at the moment.

In the Varnish .vcl configuration file, I added these lines to "sub vcl_recv", to prevent the "/cas" URI from being cached by Varnish:

/**
* Don't cache cas.
*/
if (req.url ~ "^cas$") {
return (pass);
}

If that URI is cached by Varnish, then it causes issues when the user logs in and out, resulting in server error code 503 (for any page handled by the cas modules) for all other users.

bfroehle’s picture

bfroehle commented
Status: Postponed (maintainer needs more info) » Active

@Shefik: That's great to know. Is there a similar exception for 'user/login' or similar? Or is there a way we can change the CAS module code to be compatible?

Regardless, we should document this someplace for others.

bfroehle’s picture

bfroehle commented

@Shefik: That's great to know. Is there a similar exception for 'user/login' or similar? Or is there a way we can change the CAS module code to be compatible?

Regardless, we should document this someplace for others.

shefik’s picture

shefik commented
Status: Active » Postponed (maintainer needs more info)

Do you know how often the automated builds get generated?

Any certain schedule, such as daily, weekly, monthly, etc.?

bfroehle’s picture

bfroehle commented

Shefik: Every 12 hours, but I don't know what time of day. But of course there won't be a new build if there weren't any source code changes.

bfroehle’s picture

bfroehle commented
Component: Code » Documentation
Priority: Major » Normal
Status: Postponed (maintainer needs more info) » Active
shefik’s picture

shefik commented

@bfroehle - I'll be posting additional info on this Varnish issue during the upcoming week. I executed more testing on my end, and I think I may have pinpointed a more specific behavior that should be addressed overall. Based on this recent testing, I may have been premature in my advice to simply resolve the issue by just preventing the "/cas" URI from being cached by Varnish. In fact, I am almost on the verge of completely withdrawing that particular advice. Instead, I'm getting "back to the drawing board". I am now theorizing on possibly a more efficient and practical solution, one that can lend itself to be utilized site-wide via any other Varnish-conflicted module (if any).

bfroehle’s picture

bfroehle commented

@Shefik: Awesome! If any architectural changes are needed for CAS for compatibility, we can discuss those here as well.

bfroehle’s picture

bfroehle commented
Category: bug » task
Status: Active » Postponed (maintainer needs more info)

Shefik: Any chance you could post your final working Varnish + CAS configuration (or add it to the CAS Documentation)?

cilefen’s picture

cilefen commented
Issue summary: View changes
Status: Postponed (maintainer needs more info) » Closed (cannot reproduce)

Marking this as Closed (cannot reproduce) because there is no clear answer in the comments and the issue reporter has not responded in three years.

vinmassaro’s picture

vinmassaro commented

@cilefen: Just to follow up, it looks like a session cookie is set when visiting /cas. All Varnish configurations you will find online for Drupal are set to pass to the backend when a session cookie is set. This means that no additional configuration should be necessary on the Varnish end for CAS to work. It's unclear if Gateway mode works with Varnish without additional configuration though.

cilefen’s picture

cilefen commented

@vinmassaro: That makes sense to me and probably that it is the reason this problem has not arisen generally.