From bd8079743f8d5bec57337f7a9a60c6a81ae343a1 Mon Sep 17 00:00:00 2001
From: Thomas Lynch
Date: Tue, 12 Nov 2024 20:33:04 +1100
Subject: [PATCH] add header restriction to cache purging
---
 varnish/default.vcl | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/varnish/default.vcl b/varnish/default.vcl
index c80771b..4ccd95a 100644
--- a/varnish/default.vcl
+++ b/varnish/default.vcl
@@ -1,6 +1,10 @@
 vcl 4.1;
 import std;
+sub vcl_init {
+ set purge_secret_key = "CHANGEME_YOUR_SECRET_KEY";
+}
+
 # backend pointing to HAProxy
 backend haproxy {
 .path = "/shared-sockets/varnish-to-haproxy-internal.sock";
@@ -14,7 +18,7 @@ acl purge_allowed {
 sub vcl_recv {
 # handle PURGE requests
- if (req.method == "PURGE") {
+ if (req.method == "PURGE" && req.http.X-BasedFlare-Varnish-Key == secret_key) {
 if (req.http.X-Forwarded-For) {
 set req.http.X-Real-IP = regsub(req.http.X-Forwarded-For, ",.*", "");
 } else {
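Review bot: `set purge_secret_key = ...` in the new `vcl_init` assigns to a name that VCL does not define. As far as I know VCL 4.1 has no user-declared variables, so this will probably fail to compile, and the second hunk then compares against `secret_key`, which is a different name again. Pick one mechanism and one name. Since the file already imports `std`, reading the key at the point of comparison with `std.getenv("PURGE_SECRET_KEY")` (the variable name is a placeholder) would also keep the secret out of the repository. If the literal stays, a deployment that leaves `CHANGEME_YOUR_SECRET_KEY` unreplaced gives every client a known key, so add a comment such as `# must be replaced at deploy time; the header check adds nothing until it is`.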
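Review bot: Folding the key test into the outer condition means a PURGE request with a missing or wrong `X-BasedFlare-Varnish-Key` skips this whole block and continues through the rest of `vcl_recv` like an ordinary request, instead of being rejected. Whatever deny path the block contains is then never reached for those requests; the `purge_allowed` ACL in the hunk header suggests there is one, but the body runs past the hunk. Keep `if (req.method == "PURGE") {` and make the first statement inside it `if (req.http.X-BasedFlare-Varnish-Key != secret_key) { return (synth(403, "Forbidden")); }`, using whatever name the `vcl_init` hunk ends up defining. The check should also fail closed when the header is absent or the configured key is empty.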