Varnish prevent esi access from external source

Question

I have Varnish up and running and every thing works just fine.

But I am using esi <esi:include src="/esi/cache/temp.phtml?id=1"/> and well it works fine but I want to prevent that external resources can access the esi directory.

Now I have it working by setting a header in varnish with the req.esi_level. It will be 0 if you access a esi directly and well otherwise it will be n+1

The only issue with this is that is will hit the back end will I think/hope Varnish it self can prevent access to the esi directory.

tl;dr how can you prevent external access to an esi directory with varnish

Answer 1

In your VCL, instead of setting a header with the value of request.esi_level, just short circuit requests for those resources with esi_level of 0.

pseudo-vcl:

if (req.esi_level == 0 && req.url ~ "^/esi/.*") {
    error (403);
}