While deploying a new Varnish Cache setup, we came across an annoying problem - which turned out to be not a problem at all.
The large request header problem is nothing new to us, so we immediately thought we've run into a request header limit, something we've dealt with in the past already. Varnish Cache sets this limit to 8k by default, but it can be increased using the http_req_hdr_len parameter.
When this request header limit is hit, the receiving web/proxy server usually responds with a HTTP 400 (Bad Request) status. But in this particular case a HTTP 200 was delivered back to the client - even though the varnishlog output clearly showed a cut (truncated) Cookie header:
$ curl -H "Host: www.example.com" "http://localhost:6081/" -H "Cookie: _ga=GA1.2.XXXXXXXXX.XXXXXXXXX; _ga_XXXXXXXXX=GS1.1.1111111111.5.1.2222222222.0; CLAUDIOTESTCOOKIE=adasfasfdasfasdfasdfasdf; ASP.NET_SessionId=5v3oxrpmereww5r5lfdfyalh; _STTT=1222,12.01.2022 00:00:00; cookieOptIn=1; ip-login=1; _gid=GA1.2.1234567891.1641981198; WP-XSRF-TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXXXX_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; WP-XSRF-V=-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; WP_UCONTEXT=WP_UCONTEXT=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_xxxxxxxxxxxxxxxxxxx;WP_UPDCHK=1;" -H "Upgrade-Insecure-Requests: 1"
$ sudo varnishlog
[...]
- ReqHeader Cookie:
_ga=GA1.2.XXXXXXXXX.XXXXXXXXX;
_ga_XXXXXXXXX=GS1.1.1111111111.5.1.2222222222.0;
CLAUDIOTESTCOOKIE=adasfasfdasfasdfasdfasdf;
ASP.NET_SessionId=5v3oxrpmereww5r5lfdfyalh; _STTT=1222,12.01.2022
00:00:00; cookieOptIn=1; ip-login=1; _gid=GA1.2.123456
All the other headers were also showing up fine, only the (large) Cookie header seems to be cut.
To find out the reason, all the relevant header and workspace parameters were adjusted, even though the typical symptom (HTTP 400), did not show up. But with no success, the result was still a cut Cookie header in varnishlog.
After additional research, we finally came across an important hint in an old mailing list post. Varnish actually does not cut the Cookie header, it's merely a display limitation in the varnishlog command. This is controlled by the vsl_reclen (previously: shm_reclen) parameter and is by default set to 255 Bytes:
root@varnish:~# varnishadm param.show vsl_reclen
vsl_reclen
Value is: 255b [bytes] (default)
Minimum is: 16b
Maximum is: 4084b
Maximum number of bytes in SHM log record.
The maximum tracks the vsl_buffer parameter - 12 bytes.
Note: In Varnish Plus (the commercial edition), the default is already set to the maximum of 4084b.
To change the default, the vsl_reclen parameter can be increased on the fly:
root@varnish:~# varnishadm param.set vsl_reclen 4084b
Right after this, the curl request was sent again and varnishlog finally displays the full Cookie header:
$ curl -H "Host: www.example.com" "http://localhost:6081/" -H "Cookie: _ga=GA1.2.XXXXXXXXX.XXXXXXXXX; _ga_XXXXXXXXX=GS1.1.1111111111.5.1.2222222222.0; CLAUDIOTESTCOOKIE=adasfasfdasfasdfasdfasdf; ASP.NET_SessionId=5v3oxrpmereww5r5lfdfyalh; _STTT=1222,12.01.2022 00:00:00; cookieOptIn=1; ip-login=1; _gid=GA1.2.1234567891.1641981198; WP-XSRF-TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXXXX_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; WP-XSRF-V=-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; WP_UCONTEXT=WP_UCONTEXT=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_xxxxxxxxxxxxxxxxxxx;; WP_UPDCHK=1;" -H "Upgrade-Insecure-Requests: 1"
$ sudo varnishlog
[...]- ReqHeader Cookie: _ga=GA1.2.XXXXXXXXX.XXXXXXXXX; _ga_XXXXXXXXX=GS1.1.1111111111.5.1.2222222222.0; CLAUDIOTESTCOOKIE=adasfasfdasfasdfasdfasdf; ASP.NET_SessionId=5v3oxrpmereww5r5lfdfyalh; _STTT=1222,12.01.2022 00:00:00; cookieOptIn=1; ip-login=1; _gid=GA1.2.1234567891.1641981198; WP-XSRF-TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXXXX_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; WP-XSRF-V=-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; WP_UCONTEXT=WP_UCONTEXT=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_xxxxxxxxxxxxxxxxxxx;; WP_UPDCHK=1;
Thanks to the adjusted line size in the output, all the Cookies could finally be analyzed. This is especially important, when Cookie trimming or replacement happens in the VCL.
No comments yet.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office OpenSearch PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder