Cannot stop Varnish from caching 403 responses

Marinos Yannikos mjy at geizhals.at
Fri Sep 2 10:23:18 CEST 2011


Hi,

I cannot figure this out:

varnishd (varnish-3.0.0 revision 3bd5997)

host1 is not allowed to access <URL> due to IP address blacklisting:

host1:~# HEAD -S <URL>
HEAD <URL> --> 403 denied
Cache-Control: no-cache, no-store, private
Connection: close
Date: Fri, 02 Sep 2011 08:05:15 GMT
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 01 Sep 2011 08:05:15 GMT
Client-Date: Fri, 02 Sep 2011 08:05:15 GMT
Client-Peer: <...>
Client-Response-Num: 1
X-Varnish: 127539184

(from another IP address, which is allowed to access that URL, a few 
seconds later)

host2:~# HEAD -S <URL>
HEAD <URL> --> 403 denied
Cache-Control: no-cache, no-store, private
Connection: close
Date: Fri, 02 Sep 2011 08:05:17 GMT
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 01 Sep 2011 08:05:15 GMT
Client-Date: Fri, 02 Sep 2011 08:05:17 GMT
Client-Peer: <...>
Client-Response-Num: 1
X-Varnish: 127539465 127539184

(a while later)

host2:~# HEAD -S <URL>
...
HEAD <URL> --> 200 OK

So basically 403 responses that are dependent on client IP address in our 
case, are getting cached despite all cache-defeating headers.

varnishlog reports in the second request:
    37 VCL_call     c recv lookup
    37 VCL_call     c hash
    37 Hash         c <URL>
    37 Hash         c <server name>
    37 VCL_return   c hash
    37 Hit          c 127539184
    37 VCL_call     c hit deliver
    37 VCL_call     c deliver deliver
    37 TxProtocol   c HTTP/1.1
    37 TxStatus     c 403
    37 TxResponse   c denied
    37 TxHeader     c Expires: Thu, 01 Sep 2011 08:05:15 GMT
    37 TxHeader     c Pragma: no-cache

So the object is getting stored in the cache despite all those headers - 
how can I prevent it (and why are 403 pages even cached)? default.vcl 
does nothing interesting, it only sets the backend based on server.ip 
and vcl_deliver clears a few headers:

sub vcl_deliver
{
#       remove resp.http.X-Varnish;
         remove resp.http.Via;
         remove resp.http.Age;
         unset resp.http.Server;
         set resp.http.Server = "GH";
}



Regards,
  Marinos
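
An added example, not part of the original post: a Python check over the response headers quoted above that flags a Varnish cache hit (two transaction IDs in X-Varnish, the second being the request that populated the cache) on a response whose own headers forbid caching. The function names are hypothetical; the header values are copied from the post.

```python
from email.utils import parsedate_to_datetime

# Cache-Control directives that forbid a shared cache from reusing a response.
FORBIDDING = {"no-store", "private", "no-cache"}

# Response headers copied from the post (host1 = first request, host2 = second).
COMMON = """Cache-Control: no-cache, no-store, private
Pragma: no-cache
Expires: Thu, 01 Sep 2011 08:05:15 GMT
"""
HOST1 = COMMON + "Date: Fri, 02 Sep 2011 08:05:15 GMT\nX-Varnish: 127539184\n"
HOST2 = COMMON + "Date: Fri, 02 Sep 2011 08:05:17 GMT\nX-Varnish: 127539465 127539184\n"

def parse_headers(dump):
    """Parse 'Name: value' lines into a dict keyed by lowercase header name."""
    headers = {}
    for line in dump.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep and " " not in name.strip():  # skips the 'HEAD <URL> --> ...' line
            headers[name.strip().lower()] = value.strip()
    return headers

def uncacheable_reasons(h):
    """List the headers in this response that tell caches not to store or reuse it."""
    directives = {d.strip().split("=")[0].lower()
                  for d in h.get("cache-control", "").split(",")}
    reasons = sorted("Cache-Control: " + d for d in directives & FORBIDDING)
    if "no-cache" in h.get("pragma", "").lower():
        reasons.append("Pragma: no-cache")
    try:
        if parsedate_to_datetime(h["expires"]) <= parsedate_to_datetime(h["date"]):
            reasons.append("Expires not after Date")
    except (KeyError, TypeError, ValueError):
        pass  # missing or unparsable dates: no Expires-based finding
    return reasons

def audit(dump):
    """Flag a cache hit on a response whose own headers forbid caching."""
    h = parse_headers(dump)
    xids = h.get("x-varnish", "").split()
    origin = xids[1] if len(xids) == 2 else None  # second XID = request that filled the cache
    reasons = uncacheable_reasons(h)
    return {"violation": bool(origin and reasons), "origin_xid": origin, "reasons": reasons}

if __name__ == "__main__":
    for name, dump in (("host1", HOST1), ("host2", HOST2)):
        print(name, audit(dump))
```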