Varnish removing tags incorrectly fromURL
cristian.c at istream.today
cristian.c at istream.today
Wed Mar 27 13:29:52 UTC 2019
Hello,
I would highly appreciate if I get some help on the following issu:
The query string from the end (== erstellen4) is being incorrectly
appended to the token because the Varnish is not removing the tags
correctly.
https://xxxxxx.my/aa/?ResetPasswordToken=4P/weCg49hetX25dVAJxGW0i2GcwuN3bB3z
xbMiYLo+3Kfpk199F9ZjwvSP3g8mrPq/opmCosoDmkTHYx3CYK+ABEFrF92y+R0V9icpnLep+f+z
fPJjVOZ+M6wa1egt+GNktWIdBIruXXREYAboEQyBtHmgGJQe25KoCUvfUe1ySZlcFre5Dk913ktB
D/wvwrtt/O6T2e9aUn2aiKkKdtA==&utm_source=acc_activation&utm_medium=email&utm
_campaign=FW_new_customer_activation_2-2019032713&utm_content=Zugangsdaten+e
rstellen4
This is what I get by looking at the logs:
After reset password token:
4P/weCg49hetX25dVAJxGW0i2GcwuN3bB3zxbMiYLo3Kfpk199F9ZjwvSP3g8mrPq/opmCosoDmk
THYx3CYK
ABEFrF92yR0V9icpnLepfzfPJjVOZM6wa1egtGNktWIdBIruXXREYAboEQyBtHmgGJQe25KoCUvf
Ue1ySZlcFre5Dk913ktBD/wvwrtt/O6T2e9aUn2aiKkKdtA== erstellen4
This is my varnish config :
#
# Marker to tell the VCL compiler that this VCL has been adapted to the
# new 4.0 format.
vcl 4.0;
import directors;
import std;
acl monitoring {
"localhost";
"192.xxx.xxx.xxx"/32; /* Collector */
"83.xxx.xxx.xxx"/32; /* LB */
}
acl purge {
"xxx.xxx.xxx.xxx"/32; /* */
"xxx.xxx.xxx.xxx"/32; /* */
}
include "/etc/varnish/backend.vcl";
sub vcl_init {
include "/etc/varnish/director.vcl";
}
sub vcl_recv {
# Happens before we check if we have this in cache already.
#
# Typically you clean up the request here, removing cookies you don't
need,
#A
#rewriting the request, etc.
#set req.backend_hint = vweb.backend(req.http.X-Forwarded-For);
#set req.backend_hint = fbdirector.backend();
#
# Set hash directory with hashing option X-Forwarded for becuase we use
nginx between the client and vanrish
#set req.backend_hint = hashdirector.backend(req.http.X-Forwarded-For);
#
# Monitoring for FortiADC if faild, the proxy is taken out, if all fails
then hit maintance page.
if (req.method == "GET" && req.url == "/varnish-status") {
if (client.ip ~ monitoring) {
#if (std.healthy(hashdirector.backend(req.http.X-Forwarded-For))) {
return(synth(200, "OK"));
#} else {
# return(synth(503, "No backends available"));
#}
} else {
return(synth(403, "Access denied."));
}
}
include "/etc/varnish/vhost.vcl";
# Remove the proxy header (see https://httpoxy.org/#mitigate-varnish)
unset req.http.proxy;
# Allow purging
if (req.method == "PURGE") {
if (!client.ip ~ purge) { # purge is the ACL defined at the begining
# Not from an allowed IP? Then die with an error.
return (synth(405, "IP: " + client.ip + " is not allowed to send
PURGE requests."));
}
# If you got this stage (and didn't error out above), purge the cached
result
return (purge);
}
# Only allow BAN requests from IP addresses in the 'purge' ACL.
if (req.method == "BAN") {
# Same ACL check as above:
if (!client.ip ~ purge) {
return (synth(405, "IP: " + client.ip + " is not allowed
to send BAN requests."));
}
# manual sudo varnishadm "ban req.http.host ~ www.mydomain.com"
ban("req.http.host ~ " + req.http.host);
# Throw a synthetic page so the request won't go to the backend.
return (synth(200, "BAN for " + req.http.host + " done"));
}
# Only cache GET or HEAD requests. This makes sure the POST requests are
always passed.
if (req.method != "GET" && req.method != "HEAD") {
return (pass);
}
# Some generic URL manipulation, useful for all templates that follow
# First remove the Google Analytics added parameters, useless for our
backend
if (req.url ~
"(\?|&)(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteu
rl)=") {
set req.url = regsuball(req.url,
"&(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteurl)=(
[A-z0-9_\-\.%25]+)", "");
set req.url = regsuball(req.url,
"\?(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteurl)=
([A-z0-9_\-\.%25]+)", "?");
set req.url = regsub(req.url, "\?&", "?");
set req.url = regsub(req.url, "\?$", "");
}
# Strip hash, server doesn't need it.
if (req.url ~ "\#") {
set req.url = regsub(req.url, "\#.*$", "");
}
# Strip a trailing ? if it exists
if (req.url ~ "\?$") {
set req.url = regsub(req.url, "\?$", "");
}
# Some generic cookie manipulation, useful for all templates that follow
# Remove the "has_js" cookie
set req.http.Cookie = regsuball(req.http.Cookie, "has_js=[^;]+(; )?", "");
# Remove any Google Analytics based cookies
set req.http.Cookie = regsuball(req.http.Cookie, "__utm.=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "_ga=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "_gat=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "utmctr=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "utmcmd.=[^;]+(; )?",
"");
set req.http.Cookie = regsuball(req.http.Cookie, "utmccn.=[^;]+(; )?",
"");
# Remove DoubleClick offensive cookies
set req.http.Cookie = regsuball(req.http.Cookie, "__gads=[^;]+(; )?", "");
# Remove the Quant Capital cookies (added by some plugin, all __qca)
set req.http.Cookie = regsuball(req.http.Cookie, "__qc.=[^;]+(; )?", "");
# Remove the AddThis cookies
set req.http.Cookie = regsuball(req.http.Cookie, "__atuv.=[^;]+(; )?",
"");
# Remove a ";" prefix in the cookie if present
set req.http.Cookie = regsuball(req.http.Cookie, "^;\s*", "");
# Are there cookies left with only spaces or that are empty?
if (req.http.cookie ~ "^\s*$") {
unset req.http.cookie;
}
# Large static files are delivered directly to the end-user without
# waiting for Varnish to fully read the file first.
# Varnish 4 fully supports Streaming, so set do_stream in
vcl_backend_response()
if (req.url ~
"^[^?]*\.(7z|avi|bz2|flac|flv|gz|mka|mkv|mov|mp3|mp4|mpeg|mpg|ogg|ogm|opus|r
ar|tar|tgz|tbz|txz|wav|webm|xz|zip)(\?.*)?$") {
unset req.http.Cookie;
return (hash);
}
#Remove all cookies for static files
if (req.url ~
"^[^?]*\.(7z|avi|bmp|bz2|css|csv|doc|docx|eot|flac|flv|gif|gz|ico|jpeg|jpg|j
s|less|mka|mkv|mov|mp3|mp4|mpeg|mpg|odt|otf|ogg|ogm|opus|pdf|png|ppt|pptx|ra
r|rtf|svg|svgz|swf|tar|tbz|tgz|ttf|txt|txz|wav|webm|webp|woff|woff2|xls|xlsx
|xml|xz|zip)(\?.*)?$") {
unset req.http.Cookie;
return (hash);
}
# Send Surrogate-Capability headers to announce ESI support to backend
set req.http.Surrogate-Capability = "key=ESI/1.0";
if (req.http.Authorization) {
# Not cacheable by default
return (pass);
}
if (req.url == "/checksite.aspx") {
# Dont cache monitoring url
return (pass);
}
return (hash);
}
sub vcl_backend_response {
# Happens after we have read the response headers from the backend.
#
# Here you clean the response headers, removing silly Set-Cookie headers
# and other mistakes your backend does.
#
#
set beresp.http.X-Backend = beresp.backend.name;
# Remove some headers: ASP version
unset beresp.http.X-Powered-By;
# Remove cookie with empty basketid useless... VL should fix on backend
if (beresp.http.set-cookie == "BasketID=; path=/") {
unset beresp.http.set-cookie;
}
# Pause ESI request and remove Surrogate-Control header
if (beresp.http.Surrogate-Control ~ "ESI/1.0") {
unset beresp.http.Surrogate-Control;
set beresp.do_esi = true;
}
# Enable cache for all static files
# The same argument as the static caches from above: monitor your cache
size, if you get data nuked out of it, consider giving up the static file
cache.
# Before you blindly enable this, have a read here:
https://ma.ttias.be/stop-caching-static-files/
if (bereq.url ~
"^[^?]*\.(7z|avi|bmp|bz2|css|csv|doc|docx|eot|flac|flv|gif|gz|ico|jpeg|jpg|j
s|less|mka|mkv|mov|mp3|mp4|mpeg|mpg|odt|otf|ogg|ogm|opus|pdf|png|ppt|pptx|ra
r|rtf|svg|svgz|swf|tar|tbz|tgz|ttf|txt|txz|wav|webm|webp|woff|woff2|xls|xlsx
|xml|xz|zip)(\?.*)?$") {
unset beresp.http.set-cookie;
}
# Large static files are delivered directly to the end-user without
# waiting for Varnish to fully read the file first.
# Varnish 4 fully supports Streaming, so use streaming here to avoid
locking.
if (bereq.url ~
"^[^?]*\.(7z|avi|bz2|flac|flv|gz|mka|mkv|mov|mp3|mp4|mpeg|mpg|ogg|ogm|opus|r
ar|tar|tgz|tbz|txz|wav|webm|xz|zip)(\?.*)?$") {
unset beresp.http.set-cookie;
set beresp.do_stream = true; # Check memory usage it'll grow in
fetch_chunksize blocks (128k by default) if the backend doesn't send a
Content-Length header, so only enable it for big objects
}
# Don't cache 50x responses
if (beresp.status == 500 || beresp.status == 502 || beresp.status == 503
|| beresp.status == 504) {
return (abandon);
}
if (bereq.http.Cookie ~ "(UserID|_session)") {
#set beresp.http.X-Cacheable = "NO:Got Session";
set beresp.uncacheable = true;
return (deliver);
} elsif (beresp.ttl <= 0s) {
# Varnish determined the object was not cacheable
#set beresp.http.X-Cacheable = "NO:Not Cacheable";
} elsif (beresp.http.set-cookie) {
# You don't wish to cache content for logged in users
#set beresp.http.X-Cacheable = "NO:Set-Cookie";
set beresp.uncacheable = true;
return (deliver);
} elsif (beresp.http.Cache-Control ~ "private") {
# You are respecting the Cache-Control=private header from the
backend
#set beresp.http.X-Cacheable = "NO:Cache-Control=private";
set beresp.uncacheable = true;
return (deliver);
} else {
# Varnish determined the object was cacheable
#set beresp.http.X-Cacheable = "YES";
}
return(deliver);
}
sub vcl_deliver {
# Happens when we have all the pieces we need, and are about to send the
# response to the client.
#
# You can do accounting or modifying the final object here.
if (obj.hits > 0) { # Add debug header to see if it's a HIT/MISS and the
number of hits, disable when not needed
set resp.http.X-Cache = "HIT";
} else {
set resp.http.X-Cache = "MISS";
}
# Unset some headers
unset resp.http.Via;
unset resp.http.X-Varnish;
# Please note that obj.hits behaviour changed in 4.0, now it counts per
objecthead, not per object
# and obj.hits may not be reset in some cases where bans are in use. See
bug 1492 for details.
# So take hits with a grain of salt
set resp.http.X-Cache-Hits = obj.hits;
}
Regards,
Cris
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-misc/attachments/20190327/ad478e9f/attachment-0001.html>
More information about the varnish-misc
mailing list