Changes in Varnish-Cache 7.7¶
For information about updating your current Varnish deployment to the new version, see Upgrading to Varnish-Cache 7.7.
NOTE: In this Varnish-Cache release, we changed how timestamps are taken for the http2 protocol, which could look like a performance regression, but is not. See http2 related timestamps.
A more detailed and technical account of changes in Varnish-Cache, with links to issues that have been fixed and pull requests that have been merged, may be found in the change log.
Security¶
VSV 15:¶
The client connection is now always closed when a malformed request is received.
varnishd¶
Parameters¶
The bitfield parameters debug, experimental, feature,
vcc_feature and vsl_mask now consistently support the special values
all and none. The output format of varnishadm param.show has been
adjusted to always output the parameter value relative to either all or
none in a format which would also be accepted by varnishadm param.set
and the varnishd -p option.
The new http_req_overflow_status parameter now allows to optionally send a
response with a status between 400 and 499 (inclusive) if a request
exceeds http_req_size. The default of 0 keeps the existing behavior
to just close the connection in this case.
The new ban_any_variant parameter allows to configure the maximum number
of possibly non matching variants evaluated against the ban list during
lookup. The default value of 10000 avoids excessive time spent for ban checks
during lookups, which could cause noticeable delays for cases with a very high
number of bans and/or variants (in the 1000s).
Setting ban_any_variant to 0 changes the behavior of the lookup-time
ban check to only consider matching objects for tests against the ban list,
which can be considered a bugfix, depending on the exact interpretation of the
semantics of ban expressions with regards to variants. 0 will become the
new default in a future release of Varnish-Cache.
The varnishd parameters max_restarts and max_retries have been
made more consistent, which prevents a potential panic that could be
triggered when reducing the value of max_restarts under certain
conditions.
Jails¶
The linux jail gained control of transparent huge pages (THP) settings: The
transparent_hugepage suboption can be set to ignore to do nothing,
enable to enable THP (actually, disable the disable), disable to disable
THP or try-disable to try do disable, but not emit an error if disabling
fails. try-disable is the default.
Error handling from the jail subsystem has been streamlined to avoid some confusing and/or contradictory error messages as well as turn assertion failures into error messages.
Other changes in varnishd¶
An issue has been fixed which could cause a crash when varnishd receives
an invalid Content-Range header from a backend.
The management process now logs the PID of the process from which it received a signal.
Changes to VCL¶
VCL variables¶
Two new VCL variables req.filters and bereq.filters can now be used to
pass request bodies through a list of VFPs and backend request bodies through a
list of VDPs respectively. This can be useful for processing or transforming
request bodies as they go through varnish. See VCL-Variables for more
details.
VCL now supports unset req.grace and unset req.ttl to reset the
respective variables to the “no effect” value, which is also the default.
The scope of VCL variables req.is_hitmiss and req.is_hitpass is now
restricted to vcl_miss, vcl_deliver, vcl_pass, vcl_synth and vcl_pass,
vcl_deliver, vcl_synth, respectively.
The Content-Length header is now consistently removed after unset
bereq.body on the backend side.
req.hash is now also readable from vcl_synth and vcl_pipe.
Other changes to VCL¶
Behavior of the VCL include statement with the +glob option has been
clarified to not search directories in vcl_path. Using +glob includes
with a relative path that does not start with “./” will now result in a VCL
compile failure.
Validation of the PROXY2 PP2_TYPE_AUTHORITY TLV sent with .via
backends has been corrected: IP addresses are no longer accepted as an
authority and port numbers are automatically removed.
return (fail(...)) can now take strings returned from a vmod.
varnishadm¶
The CLI command
backend.list -jnow outputs IPs/port information.
Generic Logging (VSL)¶
affecting varnishlog, varnishncsa and varnishtop:
http2 logging¶
For http/2, normal client behavior like timeouts or closed connection was logged
with a SessError tag and ENHANCE_YOUR_CALM in additional Debug log
records. This behavior was misleading and has been corrected.
http/2 error detail reporting in Debug log records has been clarified:
Connection errors are now prefixed with H2CE_, and stream errors with
H2SE_, respectively.
http/2 BogoHeader log records now contain the first offending byte value in
hex.
Interactive mode in varnishstat, varnishtop and varnishhist¶
Handling of curses errors in the interactive mode of varnishstat,
varnishtop and varnishhist has been streamlined and one wrong assertion
has been fixed, which could cause a crash with certain terminal types as set
through the TERM environment variable.
varnishncsa¶
The hitmiss and hitpass handling indicators have been added to the
Varnish:handling format of varnishncsa.
varnishncsa now handles headers unset and changed from VCL more
consistently: request headers are logged as they were received from the client
and as they were sent to the backend, while response headers are logged as they
were sent to the client and as they were received from the backend.
varnishstat¶
Pressing the 0 key in varnishstat interactive (curses) mode now resets
averages.
The backend happy VSC bitfield is now set to all ones for backends with no
configured probe.
varnishtest¶
varnishtest can now send arbitrary http/2 settings frames and arbitrary
PROXY2 tlvs.
varnishtest has been changed to always set a VARNISH_DEFAULT_N
environment variable to ensure that varnish invoked from varnishtest
always has a valid workdir.