Bug in 1.1.2: Multiple headers stripped (oops)

Poul-Henning Kamp phk at phk.freebsd.dk
Tue Aug 19 21:37:11 CEST 2008

Hi Adrian,

Good catch.

I created a ticket (#292, now closed) for this because we number
our regression tests by ticket number.

Fixed in #3110.


>I found the reason why I hit this bug, but I need some tips to  
>understand how to debug what's happening in the VCL code. First, I'll  
>explain the bug:
>1) My default.vcl is configured to strip the Cookie header in  
>vcl_recv like this:
>sub vcl_recv {
>         if(req.http.Cookie) {
>                 remove req.http.Cookie;
>                 lookup;
>         }
>2) The Connection header sent from the client browser specified that  
>the "TE" header should be stripped, and was so marked in position 13  
>of http_DoConnection::hp->hdf, indicating that header at index 13  
>should be skipped when headers are copied into the backend request.
>3) The VCL code ran to strip the cookie header, removed it, and  
>shifted the other elements in the array UP one position. The Host  
>header followed TE at position/index 14, and became position/index 13.
>4) The code for copying/morphing the client request to the backend  
>ran, and skipped position/index 13, which was the Host header.
>5) Varnish kindly noticed that there was no Host header present in  
>the backend connection, and added one of it's own using the IP  
>address of the backend server as the content of that header.
>6) The incorrect document was fetched for the backend because the  
>Host header was not correct.
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

More information about the varnish-dev mailing list