Session issues when using Varnish

David Helkowski dhelkowski at
Wed Mar 16 19:51:35 CET 2011

The vcl you are showing may be standard, but as you have noticed it will 
not work properly when
query strings end in a file extension. I encountered this same problem 
after blindly copying from
example varnish configurations.
Before the check is done, the query parameter needs to be stripped from 
the url.
Example of an alternate way to check the extensions:

sub vcl_recv {
     set req.http.ext = regsub( req.url, "\?.+$", "" );
     set req.http.ext = regsub( req.http.ext, ".+\.([a-zA-Z]+)$", "\1" );
     if( req.http.ext ~ 
"^(js|gif|jpg|jpeg|png|ico|css|html|ehtml|shtml|swf)$" ) {

Doubtless others will say this approach is wrong for some reason or 
another. I use it in a production
environment and it works fine though. Pass it along to your hosting 
provider and request that they
consider changing their config.

Note that the above code will cause the end user to receive a 'ext' 
header with the file extension.
You can add a 'remove req.http.ext' after the code if you don't want 
that to happen...

Another thing to consider is that whether it this is a bug or not; it is 
a common problem with varnish
configurations, and as such can be used on most varnish servers to force 
them to return things
differently then they normally would. IE: if some backend script is a 
huge request and eats up resources, sending
it a '?.jpg' could be used to hit it repeatedly and bring about a denial 
of service.

On 3/16/2011 11:55 AM, Chris Bloom wrote:
> Thank you, Bjorn, for your response.
> Our hosting provider tells me that the following routines have been 
> added to the default config.
> sub vcl_recv {
>   # Cache things with these extensions
>   if (req.url ~ 
> "\.(js|css|JPG|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|swf)$") {
>     unset req.http.cookie;
>     return (lookup);
>   }
> }
> sub vcl_fetch {
>   # Cache things with these extensions
>   if (req.url ~ 
> "\.(js|css|JPG|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|swf)$") {
>     unset req.http.set-cookie;
>     set obj.ttl = 1h;
>   }
> }
> Clearly the req.url variable contains the entire request URL, 
> including the querystring. Is there another variable that I should be 
> using instead that would only include the script name? If this is the 
> default behavior, I'm inclined to cry "bug".
> You can test that other script for yourself by substituting 
> <> for the domain in the 
> example URLs I provided.
> PS: We are using Varnish 2.0.6
> _______________________________________________
> varnish-misc mailing list
> varnish-misc at

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the varnish-misc mailing list