hit-for-pass ignores Vary header

Jonathan Matthews contact at jpluscplusm.com
Fri Dec 5 00:23:08 CET 2014

Hello all -

I'm running with an (almost) vanilla default.vcl. My backends are
returning cacheable responses, with a single Vary: header - let's call
it X-Auth.

When a client requests an object which we already have cached, but
with a different value in its X-Auth header, I quite rightly see a
cache miss and a backend response.

If this response is a 401 with no cache-control header (as is entirely
valid in my setup), then this appears to force the previously cached
response to be inaccessible - even to requests with its original
X-Auth header set correctly.

What I believe is happening is that the resulting hit-for-pass object
that gets generated and cached seems to ignore the Vary header's
presence. All subsequent requests for that Host & URI combination get
hit-for-pass'ed, regardless of the previously valid object sitting in
the cache for the Host & URI & Vary-header-pointer combination.

More procedurally, I seem to be seeing this:

Client A:
  GET /resource
  Host: api
  X-Auth: Key1

  200 Here is some content #123
  Vary: X-Auth

  I'll cache "#123" with key(path:/resource & host:api & X-Auth:Key1)

Client B:
  GET /resource
  Host: api
  X-Auth: BadKey

  401 Wrong key, sorry
  Vary: X-Auth

  401 and non-cacheable content observed
  I'll create a hit-for-pass for key path:/resource & host:api

Client A:
  GET /resource
  Host: api
  X-Auth: Key1

  I have a hit-for-pass for path:/resource & host:api
  I won't check the cache for any matching content, but go straight to
  the backend


I'm wondering if there's a trick I'm missing to fix this behaviour?
I've generally found the stock default.vcl to do very sane things, so
I'm a little confused as to why this is the default behaviour.

I (believe) I can fix this by hard-coding the X-Auth header as a
component of the cache lookup key in vcl_hash(), but that would seem
to negate the entire point of using the Vary header!

[ I'm running 3.0.5 as it's the version shipped with the current
Ubuntu LTS, and am not looking to upgrade as part of fixing this.
Unless it turns out that my fix, above, doesn't work and there's no
other way to do so :-) ]

Many thanks for any help,
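
The workaround mentioned above (adding X-Auth to the lookup key in vcl_hash()) could look like this in Varnish 3.0 VCL. This is an added example, not part of the original post or of the stock default.vcl; X-Auth is the placeholder header name the post uses.

```vcl
# Added example for Varnish 3.0.x; X-Auth is the post's placeholder header name.
sub vcl_hash {
    # Mix the credential header into the hash so that each X-Auth value
    # gets its own cache entry. An uncacheable 401 for one value then
    # produces a hit-for-pass object under that value's hash only.
    if (req.http.X-Auth) {
        hash_data(req.http.X-Auth);
    }
    # No return here: Varnish appends the built-in vcl_hash, which
    # adds req.url and req.http.host (or server.ip) and returns (hash).
}
```

With the header in the hash, the backend's Vary: X-Auth no longer separates anything for this URL, which is the trade-off the post points out.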
