How to send only whitelisted http headers to backend?

Geoff Simmons geoff at uplex.de
Wed Oct 16 16:06:38 UTC 2019


On 10/15/19 16:21, Jeff Potter wrote:
> 
> This seems like an easy task, but I haven’t been able to figure out
> how to do it or find any posts online. Is there a way to only send
> certain headers to a backend?
> 
> I.e. in our application, we know we only need X-Forwarded-For and
> Cookie headers. I know I can unset other known headers (User-Agent, etc)
> — but how can I unset *all* other headers?

VMOD re2 has the .hdr_filter() method for the set object:

https://code.uplex.de/uplex-varnish/libvmod-re2

https://code.uplex.de/uplex-varnish/libvmod-re2/blob/master/README.rst#L1775

VOID myset.hdr_filter(HTTP, BOOL whitelist)

The HTTP parameter can be one of req, resp, bereq or beresp. If the
whitelist parameter is true (default true), then only matching headers
are retained. Otherwise it's a blacklist -- matching headers are removed.

So for your use case:

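import re2;

sub vcl_init {
	# Patterns are anchored at the start of each header and match
	# case-insensitively.
	new whitelist = re2.set(anchor=start, case_sensitive=false);
	whitelist.add("X-Forwarded-For:");
	whitelist.add("Cookie:");
	whitelist.add("Host:");
	whitelist.compile();
}

sub vcl_backend_fetch {
	# Keep only the backend request headers that match the set.
	whitelist.hdr_filter(bereq);
}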

I took the liberty of adding the Host header to your whitelist, since
it's required since HTTP/1.1. Even if your backends "happen" to work
without it, I wouldn't leave it out, since it's not well-formed HTTP
otherwise (might stop working, for example, if the backend apps are
upgraded).


HTH,
Geoff
-- 
** * * UPLEX - Nils Goroll Systemoptimierung

Scheffelstraße 32
22301 Hamburg

Tel +49 40 2880 5731
Mob +49 176 636 90917
Fax +49 40 42949753

http://uplex.de
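
The following is an added example, not part of the message above and not code from VMOD re2: a small Python model of the filter, with Python's `re` standing in for RE2, showing why the patterns end in a colon and why the set uses anchor=start and case_sensitive=false. It assumes each header is matched as one "Name: value" string; the function name, its keyword arguments and the sample headers are constructed for illustration.

```python
import re

def hdr_filter(headers, patterns, whitelist=True, anchor_start=True,
               case_sensitive=False):
    """Model of set.hdr_filter(): keep (whitelist) or drop (blacklist) every
    header line that matches at least one pattern in the set."""
    flags = 0 if case_sensitive else re.IGNORECASE
    compiled = [re.compile(p, flags) for p in patterns]

    def in_set(line):
        # anchor=start: a pattern may only match at the beginning of the line
        if anchor_start:
            return any(rx.match(line) for rx in compiled)
        return any(rx.search(line) for rx in compiled)

    return [h for h in headers if in_set(h) == whitelist]

# Constructed backend request headers (sample data, not from the thread).
BEREQ = [
    "Host: app.example.com",
    "x-forwarded-for: 203.0.113.7",          # lower-case name, e.g. from HTTP/2
    "Cookie: session=abc123",
    "User-Agent: curl/8.0",
    "Cookie2: $Version=1",
    "X-Forwarded-For-Debug: 1",
    "X-Note: Cookie: not-a-cookie-header",
]

STRICT = ["X-Forwarded-For:", "Cookie:", "Host:"]  # patterns from the VCL above
NO_COLON = ["X-Forwarded-For", "Cookie", "Host"]   # same names, colon dropped

def names(headers):
    """Return just the header names, for compact comparison."""
    return [h.split(":", 1)[0] for h in headers]

if __name__ == "__main__":
    print("as posted:      ", names(hdr_filter(BEREQ, STRICT)))
    print("no colon:       ", names(hdr_filter(BEREQ, NO_COLON)))
    print("unanchored:     ", names(hdr_filter(BEREQ, STRICT, anchor_start=False)))
    print("case-sensitive: ", names(hdr_filter(BEREQ, STRICT, case_sensitive=True)))
    print("blacklist mode: ", names(hdr_filter(BEREQ, STRICT, whitelist=False)))
```

Only the configuration as posted keeps exactly the three intended headers: without the colon, prefix look-alikes such as Cookie2 pass; without the anchor, a header whose value contains "Cookie:" passes; and with case-sensitive matching the lower-case x-forwarded-for is dropped.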
