How to send only whitelisted http headers to backend?

Geoff Simmons geoff at
Wed Oct 16 16:06:38 UTC 2019

On 10/15/19 16:21, Jeff Potter wrote:
> This seems like an easy task, but I haven’t been able to figure out
> how to do it or find any posts online. Is there a way to only send
> certain headers to a backend?
> I.e. in our application, we know we only need X-Forwarded-For and
> Cookie headers. I know I can unset other known headers (User-Agent, etc)
> — but how can I unset *all* other headers?

VMOD re2 has the .hdr_filter() method for the set object:

VOID myset.hdr_filter(HTTP, BOOL whitelist)

The HTTP parameter can be one of req, resp, bereq or beresp. If the
whitelist parameter is true (default true), then only matching headers
are retained. Otherwise it's a blacklist -- matching headers are removed.

So for your use case:

sub vcl_init {
	new whitelist = re2.set(anchor=start, case_sensitive=false);

sub vcl_backend_fetch {

I took the liberty of adding the Host header to your whitelist, since
it's required since HTTP/1.1. Even if your backends "happen" to work
without it, I wouldn't leave it out, since it's not well-formed HTTP
otherwise (might stop working, for example, if the backend apps are

** * * UPLEX - Nils Goroll Systemoptimierung

Scheffelstraße 32
22301 Hamburg

Tel +49 40 2880 5731
Mob +49 176 636 90917
Fax +49 40 42949753

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the varnish-misc mailing list