How to send only whitelisted http headers to backend?

Dridi Boukelmoune dridi at varni.sh
Wed Oct 16 17:36:56 UTC 2019


On Wed, Oct 16, 2019 at 4:08 PM Geoff Simmons <geoff at uplex.de> wrote:
>
> On 10/15/19 16:21, Jeff Potter wrote:
> >
> > This seems like an easy task, but I haven’t been able to figure out
> > how to do it or find any posts online. Is there a way to only send
> > certain headers to a backend?
> >
> > I.e. in our application, we know we only need X-Forwarded-For and
> > Cookie headers. I know I can unset other known headers (User-Agent, etc)
> > — but how can I unset *all* other headers?
>
> VMOD re2 has the .hdr_filter() method for the set object:
>
> https://code.uplex.de/uplex-varnish/libvmod-re2
>
> https://code.uplex.de/uplex-varnish/libvmod-re2/blob/master/README.rst#L1775
>
> VOID myset.hdr_filter(HTTP, BOOL whitelist)
>
> The HTTP parameter can be one of req, resp, bereq or beresp. If the
> whitelist parameter is true (default true), then only matching headers
> are retained. Otherwise it's a blacklist -- matching headers are removed.
>
> So for your use case:
>
> sub vcl_init {
>         new whitelist = re2.set(anchor=start, case_sensitive=false);
>         whitelist.add("X-Forwarded-For:");
>         whitelist.add("Cookie:");
>         whitelist.add("Host:");
>         whitelist.compile();
> }
>
> sub vcl_backend_fetch {
>         whitelist.hdr_filter(bereq);
> }

TIL, thanks!

> I took the liberty of adding the Host header to your whitelist, since
> it's required since HTTP/1.1. Even if your backends "happen" to work
> without it, I wouldn't leave it out, since it's not well-formed HTTP
> otherwise (might stop working, for example, if the backend apps are
> upgraded).

Agreed, there are other control headers that one may want to keep in
the whitelist, otherwise you may break conditional or partial requests,
and everything else I don't remember off the top of my head.


Dridi
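The filter behaviour discussed in this thread, as an added example that is not part of the original messages or of the VMOD's code: a small Python model showing why each set entry ends in a colon when `anchor=start` is used, and which conditional and range headers the three-entry list drops. It assumes patterns are matched against the full `Name: value` header line, uses Python's `re` as a stand-in for RE2, and the request headers and the extended list are constructed for illustration.

```python
import re

def hdr_filter(headers, patterns, whitelist=True):
    """Model of an anchor=start, case-insensitive set filter over header lines.

    Assumption: each pattern is tried against the whole "Name: value" line.
    Returns the names of the headers that survive the filter, in order.
    """
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    kept = []
    for name, value in headers:
        line = f"{name}: {value}"
        # re.match() only matches at the start of the line (anchor=start).
        matched = any(rx.match(line) for rx in compiled)
        if matched == whitelist:
            kept.append(name)
    return kept

# Constructed backend request: a conditional range request plus extra headers.
BEREQ = [
    ("Host", "www.example.com"),
    ("X-Forwarded-For", "192.0.2.10"),
    ("X-Forwarded-For-Debug", "1"),
    ("Cookie", "session=abc"),
    ("Cookie2", "$Version=1"),
    ("User-Agent", "curl/7.66.0"),
    ("If-None-Match", '"v1"'),
    ("If-Modified-Since", "Tue, 15 Oct 2019 12:00:00 GMT"),
    ("Range", "bytes=0-1023"),
    ("If-Range", '"v1"'),
]

THREAD = ["X-Forwarded-For:", "Cookie:", "Host:"]   # the list from the thread
NO_COLON = ["X-Forwarded-For", "Cookie", "Host"]    # same names, colon omitted
# Illustrative extension covering conditional and partial requests.
EXTENDED = THREAD + ["If-None-Match:", "If-Modified-Since:", "Range:", "If-Range:"]

def dropped(patterns):
    """Names of the headers in BEREQ that the allowlist removes."""
    kept = set(hdr_filter(BEREQ, patterns))
    return [name for name, _ in BEREQ if name not in kept]

if __name__ == "__main__":
    for label, pats in [("thread", THREAD), ("no colon", NO_COLON), ("extended", EXTENDED)]:
        print(f"{label:9} kept={hdr_filter(BEREQ, pats)}")
        print(f"{'':9} dropped={dropped(pats)}")
```

Without the trailing colon the anchored match is a prefix match on the header name, so `X-Forwarded-For-Debug` and `Cookie2` pass the allowlist.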

