400 Bad Request and whitespace in headers
Justin Lloyd
justinl at arena.net
Tue Jul 16 01:15:47 UTC 2024
Hi Guillaume,
I meant blocking them at the AWS WAF, before they even get to any of the web servers, i.e. less work for Varnish. I’d need to get the raw headers and I wasn’t having luck with that so far in the WAF CloudTrail logs, so I’ve opened up a support case about it, but I was hoping to possibly get some insight here, as well, since I don’t know whether the WAF support specialists will know much about using Varnish.
Thanks,
Justin
From: Guillaume Quintard <guillaume.quintard at gmail.com>
Sent: Monday, July 15, 2024 6:07 PM
To: Justin Lloyd <justinl at arena.net>
Cc: varnish-misc at varnish-cache.org
Subject: Re: 400 Bad Request and whitespace in headers
Hi Justin!
What do you mean by "blocking" those requests? As you can see from the logs, they don't even reach vcl_recv before they are thrown out, so they are technically already being rejected.
Kind regards,
--
Guillaume Quintard
On Mon, Jul 15, 2024 at 9:44 AM Justin Lloyd <justinl at arena.net> wrote:
Hi all,
I’m trying to figure out what the requests are that are resulting in the following Varnish responses and how to block them:
* << Request >> 39071654
- Begin req 39071653 rxreq
- Timestamp Start: 1721059686.537197 0.000000 0.000000
- Timestamp Req: 1721059686.537197 0.000000 0.000000
- BogoHeader Illegal char 0x20 in header name
- HttpGarbage "GET%00"
- RespProtocol HTTP/1.1
- RespStatus 400
- RespReason Bad Request
- ReqAcct 535 0 535 28 0 28
- End
These are on AWS EC2 instances that are behind an Application Load Balancer (ALB) that is connected to a Web Application Firewall (WAF), so in theory I should be able to figure out a rule to add to the WAF to block these. I’d just need to get more information to do so, and AWS support could probably help, but I wanted to check here first if there’s any way to get further information about such requests out of Varnish.
FWIW, the 0x20 is a space character, but there are also similar requests reporting 0x09 (horizontal tab) characters.
Thanks,
Justin
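Added example, not part of the original thread or of Varnish itself: a small Python parser for varnishlog text in the format quoted above. It collects each transaction that logged a BogoHeader record and converts its Start timestamp to UTC, so the rejected requests can be compared against timestamps in load balancer or WAF logs. The function name and the second sample transaction are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Sample input: the first transaction is the one quoted in the thread; the
# second is constructed to cover the 0x09 (horizontal tab) case it mentions.
SAMPLE = """\
* << Request >> 39071654
- Begin req 39071653 rxreq
- Timestamp Start: 1721059686.537197 0.000000 0.000000
- BogoHeader Illegal char 0x20 in header name
- HttpGarbage "GET%00"
- RespStatus 400
- End
* << Request >> 39071700
- Timestamp Start: 1721059690.000000 0.000000 0.000000
- BogoHeader Illegal char 0x09 in header name
- RespStatus 400
- End
"""

HEAD = re.compile(r"^\*+\s+<<\s*(\w+)\s*>>\s+(\d+)")    # transaction header
RECORD = re.compile(r"^-+\s+(\w+)\s*(.*)$")             # "- Tag value"
BOGO = re.compile(r"Illegal char (0x[0-9a-fA-F]{2}) in header name")

def rejected_requests(text):
    """Return one dict per transaction that logged a BogoHeader record."""
    out, cur = [], None
    for line in text.splitlines():
        if m := HEAD.match(line):
            cur = {"vxid": int(m.group(2)), "char": None, "start": None,
                   "garbage": None, "status": None}
        elif cur is not None and (m := RECORD.match(line)):
            tag, val = m.group(1), m.group(2).strip()
            if tag == "BogoHeader" and (b := BOGO.search(val)):
                cur["char"] = int(b.group(1), 16)
            elif tag == "Timestamp" and val.startswith("Start:"):
                epoch = float(val.split()[1])   # first number is epoch seconds
                cur["start"] = datetime.fromtimestamp(epoch, timezone.utc)
            elif tag == "HttpGarbage":
                cur["garbage"] = val.strip('"')
            elif tag == "RespStatus":
                cur["status"] = int(val)
            elif tag == "End":
                if cur["char"] is not None:     # keep only BogoHeader rejects
                    out.append(cur)
                cur = None
    return out

if __name__ == "__main__":
    for r in rejected_requests(SAMPLE):
        print(r["start"].isoformat(), r["vxid"], hex(r["char"]), r["garbage"])
```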