400 Bad Request and whitespace in headers
Geoff Simmons
geoff at uplex.de
Tue Jul 16 08:18:33 UTC 2024
On 7/16/24 03:15, Justin Lloyd wrote:
>
> I meant blocking them at the AWS WAF, before they even get to any of
> the web servers, i.e. less work for Varnish. I’d need to get the raw
> headers and I wasn’t having luck with that so far in the WAF CloudTrail
> logs, so I’ve opened up a support case about it, but I was hoping to
> possibly get some insight here, as well, since I don’t know whether the
> WAF support specialists will know much about using Varnish.
From what you've described, there were evidently requests with
whitespace in header field names, a violation of HTTP syntax. That
should be intelligible to WAF support, without any reference to Varnish
at all.
Why isn't a WAF rejecting requests like that by default?
The invalid header names, and also your previous Varnish log excerpt
showing "GET" followed by a nul byte, have the whiff of someone
attempting a request smuggling attack. But it could be just a
de-synchronized HTTP client. Either way, I would have expected a WAF to
filter such requests, without having to ask support.
And to agree with what Guillaume said, Varnish is not getting much
additional work when it rejects those requests. The one in your previous
example was probably taken care of in single-digit microseconds. It is
true that the client connection would be spared if the request hadn't
been forwarded at all. And it helps to use connections efficiently at a
heavily loaded site.
Best,
Geoff
--
** * * UPLEX - Nils Goroll Systemoptimierung
Scheffelstraße 32
22301 Hamburg
Tel +49 40 2880 5731
Mob +49 176 636 90917
Fax +49 40 42949753
http://uplex.de
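The two malformed requests discussed in this thread (whitespace in a header field name and a NUL byte glued to the method) are both rejected by the RFC 9112 grammar that any HTTP/1.1 front end must enforce. The following is an added example written for this page, not Varnish code and not an AWS WAF rule: a small request-head validator that applies those grammar checks and reports which one failed. The function and constant names are chosen for the example, and the four sample requests are constructed, not captured traffic.

```python
"""Validate the head of an HTTP/1.1 request against the RFC 9112 grammar.

Added example for this thread, not Varnish code and not a WAF rule. It
shows the checks a front-end proxy applies to reject the two kinds of
request mentioned above: whitespace in (or right after) a header field
name, and a NUL byte glued to the method. All sample requests are
constructed for the example.
"""
import string

# RFC 9110 section 5.6.2: tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
#   / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.digits + string.ascii_letters)


def is_token(s: str) -> bool:
    """A token is one or more tchar; SP, HTAB, NUL, ':' etc. are not tchar."""
    return len(s) > 0 and all(c in TCHAR for c in s)


def validate_request_head(raw: bytes) -> list[str]:
    """Return the list of syntax violations in a request head (empty == OK).

    `raw` is the request line plus header lines up to and including the
    empty line that ends the head. It is decoded as ISO-8859-1 so every
    byte value, NUL included, maps to exactly one character.
    """
    problems: list[str] = []
    text = raw.decode("latin-1")
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        problems.append("head not terminated by CRLF CRLF")
    lines = head.split("\r\n")

    # request-line = method SP request-target SP HTTP-version (RFC 9112 s.3)
    request_line = lines[0]
    parts = request_line.split(" ")
    if len(parts) != 3:
        problems.append(f"request line has {len(parts)} fields, expected 3: {request_line!r}")
    else:
        method, target, version = parts
        if not is_token(method):  # catches "GET\x00"
            problems.append(f"method is not a token: {method!r}")
        if not target or any(c in target for c in "\t\x00"):
            problems.append(f"bad request-target: {target!r}")
        if not (version.startswith("HTTP/") and len(version) == 8
                and version[5].isdigit() and version[6] == "." and version[7].isdigit()):
            problems.append(f"bad HTTP-version: {version!r}")

    # field-line = field-name ":" OWS field-value OWS (RFC 9112 s.5)
    for lineno, line in enumerate(lines[1:], start=2):
        if line[:1] in (" ", "\t"):
            # obs-fold (line folding) is deprecated; RFC 9112 s.5.2 says reject it
            problems.append(f"line {lineno}: obsolete line folding")
            continue
        name, colon, value = line.partition(":")
        if not colon:
            problems.append(f"line {lineno}: no ':' in header line {line!r}")
            continue
        if name != name.rstrip(" \t"):
            # RFC 9112 s.5.1: a server MUST reject, with 400 Bad Request, a
            # request with whitespace between the field name and the colon
            problems.append(f"line {lineno}: whitespace between field name and colon: {name!r}")
        elif not is_token(name):
            problems.append(f"line {lineno}: field name is not a token: {name!r}")
        if any(c in value for c in "\x00\r\n"):
            problems.append(f"line {lineno}: CTL byte in field value")
    return problems


# Constructed sample requests for the example (not captured traffic).
GOOD = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: x\r\n\r\n"
SPACE_BEFORE_COLON = b"GET / HTTP/1.1\r\nHost : example.com\r\n\r\n"
SPACE_IN_NAME = b"GET / HTTP/1.1\r\nX Forwarded-For: 10.0.0.1\r\n\r\n"
NUL_AFTER_METHOD = b"GET\x00 / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("space-before-colon", SPACE_BEFORE_COLON),
                       ("space-in-name", SPACE_IN_NAME), ("nul-after-method", NUL_AFTER_METHOD)]:
        print(f"{label}: {validate_request_head(req) or 'OK'}")
```

Any non-empty result maps to a 400 Bad Request before the request is forwarded; the request-line and field-name checks are exactly the ones a filtering layer in front of Varnish can apply without needing to understand anything Varnish-specific, since they come straight from the HTTP grammar.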