Make Varnish ignore requests with Cookie header

Question

Varnish default behaviour is to never lookup for requests containing a Cookie header. In other words, a request containing a Cookie header will never be cached. I need to override this behaviour to just ignore requests with a Cookie header.

Consider the next user behaviour in my application:

User enters application home page (/), page should be cached, backend returns a public cache-control, everything is fine, page gets cached by Varnish.
User navigates to a custom page (/not-cacheable) which is not cacheable, backend returns a private cache-control. Also returns a Set-Cookie header in the response. Varnish ignores this request and the user ends up with a cookie. So far so good.
User navigates back to the home page (/), which, remember, is already cached. Problem is, the user request now carries a Cookie header. This causes Varnish to ignore the request and delegate to the backend.

Deleting the Cookie won't work because when the user returns to the /not-cacheable route, he won't see his personalized page, as the Cookie header has been striped out. Instead, the backend returns a newly generated session with a new id in the Set-Cookie.

Also, having every Cookie request to lookup in Varnish caused every request, regarding the method, or the backend response, to be cached.

If there was some way of telling Varnish to just ignore the Cookie header, this way I could cache requests with that header, by letting the backend decide if the request should be cacheable or not.

Any ideas?

score 1 · Accepted Answer · answered Apr 18 '14 at 18:53

Just for the record, I finally came up with a VCL script that solves this problem using custom headers and restarting the request:

backend default
{
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv
{
    if(req.http.X-Force-Backend)
    {
        return(pass);
    }

    if(req.http.Cookie && req.request ~ "(GET|HEAD)")
    {
        set req.http.X-Cookie = req.http.Cookie;
        remove req.http.Cookie;

        return(lookup);
    }
}

sub vcl_deliver
{
    if(resp.http.Cache-control ~ "(private|no-cache|no-store)" 
        && !req.http.X-Force-Backend
        && req.request ~ "(GET|HEAD)"
    )
    {
        set req.http.X-Force-Backend = "YES";
        set req.http.Cookie = req.http.X-Cookie;

        remove req.http.X-Cookie;

        return(restart);
    }
}

As you can see, by always deleting the Cookie header and restarting the request when we have a non-cacheable response from the backend, we can achieve the desired effect. I don't know about possible performance drawbacks, but I'm using it in production and it works quite well.

I also wrote a blog post about this specific problem, if anyone is using Symfony and Varnish aswell, it might be interesting: http://albertofem.com/post/symfony-varnish-and-http-practical-considerations.html

I have implemented this with a similar method, but instead of adding the cookies back in vcl_deliver and restarting the request, I simply add the cookies back in on vcl_miss and vcl_pass, before it's passed to the backend. — sorohan, Jun 27 '14 at 04:27

Mohammad AbuShady · Answer 2 · 2014-04-09T23:54:32.740

-1

I think removing the cookie header in the vcl_recv should do the trick, here's something I've used on my wordpress to ignore front end but not backend, you can easily remove the if condition to make it over the whole server

sub vcl_recv {
  if (req.url !~ "^/wp-"){
    unset req.http.cookie;
  }
}

edited Apr 09 '14 at 23:54

answered Apr 09 '14 at 23:12

Mohammad AbuShady

40,884
11
78
89

I already tried this, but the effect is that no `Cookie` header is passed to the backend, thus the backend acts like it's a new request and generate a new session. – Alberto Fernández Apr 10 '14 at 09:58
only in the frontend, the backend would function normally – Mohammad AbuShady Apr 10 '14 at 10:02
does your app generate cookies for the frontend too ? – Mohammad AbuShady Apr 10 '14 at 10:03
Yes, because I have an special view that needs cookies in order to remember user settings. I mean, what I need is a method for Varnish to *ignore* cookies, acting as if the wouldn't exist, but leaving the header passed to the backend intact.. The `unset` method just removes the header, it's just gone when the backend receives the request. – Alberto Fernández Apr 10 '14 at 14:10
you could try returning `lookup` when cookie is present like in the 3rd example https://www.varnish-cache.org/trac/wiki/VCLExampleCacheCookies – Mohammad AbuShady Apr 10 '14 at 14:18
I already tried that. Doing that caused Varnish to cache every request with a `Cookie` in the header, regardless of the backend response. – Alberto Fernández Apr 10 '14 at 15:19
do you remove the `set-cookie` response in the `vcl_fetch` ? – Mohammad AbuShady Apr 10 '14 at 15:20
Nope. Why should I? The responses with `Set-Cookie`s are those I don't want to be cached. – Alberto Fernández Apr 10 '14 at 16:15
the thing is I think the response it self with `set-cookie` gets cached, so any random user visits that cached page will get the cookie of the person who got his request cached. – Mohammad AbuShady Apr 10 '14 at 16:24
Yes, of course, if you explicitly call `return(lookup)`, Varnish will cache whatever the response it from the backend. I sent a `Cache-control: private` response, and got cached anyway. – Alberto Fernández Apr 10 '14 at 16:31

Make Varnish ignore requests with Cookie header

2 Answers2