
I am trying to set the max request header size to 16KB in the varnishd command. Here is what the varnishd command looks like:

/usr/sbin/varnishd \
        -P /var/run/varnish.pid \
        -f $VARNISH_VCL_CONF \
        -a ${VARNISH_LISTEN_ADDRESS}:${VARNISH_LISTEN_PORT} \
        -T ${VARNISH_ADMIN_LISTEN_ADDRESS}:${VARNISH_ADMIN_LISTEN_PORT} \
        -p http_req_hdr_len=16384 \
        -p http_resp_hdr_len=16384 \
        -t $VARNISH_TTL \
        -S $VARNISH_SECRET_FILE \
        -s $VARNISH_STORAGE

With the above configuration, when I try to execute a request with a header size of more than 8KB, Varnish doesn't accept the request. I have put LOG statements in the vcl_recv method, but nothing appears in varnishlog for these requests. I am sure these parameters (http_req_hdr_len) work, because when I set them to a minimum level (say 40 bytes), Varnish does not accept normal requests (e.g. requests with a header size of around 2KB).

Adding the list of headers as requested:

Vivek

2 Answers


Header sizes

There are 5 parameters that you can tune to influence the size and length of request & response headers:

  • http_max_hdr: the maximum number of headers an HTTP request or response may contain. The default value is 64
  • http_req_hdr_len: the maximum size of an individual request header. By default this is 8KB
  • http_req_size: the maximum total size of the HTTP request. This defaults to 32 KB
  • http_resp_hdr_len: the maximum size of an individual response header. By default this is 8KB
  • http_resp_size: the maximum total size of the HTTP response headers. This defaults to 32 KB

So not only do you have to set the maximum size of individual request & response headers, but also the total size the request & response headers consume. Also keep in mind that the amount of headers is limited to 64 (by default).

Workspace settings

There is another limiting factor in play: the maximum amount of memory you can consume in a single request/response.

  • workspace_client: memory allocation for HTTP request handling. The default value is 64KB in total
  • workspace_backend: memory allocation for backend processing. The default value is 64KB in total

If the requests and responses coming in have more than 64KB of headers in total, the workspace limits are going to kick in. So you need to tune these values as well.

Testing your long cookie use case

After having tested your long cookie use case, I came to the conclusion that Varnish handles this well if http_req_hdr_len is increased to 16k.

Here's the cookie value I used for the request:


Without the http_req_hdr_len upgrade, I got the same HTTP/400 error you received. After the upgrade I experienced an HTTP/431 Request Header Fields Too Large error.

I assumed there was another setting that needed to be tuned, but I came to the conclusion that this HTTP/431 error came from my backend server, and not from Varnish.

I then created the following VCL snippet to perform a synthetic response which would display the cookie:

vcl 4.1;

backend default none;

sub vcl_recv {
    return(synth(200));
}

sub vcl_synth {
    set resp.http.Content-Type = "text/plain";
    set resp.body = req.http.Cookie;
    set resp.reason = "OK";
    return(deliver);
}

It turned out that the complete cookie was displayed by the synth, which allows me to conclude that setting http_req_hdr_len to a high enough value will solve the problem.

Thijs Feryn
  • I don't think my requests are exceeding any of these parameters. Meaning, if I set the http_req_hdr_len=16384 and http_resp_hdr_len=16384 and hit the API with header size of around 9KB, varnish blocks the request and nothing appears in the varnishlog. Is there any way I can check the blocked requests in varnish? – Vivek Mar 08 '21 at 06:04
  • Just run `varnishlog -g request -q "ReqUrl eq '/'"` and replace `/` with the actual URI of the blocked page. Add the output to your question and I'll examine what's going on. – Thijs Feryn Mar 08 '21 at 07:48
  • As instructed, I executed this command 'varnishlog -g request -q "ReqUrl ~ '/bsro/services/store/pricing-details'"' since there were dynamic parameters in the query string. I got *400 Bad request* in the browser and I got nothing in the varnishlog. I checked the size of the request: it was around 9KB and the header size was around 8KB. Then, I removed one of the large cookies from the browser and executed the same request. This time I got the response (200) in the browser and also got the output for the above varnishlog command. I am adding the same to the question. – Vivek Mar 08 '21 at 08:48
  • As per this SO answer, Varnish discards the requests with large Cookie headers, so vcl_recv won't be executed at all. But as mentioned in the linked answer, I did set those parameters in the varnishd command. Not sure what the issue is. https://stackoverflow.com/questions/58654385/how-to-ignore-big-cookies-in-varnish – Vivek Mar 08 '21 at 10:28
  • @Vivek Can you add the exact `Cookie` header that is causing these failures to your SO question? I'll run it on my own Varnish stack and see how I can tune the settings to make it work. – Thijs Feryn Mar 08 '21 at 11:07
  • I don't think any specific cookie is responsible for the failures. I mean there are multiple ways to increase the header size but in my case cookies are responsible for increasing the header size. I added the headers from one of the blocked requests to the question. heavy-cookie and ippo-ab.d are the main (big) cookies in my request. – Vivek Mar 08 '21 at 11:58
  • @Vivek I added something to my answer, based on some tests I performed. – Thijs Feryn Mar 08 '21 at 14:06
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/229654/discussion-between-vivek-and-thijs-feryn). – Vivek Mar 08 '21 at 14:58
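The answer above lists the limits Varnish applies before a request ever reaches vcl_recv. As an added example (not code from the question or the answer), the following checker models http_max_hdr, http_req_hdr_len and http_req_size and reports which one a given request head would trip; it builds a request shaped like the one in the question (a single oversized Cookie header with a constructed value, and a placeholder Host). If it reports nothing and the request still gets a 400 without appearing in varnishlog, the rejection is happening in front of Varnish, which is what the accepted solution found with HAProxy. The per-line measurement (name, colon and value) is an assumption about how the limit is applied.

```python
"""Pre-flight check of a request head against the Varnish limits named in the answer.

Constructed example, not code from the original question or answer: it models
http_max_hdr, http_req_hdr_len and http_req_size and reports which limit a
request would trip. An empty result for a request that still gets HTTP 400
and never shows up in varnishlog points at a hop in front of Varnish.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class VarnishLimits:
    # Defaults as stated in the answer (the varnishd -p parameter names).
    http_max_hdr: int = 64          # max number of header lines
    http_req_hdr_len: int = 8192    # max bytes of one header line (name included)
    http_req_size: int = 32768      # max bytes of the request head, up to the blank line


def check_request(request_line: str, headers: dict[str, str],
                  limits: VarnishLimits = VarnishLimits()) -> list[str]:
    """Return the limits the request would exceed; an empty list means Varnish
    should get as far as vcl_recv with it."""
    violations = []
    lines = [f"{name}: {value}" for name, value in headers.items()]
    if len(lines) > limits.http_max_hdr:
        violations.append(
            f"http_max_hdr: {len(lines)} header lines > {limits.http_max_hdr}")
    for line in lines:
        # Assumption: the limit is applied to the header line as a whole
        # (name, colon and value), not to the value alone.
        size = len(line.encode())
        if size > limits.http_req_hdr_len:
            violations.append(
                f"http_req_hdr_len: '{line.split(':', 1)[0]}' line is "
                f"{size} bytes > {limits.http_req_hdr_len}")
    # Whole head: request line and every header line, each followed by CRLF,
    # plus the terminating empty line.
    total = sum(len(l.encode()) + 2 for l in [request_line, *lines]) + 2
    if total > limits.http_req_size:
        violations.append(
            f"http_req_size: request head is {total} bytes > {limits.http_req_size}")
    return violations


def heavy_cookie_request(repeats: int = 700) -> tuple[str, dict[str, str]]:
    """Build a request shaped like the one in the question: one oversized
    Cookie header (constructed value, about 9 KB at 700 repeats)."""
    cookie = "heavy-cookie=" + "heavy-cookie-" * repeats
    headers = {
        "Host": "example.test",          # placeholder host, not from the page
        "User-Agent": "Mozilla/5.0",
        "Accept": "text/html",
        "Cookie": cookie,
    }
    return "GET /bsro/services/store/pricing-details HTTP/1.1", headers


if __name__ == "__main__":
    line, hdrs = heavy_cookie_request()
    print("defaults:", check_request(line, hdrs) or "within limits")
    tuned = VarnishLimits(http_req_hdr_len=16384)
    print("16k:     ", check_request(line, hdrs, tuned) or "within limits")
```

Run it with the defaults to see the Cookie line trip http_req_hdr_len, and with http_req_hdr_len=16384 to see the same head pass, matching the answer's test result.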

The issue in my case was at the HAProxy level. After setting the buffer size to a certain level (> 16KB) in HAProxy, the requests are now reaching Varnish. I accepted Thijs's answer since it helped me conclude that the requests were not reaching Varnish at all.

Vivek