The example configuration of authcache_varnish makes use of the HTTP header X-Original-URL, which is sent with the key request to the backend in order to preserve the URL for evaluation once the key is present.

This can cause issues if the backend or an intermediate service objects to that particular header name; specifically, some WAFs are now filtering for this header after this Symfony CVE: https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-ri...

We discovered this on our hosting provider when upgrading to a newer PHP version, which caused us to receive a "400 Bad Request". The fix is simple: just rename the header to a safe, unused name, e.g. X-Authcache-Original-URL.

This is likely to impact very few other sites, but I'm documenting it here since it took us quite a while to track this down.
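The following VCL sketch is an added example, not the module's shipped configuration, showing the mechanism the summary describes and the rename it proposes: the real URL is parked in a request header while Varnish issues the key request, then restored before the restart. The cookie pattern (SESS), the key endpoint path (/authcache-varnish-get-key) and the response header name X-Authcache-Key are assumptions for illustration. Because X-Original-URL is precisely the header a client abused in CVE-2018-14773, the example also drops both header names from incoming client requests, so the only values Varnish ever acts on are its own.

```vcl
vcl 4.0;

backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Headers this VCL uses internally must never be accepted from the client
    # (a client-supplied X-Original-URL is exactly the CVE-2018-14773 pattern).
    # Strip them on the first pass only; the restart below relies on our values.
    if (req.restarts == 0) {
        unset req.http.X-Original-URL;
        unset req.http.X-Authcache-Original-URL;
        unset req.http.X-Authcache-Key;
    }

    # Session request without a cache key yet: turn it into a key request and
    # remember the real URL in the prefixed header (was X-Original-URL, which
    # some WAFs now reject with 400).
    if (req.http.Cookie ~ "SESS" && !req.http.X-Authcache-Key) {
        set req.http.X-Authcache-Original-URL = req.url;
        set req.url = "/authcache-varnish-get-key";  # assumed key endpoint
        return (pass);
    }
}

sub vcl_backend_fetch {
    # Before the rename the legacy header name reached the backend:
    #   set bereq.http.X-Original-URL = bereq.http.X-Authcache-Original-URL;
    # The backend does not need it to compute the key, so make sure the
    # legacy name is never forwarded at all.
    unset bereq.http.X-Original-URL;
}

sub vcl_deliver {
    # Key response received: keep the key on the request, restore the original
    # URL from our header and restart to fetch the real page.
    if (req.url == "/authcache-varnish-get-key" && resp.http.X-Authcache-Key) {
        set req.http.X-Authcache-Key = resp.http.X-Authcache-Key;
        set req.url = req.http.X-Authcache-Original-URL;
        unset req.http.X-Authcache-Original-URL;
        return (restart);
    }
}

sub vcl_hash {
    # Segment the cache by key so pages personalised for one session are never
    # served to a session holding a different key.
    if (req.http.X-Authcache-Key) {
        hash_data(req.http.X-Authcache-Key);
    }
}
```

With this layout the only header name that crosses into the backend request is the X-Authcache-prefixed one, which is consistent with the module's other custom headers and does not match WAF rules written for the Symfony issue.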

Comments

grahl created an issue. See original summary.


Status: Active » Needs review
Attachment: new, 2.38 KB

Status: Needs review » Reviewed & tested by the community

I think this is an acceptable patch. Most probably will not have this issue, but it's a minor change that will work for everyone.


Right. This header does not have any significance for the backend. In principle it could be stripped from the bereq altogether. Prefixing it with X-Authcache, like all the other authcache-specific custom headers, is a sensible change as well.

  • znerol committed a0c63b7 on 7.x-2.x authored by grahl
    Issue #3029599 by grahl: X-Original-URL in Varnish configuration not...

Status: Reviewed & tested by the community » Fixed

Thanks for the patch as well as for the review.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.