Hello,
I would highly appreciate if I get some help on the following issu: The query string from the end (== erstellen4) is being incorrectly appended to the token because the Varnish is not removing the tags correctly. https://xxxxxx.my/aa/?ResetPasswordToken=4P/weCg49hetX25dVAJxGW0i2GcwuN3bB3z xbMiYLo+3Kfpk199F9ZjwvSP3g8mrPq/opmCosoDmkTHYx3CYK+ABEFrF92y+R0V9icpnLep+f+z fPJjVOZ+M6wa1egt+GNktWIdBIruXXREYAboEQyBtHmgGJQe25KoCUvfUe1ySZlcFre5Dk913ktB D/wvwrtt/O6T2e9aUn2aiKkKdtA==&utm_source=acc_activation&utm_medium=email&utm _campaign=FW_new_customer_activation_2-2019032713&utm_content=Zugangsdaten+e rstellen4 This is what I get by looking at the logs: After reset password token: 4P/weCg49hetX25dVAJxGW0i2GcwuN3bB3zxbMiYLo3Kfpk199F9ZjwvSP3g8mrPq/opmCosoDmk THYx3CYK ABEFrF92yR0V9icpnLepfzfPJjVOZM6wa1egtGNktWIdBIruXXREYAboEQyBtHmgGJQe25KoCUvf Ue1ySZlcFre5Dk913ktBD/wvwrtt/O6T2e9aUn2aiKkKdtA== erstellen4 This is my varnish config : # # Marker to tell the VCL compiler that this VCL has been adapted to the # new 4.0 format. vcl 4.0; import directors; import std; acl monitoring { "localhost"; "192.xxx.xxx.xxx"/32; /* Collector */ "83.xxx.xxx.xxx"/32; /* LB */ } acl purge { "xxx.xxx.xxx.xxx"/32; /* */ "xxx.xxx.xxx.xxx"/32; /* */ } include "/etc/varnish/backend.vcl"; sub vcl_init { include "/etc/varnish/director.vcl"; } sub vcl_recv { # Happens before we check if we have this in cache already. # # Typically you clean up the request here, removing cookies you don't need, #A #rewriting the request, etc. #set req.backend_hint = vweb.backend(req.http.X-Forwarded-For); #set req.backend_hint = fbdirector.backend(); # # Set hash directory with hashing option X-Forwarded for becuase we use nginx between the client and vanrish #set req.backend_hint = hashdirector.backend(req.http.X-Forwarded-For); # # Monitoring for FortiADC if faild, the proxy is taken out, if all fails then hit maintance page. if (req.method == "GET" && req.url == "/varnish-status") { if (client.ip ~ monitoring) { #if (std.healthy(hashdirector.backend(req.http.X-Forwarded-For))) { return(synth(200, "OK")); #} else { # return(synth(503, "No backends available")); #} } else { return(synth(403, "Access denied.")); } } include "/etc/varnish/vhost.vcl"; # Remove the proxy header (see https://httpoxy.org/#mitigate-varnish) unset req.http.proxy; # Allow purging if (req.method == "PURGE") { if (!client.ip ~ purge) { # purge is the ACL defined at the begining # Not from an allowed IP? Then die with an error. return (synth(405, "IP: " + client.ip + " is not allowed to send PURGE requests.")); } # If you got this stage (and didn't error out above), purge the cached result return (purge); } # Only allow BAN requests from IP addresses in the 'purge' ACL. if (req.method == "BAN") { # Same ACL check as above: if (!client.ip ~ purge) { return (synth(405, "IP: " + client.ip + " is not allowed to send BAN requests.")); } # manual sudo varnishadm "ban req.http.host ~ www.mydomain.com" ban("req.http.host ~ " + req.http.host); # Throw a synthetic page so the request won't go to the backend. return (synth(200, "BAN for " + req.http.host + " done")); } # Only cache GET or HEAD requests. This makes sure the POST requests are always passed. if (req.method != "GET" && req.method != "HEAD") { return (pass); } # Some generic URL manipulation, useful for all templates that follow # First remove the Google Analytics added parameters, useless for our backend if (req.url ~ "(\?|&)(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteu rl)=") { set req.url = regsuball(req.url, "&(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteurl)=( [A-z0-9_\-\.%25]+)", ""); set req.url = regsuball(req.url, "\?(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteurl)= ([A-z0-9_\-\.%25]+)", "?"); set req.url = regsub(req.url, "\?&", "?"); set req.url = regsub(req.url, "\?$", ""); } # Strip hash, server doesn't need it. if (req.url ~ "\#") { set req.url = regsub(req.url, "\#.*$", ""); } # Strip a trailing ? if it exists if (req.url ~ "\?$") { set req.url = regsub(req.url, "\?$", ""); } # Some generic cookie manipulation, useful for all templates that follow # Remove the "has_js" cookie set req.http.Cookie = regsuball(req.http.Cookie, "has_js=[^;]+(; )?", ""); # Remove any Google Analytics based cookies set req.http.Cookie = regsuball(req.http.Cookie, "__utm.=[^;]+(; )?", ""); set req.http.Cookie = regsuball(req.http.Cookie, "_ga=[^;]+(; )?", ""); set req.http.Cookie = regsuball(req.http.Cookie, "_gat=[^;]+(; )?", ""); set req.http.Cookie = regsuball(req.http.Cookie, "utmctr=[^;]+(; )?", ""); set req.http.Cookie = regsuball(req.http.Cookie, "utmcmd.=[^;]+(; )?", ""); set req.http.Cookie = regsuball(req.http.Cookie, "utmccn.=[^;]+(; )?", ""); # Remove DoubleClick offensive cookies set req.http.Cookie = regsuball(req.http.Cookie, "__gads=[^;]+(; )?", ""); # Remove the Quant Capital cookies (added by some plugin, all __qca) set req.http.Cookie = regsuball(req.http.Cookie, "__qc.=[^;]+(; )?", ""); # Remove the AddThis cookies set req.http.Cookie = regsuball(req.http.Cookie, "__atuv.=[^;]+(; )?", ""); # Remove a ";" prefix in the cookie if present set req.http.Cookie = regsuball(req.http.Cookie, "^;\s*", ""); # Are there cookies left with only spaces or that are empty? if (req.http.cookie ~ "^\s*$") { unset req.http.cookie; } # Large static files are delivered directly to the end-user without # waiting for Varnish to fully read the file first. # Varnish 4 fully supports Streaming, so set do_stream in vcl_backend_response() if (req.url ~ "^[^?]*\.(7z|avi|bz2|flac|flv|gz|mka|mkv|mov|mp3|mp4|mpeg|mpg|ogg|ogm|opus|r ar|tar|tgz|tbz|txz|wav|webm|xz|zip)(\?.*)?$") { unset req.http.Cookie; return (hash); } #Remove all cookies for static files if (req.url ~ "^[^?]*\.(7z|avi|bmp|bz2|css|csv|doc|docx|eot|flac|flv|gif|gz|ico|jpeg|jpg|j s|less|mka|mkv|mov|mp3|mp4|mpeg|mpg|odt|otf|ogg|ogm|opus|pdf|png|ppt|pptx|ra r|rtf|svg|svgz|swf|tar|tbz|tgz|ttf|txt|txz|wav|webm|webp|woff|woff2|xls|xlsx |xml|xz|zip)(\?.*)?$") { unset req.http.Cookie; return (hash); } # Send Surrogate-Capability headers to announce ESI support to backend set req.http.Surrogate-Capability = "key=ESI/1.0"; if (req.http.Authorization) { # Not cacheable by default return (pass); } if (req.url == "/checksite.aspx") { # Dont cache monitoring url return (pass); } return (hash); } sub vcl_backend_response { # Happens after we have read the response headers from the backend. # # Here you clean the response headers, removing silly Set-Cookie headers # and other mistakes your backend does. # # set beresp.http.X-Backend = beresp.backend.name; # Remove some headers: ASP version unset beresp.http.X-Powered-By; # Remove cookie with empty basketid useless... VL should fix on backend if (beresp.http.set-cookie == "BasketID=; path=/") { unset beresp.http.set-cookie; } # Pause ESI request and remove Surrogate-Control header if (beresp.http.Surrogate-Control ~ "ESI/1.0") { unset beresp.http.Surrogate-Control; set beresp.do_esi = true; } # Enable cache for all static files # The same argument as the static caches from above: monitor your cache size, if you get data nuked out of it, consider giving up the static file cache. # Before you blindly enable this, have a read here: https://ma.ttias.be/stop-caching-static-files/ if (bereq.url ~ "^[^?]*\.(7z|avi|bmp|bz2|css|csv|doc|docx|eot|flac|flv|gif|gz|ico|jpeg|jpg|j s|less|mka|mkv|mov|mp3|mp4|mpeg|mpg|odt|otf|ogg|ogm|opus|pdf|png|ppt|pptx|ra r|rtf|svg|svgz|swf|tar|tbz|tgz|ttf|txt|txz|wav|webm|webp|woff|woff2|xls|xlsx |xml|xz|zip)(\?.*)?$") { unset beresp.http.set-cookie; } # Large static files are delivered directly to the end-user without # waiting for Varnish to fully read the file first. # Varnish 4 fully supports Streaming, so use streaming here to avoid locking. if (bereq.url ~ "^[^?]*\.(7z|avi|bz2|flac|flv|gz|mka|mkv|mov|mp3|mp4|mpeg|mpg|ogg|ogm|opus|r ar|tar|tgz|tbz|txz|wav|webm|xz|zip)(\?.*)?$") { unset beresp.http.set-cookie; set beresp.do_stream = true; # Check memory usage it'll grow in fetch_chunksize blocks (128k by default) if the backend doesn't send a Content-Length header, so only enable it for big objects } # Don't cache 50x responses if (beresp.status == 500 || beresp.status == 502 || beresp.status == 503 || beresp.status == 504) { return (abandon); } if (bereq.http.Cookie ~ "(UserID|_session)") { #set beresp.http.X-Cacheable = "NO:Got Session"; set beresp.uncacheable = true; return (deliver); } elsif (beresp.ttl <= 0s) { # Varnish determined the object was not cacheable #set beresp.http.X-Cacheable = "NO:Not Cacheable"; } elsif (beresp.http.set-cookie) { # You don't wish to cache content for logged in users #set beresp.http.X-Cacheable = "NO:Set-Cookie"; set beresp.uncacheable = true; return (deliver); } elsif (beresp.http.Cache-Control ~ "private") { # You are respecting the Cache-Control=private header from the backend #set beresp.http.X-Cacheable = "NO:Cache-Control=private"; set beresp.uncacheable = true; return (deliver); } else { # Varnish determined the object was cacheable #set beresp.http.X-Cacheable = "YES"; } return(deliver); } sub vcl_deliver { # Happens when we have all the pieces we need, and are about to send the # response to the client. # # You can do accounting or modifying the final object here. if (obj.hits > 0) { # Add debug header to see if it's a HIT/MISS and the number of hits, disable when not needed set resp.http.X-Cache = "HIT"; } else { set resp.http.X-Cache = "MISS"; } # Unset some headers unset resp.http.Via; unset resp.http.X-Varnish; # Please note that obj.hits behaviour changed in 4.0, now it counts per objecthead, not per object # and obj.hits may not be reset in some cases where bans are in use. See bug 1492 for details. # So take hits with a grain of salt set resp.http.X-Cache-Hits = obj.hits; } Regards, Cris
_______________________________________________ varnish-misc mailing list [email protected] https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
