Reputation: 394
When a request comes in on a Varnish server, I would like to return an empty response or simply close the connection if the requested server name is not known.
For example, on nginx (the backend side of Varnish) I did this:
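
    # Catch-all for requests whose Host matches no other server block
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        return 444;  # nginx-specific: close the connection without sending a response
    }
    server {
        listen 80;
        listen [::]:80;
        server_name my.example.org;
    }
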
So, when a user/robot comes to this nginx server with an IP address or an unknown host, it gets: The connection was reset.
How do I?
With this configuration on the nginx side and nothing more on the Varnish side, if I try to access the Varnish server via its public IP, I get: Error 503 Backend fetch failed - Backend fetch failed - Guru Meditation.
Perhaps there is a possibility on the Varnish side, when the response from the backend (nginx) is 444, to simply close the connection.
varnishlog says:

    - BereqMethod GET
    - BereqURL /
    - BereqProtocol HTTP/1.1
    ...
    - BereqHeader X-Varnish: 1540833
    - VCL_call BACKEND_FETCH
    - VCL_return fetch
    - BackendOpen 33 default X.X.X.X 80 X.X.X.X 34862
    ...
    - FetchError HTC eof (-1)
    - BackendClose 33 default
    ...
    - BerespProtocol HTTP/1.1
    - BerespStatus 503
    - BerespReason Backend fetch failed
    - BerespHeader Date: Fri, 10 Feb 2023 10:10:48 GMT
    - BerespHeader Server: Varnish
    - VCL_call BACKEND_ERROR

I want to "process" this error.
Upvotes: 0
Views: 509
Reputation: 4808
If Varnish is hosted on the same machine as your Nginx server, Varnish should be listening on port 80 and Nginx on port 8080.
Once Varnish can reach Nginx, the Backend fetch failed issue will go away.
In Varnish you don't need to configure anything special; whatever Nginx returns, Varnish will handle. However, if you want to handle this in Varnish before Nginx is reached, you could use the following VCL code:

    sub vcl_recv {
        if (req.http.Host != "my.example.org") {
            return (synth(403));
        }
    }

This assumes that my.example.org is the right Host header. This also assumes that returning a synthetic 403 Forbidden is an acceptable return value.
Upvotes: 1
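
An added example, not part of the question or the answer above: a VCL 4.1 sketch that extends the host check so it also covers a missing Host header, mixed case and an explicit port, and answers unknown names with an empty body and a closed connection. The backend address 127.0.0.1:8080 and the reason string "Unknown host" are assumptions chosen for illustration.

```vcl
vcl 4.1;

import std;

# Assumption: nginx listens on the same machine on port 8080.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Normalize Host so "MY.EXAMPLE.ORG:80" matches and is cached
    # under the same name as "my.example.org".
    if (req.http.Host) {
        set req.http.Host = std.tolower(regsub(req.http.Host, ":[0-9]+$", ""));
    }

    # Reject a missing Host, a bare IP address, or any other name
    # before the backend is contacted at all.
    if (!req.http.Host || req.http.Host != "my.example.org") {
        return (synth(403, "Unknown host"));
    }
}

sub vcl_synth {
    # Only touch the synthetic response generated by the check above.
    if (resp.status == 403 && resp.reason == "Unknown host") {
        # Ask Varnish to close the client connection after this response.
        set resp.http.Connection = "close";
        # Returning here skips the built-in vcl_synth, which is what
        # generates the HTML error page, so the body stays empty.
        return (deliver);
    }
}
```

Unlike nginx's 444, the client still receives a status line and headers; only the body is empty and the connection is closed afterwards.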