Hi Guillaume, I meant blocking them at the AWS WAF, before they even get to any of the web servers, i.e. less work for Varnish. I’d need to get the raw headers and I wasn’t having luck with that so far in the WAF CloudTrail logs, so I’ve opened up a support case about it, but I was hoping to possibly get some insight here, as well, since I don’t know whether the WAF support specialists will know much about using Varnish.
Thanks, Justin From: Guillaume Quintard <[email protected]> Sent: Monday, July 15, 2024 6:07 PM To: Justin Lloyd <[email protected]> Cc: [email protected] Subject: Re: 400 Bad Request and whitespace in headers Hi Justin! What do you mean by "blocking" those requests? As you can see from the logs, thye don't even reach vcl_recv before they are thrown out, so they are technically already being rejected. Kind regards, -- Guillaume Quintard On Mon, Jul 15, 2024 at 9:44 AM Justin Lloyd <[email protected]<mailto:[email protected]>> wrote: Hi all, I’m trying to figure out what the requests are that are resulting in the following Varnish responses and how to block them: * << Request >> 39071654 - Begin req 39071653 rxreq - Timestamp Start: 1721059686.537197 0.000000 0.000000 - Timestamp Req: 1721059686.537197 0.000000 0.000000 - BogoHeader Illegal char 0x20 in header name - HttpGarbage "GET%00" - RespProtocol HTTP/1.1 - RespStatus 400 - RespReason Bad Request - ReqAcct 535 0 535 28 0 28 - End These are on AWS EC2 instances that are behind an Application Load Balancer (ALB) that is connected to a Web Application Firewall (WAF), so in theory I should be able to figure out a rule to add to the WAF to block these. I’d just need to get more information to do so, and AWS support could probably help, but I wanted to check here first if there’s any way to get further information about such requests out of Varnish. FWIW, the 0x20 is a space character, but there are also similar requests reporting 0x09 (horizontal tab) characters. Thanks, Justin _______________________________________________ varnish-misc mailing list [email protected]<mailto:[email protected]> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
_______________________________________________ varnish-misc mailing list [email protected] https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
