0
votes

Ok, so I'm currently devving a box with Varnish 4 and I'm curious what a normal (although if all online examples are any indication it's stripping out known cookies only) cookie approach is? Is it stripping out all cookies and white-listing known cookies? That seems a little more sensible, so that's what I'm curious of. After looking at https://www.varnish-cache.org/trac/wiki/VCLExampleRemovingSomeCookies, at the very bottom they show how to remove all but SOME (white-listing) and then directly under the headline say (warning - not pretty).

Here's the snippet:

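    sub vcl_recv {
        if (req.http.Cookie) {
            # Prefix ";" so every cookie, including the first, starts with ";"
            set req.http.Cookie = ";" + req.http.Cookie;
            # Drop the spaces that follow each ";"
            set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
            # Put a space back in front of the white-listed cookies only
            set req.http.Cookie = regsuball(req.http.Cookie, ";(COOKIE1|COOKIE2)=", "; \1=");
            # Delete every cookie whose ";" is not followed by a space
            set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
            # Trim leftover leading/trailing ";" and spaces
            set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");

            if (req.http.Cookie == "") {
                remove req.http.Cookie;
            }
        }
    }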

Firstly, did someone just throw that (warning - not pretty) part because it's not really the optimal setup or in the sense of "hey this is going to be a nightmare trying to take user reports on" or something?

The second thing I'm curious of (reassurance! :P), that will literally strip out any and all cookies outside of ones named COOKIE1|COOKIE2, correct?

And the last thing I'm curious of about that snippet, where COOKIE1|COOKIE2 is, (I don't know regex very well) does that mean I can replace COOKIE1 with say __bilbobaggins (real cookie name __bilbobaggins=1;134;onewasaring) and then COOKIE2 with 1_2_3__4_cookiename (real cookie name 1_2_3__4_cookiename=this,is,another,cookie) and it will allow those all through without any need for regexes or something for the actual cookie data to pass?

I'm sadly not thinking it's as simple as that though?


Also, regardless of the above approach is there any Varnish 4 varnishlog syntax I can use to monitor ONLY cookies that are hitting the back-end?


1 Answer

1
votes

Regarding your first question I'd say it's more about readability than performance. If you understand the code and you are comfortable with it I don't see any issues.

The answer to your second question is yes, it will keep COOKIE1 and COOKIE2. You can verify that using varnishtest. Please note that you need to rename "remove" to "unset" (remove is Varnish 3 specific).

Regarding the last question, correct, you can replace COOKIE1 and COOKIE2 with the names of the real cookies. Just keep in mind that you need to encode ";".

For a different approach check the cookie vmod at https://github.com/lkarsten/libvmod-cookie.

As for varnishlog, you could use:

    varnishlog -I BereqHeader:^Cookie
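
To see what the white-list chain lets through to the backend, here is an added example (not part of the original post or answer, and not Varnish code) that replays the same five substitutions with Python's `re` module, which treats these simple patterns the same way `regsuball` does. The function name `filter_cookies`, the sample headers and the `tracker`/`_ga`/`foo` cookies are constructed for illustration; it also shows why a raw ";" inside a cookie value has to be encoded.

```python
import re


def filter_cookies(header, allowed):
    """Replay the VCL regsuball chain from the question.

    Returns the Cookie header value that would reach the backend,
    or None when the header would be removed entirely.
    """
    # Assumption of this example: names are regex-escaped automatically;
    # in VCL you would escape any regex metacharacters by hand.
    names = "|".join(re.escape(n) for n in allowed)
    c = ";" + header                                  # every cookie now starts with ";"
    c = re.sub(r"; +", ";", c)                        # drop spaces after ";"
    c = re.sub(r";(" + names + r")=", r"; \1=", c)    # mark white-listed cookies with a space
    c = re.sub(r";[^ ][^;]*", "", c)                  # delete every unmarked cookie
    c = re.sub(r"^[; ]+|[; ]+$", "", c)               # trim leftover separators
    return c or None


if __name__ == "__main__":
    allowed = ["__bilbobaggins", "1_2_3__4_cookiename"]
    # Constructed sample Cookie headers.
    samples = [
        # Unknown cookies are stripped, white-listed ones pass unchanged.
        "tracker=zzz; 1_2_3__4_cookiename=this,is,another,cookie; _ga=GA1.2",
        # A raw ";" in the value is read as a cookie separator: the value is cut to "1".
        "__bilbobaggins=1;134;onewasaring; tracker=zzz",
        # The same value with ";" encoded as %3B passes through whole.
        "__bilbobaggins=1%3B134%3Bonewasaring; tracker=zzz",
        # A name that merely ends with a white-listed name does not match.
        "X__bilbobaggins=evil; tracker=zzz",
    ]
    for s in samples:
        print(repr(s), "->", repr(filter_cookies(s, allowed)))
```
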