Update workaround with suggestions from @nigoroll

f51fad75 · Martin Blix Grydeland · f816c487 · f51fad75
Commit f51fad75 authored Jan 11, 2022 by Martin Blix Grydeland
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 13 deletions

VSV00008.rst R1/source/security/VSV00008.rst +9 -13

No files found.
--- a/R1/source/security/VSV00008.rst
+++ b/R1/source/security/VSV00008.rst
@@ -44,24 +44,20 @@ Mitigation
 If upgrading Varnish is not possible, it is possible to mitigate the
 problem by ensuring that the Varnish Server does not allow connection
-reuse on HTTP/1 client connections.  Be advised that this comes with a
+reuse on HTTP/1 client connections once a request body has been seen on
-performance penalty, and should for this reason only be considered as a
+the connection. To deploy the workaround, put the following VCL
-temporary workaround in environments where this performance penalty is
+configuration towards the top of the VCL configuration::
-acceptable. To deploy the workaround, put the following VCL configuration
-towards the top of the VCL configuration::
-  sub vcl_synth {
-      if (req.proto != "HTTP/2.0") {
-          set resp.http.Connection = "close";
-      }
-  }
-  sub vcl_deliver {
+  sub vsv8 {
-      if (req.proto != "HTTP/2.0") {
+      if ((req.http.Content-Length || req.http.Transfer-Encoding) &&
+        req.proto != "HTTP/2.0") {
          set resp.http.Connection = "close";
      }
  }
+  sub vcl_synth { call vsv8; }
+  sub vcl_deliver { call vsv8; }
 Credits
 -------