Whitelist query params with VCL

Follow

ryantownsend

• January 14, 2016 22:01

I’ve read about Boltsort helping improve caching by sorting the query params, is there something akin to this that will filter params to a given whitelist? (ideally with means of regex matching)

This way we can prevent someone simply adding v=<a_number_here> to the end of the query params to force a cache miss…

0

• 

  Cassandra Dixon

  • January 16, 2016 02:52

  Hi Ryan,

  There isn't a specific query whitelisting function. This is a request on our feature list. However, you can whitelist URL parameters using VCL in the following manner:

  • Have a list of query parameters that should be accepted

  • Parse them into headers

  ``` Example:

  set req.http.X-Param_xxx = regsub(req.url, ".&|?.", "\1"); ```

  • Then strip query parameters from URL path

  ``` Example:

  set req.http.X-URL = req.url.path ```

  • Rebuild the URL with the accepted query parameters

  ``` Example:

  set req.url = req.http.X-URL req.http.X-Param_xxx ...; ```

  Let me know if this helps.

  Best

  0

  Comment actions Permalink
• 

  chrisboylan

  • August 01, 2016 23:33

  For future reference (we saw this page from searching) - Check out here: https://docs.fastly.com/guides/vcl/query-string-manipulation-vcl-features

  There is functionality that does this more cleanly now.

  0

  Comment actions Permalink
• 

  lukebussey

  • November 18, 2016 16:16

  I use the following in vcl_recv to remove any UTM or gclid parameters:

  import querystring;
  
  /* remove client-side tracking parameters from querystring */
  if (req.url ~ "\?") {
      set req.url = querystring.clean(req.url);
      set req.url = querystring.regfilter(req.url, "utm_[a-z]+|gclid");
      set req.url = querystring.sort(req.url);
  }
  

  0

  Comment actions Permalink

Please sign in to leave a comment.