VCL: Can we craft and send an HTTP request to an Auth server?



  • Justin

    Can we craft an HTTP request to my auth server from vcl_recv?

    You can change the host to connect to, the path and query string, and add headers before a restart. So in effect you can create a whole new request. Check here and here for more information on this.

    The payload of this will be a JSON-format auth request, and based on the response from the auth server, proceed to allow or deny access to the web content.

    However, as far as I know, you can't add a body, so that won't be possible.

    Or can I use any of the vmods, like curl, for doing this? Is there support to achieve this?

    No, you can't use vmods either. We've incorporated many into our core Varnish, but not curl. The restart capability is the closest thing.

  • techreb

    Hi Justin, thank you for this information. I was trying to solve the problem based on your inputs. But now I am stuck with my POST form requests. I see that after a restart my form data in the payload is lost. Am I missing something? -Michael

  • Justin

    Yes, that's expected. After a restart the body of a POST request will not be preserved. You could stash req.postbody in a header so that you can pass it on in the other requests and have it available that way.

  • techreb

    Thank you so much for the reply. You are right, I can stash it in a separate HTTP header field. But req.postbody cannot be attached back to the REQ in the second pass, after successful authentication.

    Thanks, Michael

  • Justin

    Yes, that's also true! There's no way to change or amend the body of the request, GET or POST.

  • ryantownsend

    Is there a solution for this use-case? We're looking at authenticating requests, but we need it to work for POST / PATCH / DELETE etc, not just GET requests.

  • gocoy

    Do you have an example with vcl? I need to change request host between first request and the second one. But your link doesn't help me.

  • Andrew Betts

    Hi @gocoy,

    I've recently been working on a tool that helps our customers to try out VCL. You can see an example of what I call 'preflighting', which is sending one request and then using the response to determine whether to send another, in this fiddle:

    You specifically mention changing the host, and you will indeed have to do that, though currently the fiddle does this invisibly rather than allowing you to do it yourself. So when you set the backend with set req.backend = F_originname;, in practice you will also need to do set = "host header of new backend";.

    Let me know how you get on, and I'm sorry the tool currently has very little documentation. It's very much an early alpha.
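
The preflight pattern discussed above, written out in Fastly VCL as an added example (not from any poster in this thread and not Fastly's own code). The backend names F_auth_server and F_origin, the host auth.example.com, the /authorize path and the X-Preflight-* header names are assumptions; as the thread notes, the request body does not survive the restart, so this only covers requests without a body.

```vcl
# Added example. F_auth_server, F_origin, auth.example.com, /authorize and
# the X-Preflight-* headers are hypothetical placeholders.
sub vcl_recv {
#FASTLY recv
  if (req.restarts == 0) {
    # First pass: remove client-supplied copies of the internal headers so
    # a client cannot pre-set the "already authorized" marker.
    unset req.http.X-Preflight-Done;
    unset req.http.X-Preflight-Url;
    unset req.http.X-Preflight-Host;
    # Remember the original request so it can be restored after the restart.
    set req.http.X-Preflight-Url = req.url;
    set req.http.X-Preflight-Host = req.http.Host;
    # Turn this pass into the auth check: new backend, host and path.
    set req.backend = F_auth_server;
    set req.http.Host = "auth.example.com";
    set req.url = "/authorize";
    # Never serve an auth decision from cache.
    return(pass);
  }
  if (req.http.X-Preflight-Done != "1") {
    # Restarted without an approved preflight: fail closed.
    error 403 "Forbidden";
  }
  # Second pass: restore the original request and send it to the origin.
  set req.backend = F_origin;
  set req.url = req.http.X-Preflight-Url;
  set req.http.Host = req.http.X-Preflight-Host;
  unset req.http.X-Preflight-Done;
  unset req.http.X-Preflight-Url;
  unset req.http.X-Preflight-Host;
  return(lookup);
}

sub vcl_deliver {
#FASTLY deliver
  if (req.restarts == 0 && resp.status == 200) {
    # The auth server approved: mark the request and run it again.
    set req.http.X-Preflight-Done = "1";
    restart;
  }
  # Any other preflight status is delivered to the client as the denial.
  return(deliver);
}
```
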

  • gocoy

    Hi, I'm already using fiddle fastly, thanks. Your answer partially resolves my problem, because my second origin is based on the first origin's response. I see that origins are modifiable only with the API, right?

    Any other ideas?

    Thanks F.

  • Andrew Betts

    You can't specify an origin dynamically, but you can have a number of origins. So if you know what all the possibilities are, set all of those up as differently-named origins, and then switch to the one that you want based on the content of your preflight response.

    We do have API functions for creating backends versionlessly (i.e. without activating a new version of your entire configuration):

  • Jacek Kunicki


    I stumbled upon this thread while looking for a way to send custom requests to an external service from VCL. Has anything changed in this matter over those two years?

    We are a SaaS solution that analyzes customers' traffic, and provides API protection. To do so, we are occupying an agent on the customer side, which mirrors traffic to our backend.

    In case our customer is using Fastly, we would like the ability to mirror API traffic (HTTP request/response) to our backend.

    Are there any plans to support the curl module from Varnish? Or any other way to achieve what we need?




  • Hiro

    Hi Jacek,

    You could mirror the request traffic to your backend, but unfortunately, we don't have any support for mirroring the response traffic to your backend.

    As discussed in this thread, we could set the initial backend to your backend server in vcl_recv (and you retrieve the data), and have Varnish restart the request over to the actual backend (origin) in the case of a cache MISS/PASS. However, if you restart the request again after fetching the origin response in vcl_deliver to mirror the origin response to your backend, the response state from the origin wouldn't persist to the client.

    We don't have a roadmap for cURL module support in VCL at this moment, but you can always set up the logging to deliver the request/response data to your logging endpoint.


  • Jacek Kunicki

    Thanks Hiro. Can you please elaborate on using the logging for sending request/response data to an external service? Do the logs include the request/response bodies? I was looking at, but couldn't find any reference to body data.

  • Hiro

    Hi Jacek, I assumed your backend server wouldn't need to receive the response body itself. The log aggregator won't deliver the response body itself, but it could stream the request/response data like body size and geolocation. We have other documentation for the useful variables to log here:

    Also, I wanted to mention that the req.body (request body from Client to Fastly) is available for logging, but it's subject to the resource limit.
