
Varnish http_req_hdr_len parameter not working for request header size > 8KB


I am trying to set the max request header size to 16KB in the varnishd command. Here is what the varnishd command looks like:

/usr/sbin/varnishd \
        -P /var/run/varnish.pid \
        -f $VARNISH_VCL_CONF \
        -a ${VARNISH_LISTEN_ADDRESS}:${VARNISH_LISTEN_PORT} \
        -T ${VARNISH_ADMIN_LISTEN_ADDRESS}:${VARNISH_ADMIN_LISTEN_PORT} \
        -p http_req_hdr_len=16384 \
        -p http_resp_hdr_len=16384 \
        -t $VARNISH_TTL \
        -S $VARNISH_SECRET_FILE \
        -s $VARNISH_STORAGE \

With the above configuration, when I try to execute a request with a header size of more than 8KB, Varnish doesn't accept the request. I have put LOG statements in the vcl_recv method, but nothing appears in varnishlog for these requests. I am sure these parameters (http_req_hdr_len) work because when I set them to a minimum level (say 40 bytes), Varnish does not accept normal requests (e.g. requests with a header size of around 2KB).

Adding the list of headers as requested:


Solution

    Header sizes

    There are 5 parameters that you can tune to influence the size and length of request & response headers:

    • http_max_hdr: the maximum number of headers an HTTP request or response may contain. The default value is 64
    • http_req_hdr_len: the maximum size of an individual request header. By default this is 8KB
    • http_req_size: the maximum total size of the HTTP request. This defaults to 32 KB
    • http_resp_hdr_len: the maximum size of an individual response header. By default this is 8KB
    • http_resp_size: the maximum total size of the HTTP response headers. This defaults to 32 KB

    So not only do you have to set the maximum size of individual request & response headers, but also the total size the request & response headers consume. Also keep in mind that the number of headers is limited to 64 (by default).

    Workspace settings

    There is another limiting factor in play: the maximum amount of memory you can consume in a single request/response.

    • workspace_client: memory allocation for HTTP request handling. The default value is 64KB in total
    • workspace_backend: memory allocation for backend processing. The default value is 64KB in total

    If incoming requests and responses have more than 64KB of headers in total, the workspace limits are going to kick in. So you need to tune these values as well.

    Testing your long cookie use case

    After having tested your long cookie use case, I came to the conclusion that Varnish handles this well if http_req_hdr_len is increased to 16k.

    Here's the cookie value I used for the request:


    Without the http_req_hdr_len upgrade, I got the same HTTP/400 error you received. After the upgrade I experienced an HTTP/431 Request Header Fields Too Large error.

    I assumed there was another setting that needed to be tuned, but I came to the conclusion that this HTTP/431 error came from my backend server, and not from Varnish.

    I then created the following VCL snippet to perform a synthetic response which would display the cookie:

    vcl 4.1;
    
    backend default none;
    
    sub vcl_recv {
        return(synth(200));
    }
    
    sub vcl_synth {
        set resp.http.Content-Type = "text/plain";
        set resp.body = req.http.Cookie;
        set resp.reason = "OK";
        return(deliver);
    }
    

    It turned out that the complete cookie was displayed by the synth, which allows me to conclude that setting http_req_hdr_len to a high enough value will solve the problem.
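
The limits listed in the answer interact, so raising one can simply move the rejection to the next. The following pre-flight check is an added example, not code from the original answer or from Varnish: it sizes a raw request head against those parameters using the defaults quoted above. The byte accounting is a simplified model (varnishd's exact accounting may differ), and the function names, host and header names are hypothetical.

```python
KB = 1024

# Defaults as listed in the answer above.
DEFAULTS = {
    "http_max_hdr": 64,            # number of headers
    "http_req_hdr_len": 8 * KB,    # one request header
    "http_req_size": 32 * KB,      # whole request head
    "workspace_client": 64 * KB,   # per-request memory
}


def check_request(raw, params=None):
    """Return [(parameter, detail)] for every limit the request head exceeds."""
    limits = {**DEFAULTS, **(params or {})}
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = head.split(b"\r\n")[1:]      # drop the request line
    total = len(head) + 4                  # include the terminating blank line
    findings = []

    if len(headers) > limits["http_max_hdr"]:
        findings.append(("http_max_hdr", f"{len(headers)} headers"))
    for line in headers:
        if len(line) > limits["http_req_hdr_len"]:
            name = line.split(b":", 1)[0].decode("latin-1")
            findings.append(("http_req_hdr_len", f"{name}: {len(line)} bytes"))
    for param in ("http_req_size", "workspace_client"):
        if total > limits[param]:
            findings.append((param, f"request head is {total} bytes"))
    return findings


def build_request(cookie_len=0, extra_headers=0):
    """Constructed sample request; host and header names are placeholders."""
    lines = [b"GET / HTTP/1.1", b"Host: example.test"]
    if cookie_len:
        lines.append(b"Cookie: heavy-cookie=" + b"x" * cookie_len)
    lines += [b"X-Pad-%d: 1" % i for i in range(extra_headers)]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def exceeded(raw, params=None):
    """Names of the parameters a request would trip, in check order."""
    return [param for param, _ in check_request(raw, params)]


if __name__ == "__main__":
    big = build_request(cookie_len=10_000)
    print("defaults:  ", check_request(big))
    print("16k header:", check_request(big, {"http_req_hdr_len": 16 * KB}))
```

Running a captured request through the check before changing `-p` values shows which parameter is the binding one, which keeps each limit only as large as legitimate traffic needs.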