
Varnish 403 Debugging

Too many headers from CSP module / Cache headers

Varnish enforces a maximum length for the headers it accepts, and Magento cache tags or CSP allow headers can easily exceed it. When that happens, Varnish outputs an error message in varnishlog complaining that the headers are too long/large.

To fix this issue, ensure that your Magento cache tags are not ridiculously large and check your application code.

If the issue is CSP headers, this will also show in the logs at the point the error is encountered. Unfortunately CSP is required for security, so the only way to resolve this is to update the Varnish startup config.

You can edit the SystemD configuration directly by running:

# As root
systemctl edit varnish.service --full

This will show the full configuration that SystemD will use for the service.

Add -p http_resp_hdr_len=64000 to the end of the ExecStart line

The full line will look like this.

ExecStart=/usr/sbin/varnishd -a 127.0.0.1:8000 -T 127.0.0.1:6082 -P /run/varnishd.pid -f /etc/varnish/default.vcl -S /etc/varnish/secret -s malloc,256M -p http_resp_hdr_len=64000

Warning

Do not use this to fix massive header counts caused by badly configured cache tags; this approach is only really applicable to CSP header count/length issues.

Once the SystemD service is updated, be sure to run systemctl daemon-reload and restart Varnish.

If you use Docker or Ansible to provision a container, ensure you update your setup permanently.
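
Before and after raising the limit, it helps to confirm which backend header is actually too long. The script below is an added example, not part of the original page or of Varnish itself: it reads a raw response header block and reports any header line longer than http_resp_hdr_len, and whether the whole block exceeds http_resp_size. The default limits (8k and 32k) are Varnish's documented defaults rather than values from this page, the function names and sample response are constructed, and measuring the whole "Name: value" line is an assumption about how Varnish counts.

```shell
#!/bin/sh
# Added example: flag backend response headers that would exceed Varnish limits.
# Default limits are Varnish's documented defaults (8k per header, 32k for the
# whole header block); read the live values with:
#   varnishadm param.show http_resp_hdr_len
#   varnishadm param.show http_resp_size

# Reads a raw response header block on stdin.
# $1 = http_resp_hdr_len in bytes, $2 = http_resp_size in bytes.
# Assumption: the whole "Name: value" line is what counts against the limit.
check_resp_headers() {
    LC_ALL=C awk -v max="${1:-8192}" -v total_max="${2:-32768}" '
    {
        sub(/\r$/, "")                 # strip the CR of the CRLF line ending
        if ($0 == "") exit             # blank line ends the header block
        total += length($0) + 2        # count the line plus its CRLF
        if (NR > 1 && length($0) > max) {   # NR == 1 is the status line
            name = $0
            sub(/:.*/, "", name)       # keep only the header name
            printf "OVER_HDR_LEN %s %d\n", name, length($0)
        }
    }
    END {
        if (total > total_max) printf "OVER_RESP_SIZE %d\n", total
    }'
}

# Constructed sample response: a CSP header listing 400 made-up hosts,
# which is larger than 8k but well under 64000 bytes.
sample_response() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n'
    printf 'Content-Security-Policy: script-src '
    awk 'BEGIN { for (i = 0; i < 400; i++) printf "https://cdn%d.example.com ", i }'
    printf '\r\nX-Magento-Tags: cat_p_1,cat_p_2\r\n\r\n'
}

echo "default limits:"
sample_response | check_resp_headers 8192 32768
echo "with -p http_resp_hdr_len=64000:"
sample_response | check_resp_headers 64000 32768

# Against a real backend (placeholder URL, bypassing Varnish):
#   curl -s -D - -o /dev/null <backend-url> | check_resp_headers
```

An OVER_RESP_SIZE line means the header block as a whole is too large, which raising http_resp_hdr_len alone does not address.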