TLS and HTTP/2 VCL features
Fastly has added several variables that expose information about the TLS and HTTP/2 attributes of a request.
- h2.push() — Triggers an HTTP/2 server push of the asset passed into the function as the input-string.
- fastly_info.h2.is_push — Whether or not this request was a server-initiated request generated to create an HTTP/2 Server-pushed response.
- fastly_info.h2.stream_id — If the request was made over HTTP/2, the underlying HTTP/2 stream ID.
- fastly_info.is_h2 — Whether or not the request was made using HTTP/2.
- tls.client.cipher — The cipher suite used to secure the client TLS connection.
- tls.client.ciphers_list_sha — A SHA-1 digest of the raw buffer containing the list of supported ciphers, represented in Base64.
- tls.client.ciphers_list_txt — The list of ciphers supported by the client, rendered as text, in a colon-separated list.
- tls.client.ciphers_list — The list of ciphers supported by the client, as sent over the network, hex encoded.
- tls.client.ciphers_sha — A SHA-1 of the cipher suite identifiers sent from the client as part of the TLS handshake, represented in Base64.
- tls.client.protocol — The TLS protocol version this connection is speaking over.
- tls.client.servername — The Server Name Indication (SNI) the client sent in the
- tls.client.tlsexts_list_sha — A SHA-1 digest of the TLS extensions supported by the client as little-endian, 16-bit integers, represented in Base64.
- tls.client.tlsexts_list_txt — The list of TLS extensions supported by the client, rendered as text in a colon-separated list.
- tls.client.tlsexts_list — The list of TLS extensions supported by the client as little-endian, 16-bit, unsigned integers, hex encoded.
- tls.client.tlsexts_sha — A SHA-1 of the TLS extension identifiers sent from the client as part of the TLS handshake, represented in Base64.
When using these variables, remember the following:
- These variables are currently only allowed to appear within the VCL hooks
- Requests made with HTTP/2 will appear in custom logs as HTTP1.1 because those requests will already have been decrypted by the time Varnish sees them. Specifically, the %r variable will not accurately represent the type of HTTPX request being processed.
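The hex-encoded list variables and their digest counterparts can be cross-checked offline once they have been logged. The following is an added example, not Fastly's code: it decodes tls.client.ciphers_list and tls.client.tlsexts_list into 16-bit identifiers and recomputes the Base64 SHA-1 to compare with tls.client.ciphers_list_sha. It assumes the digest covers the bytes the hex string decodes to and that cipher identifiers are in network byte order; the record layout and sample values are constructed.

```python
import base64
import hashlib
import struct
from collections import Counter


def decode_ids(hex_value, byteorder):
    """Decode a hex-encoded list of 16-bit identifiers into (raw_bytes, ids)."""
    raw = bytes.fromhex(hex_value)  # ValueError on non-hex or odd-length input
    if len(raw) % 2:
        raise ValueError("buffer is not a whole number of 16-bit identifiers")
    fmt = (">" if byteorder == "big" else "<") + f"{len(raw) // 2}H"
    return raw, list(struct.unpack(fmt, raw))


def sha1_b64(raw):
    """SHA-1 of a raw buffer, Base64-encoded (the shape of the *_sha variables)."""
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def analyse(record):
    """Decode one logged record and check its digest against its cipher list."""
    # Assumption: "as sent over the network" means big-endian cipher suite IDs.
    raw, ciphers = decode_ids(record["tls.client.ciphers_list"], "big")
    # Extension byte order follows the page's description (little-endian).
    _, exts = decode_ids(record["tls.client.tlsexts_list"], "little")
    computed = sha1_b64(raw)
    return {"ciphers": ciphers, "extensions": exts, "ciphers_list_sha": computed,
            "digest_consistent": computed == record["tls.client.ciphers_list_sha"]}


def group_by_digest(records):
    """Count records per recomputed cipher-list digest."""
    return Counter(sha1_b64(decode_ids(r["tls.client.ciphers_list"], "big")[0])
                   for r in records)


# Constructed sample records: keys mirror the variable names, values are made up.
CIPHERS_HEX = "130113021303c02bc02f"
SAMPLE = [
    {"tls.client.ciphers_list": CIPHERS_HEX, "tls.client.tlsexts_list": "00000a000b000d00",
     "tls.client.ciphers_list_sha": sha1_b64(bytes.fromhex(CIPHERS_HEX))},
    # Digest of an empty buffer next to a non-empty list: an inconsistent record.
    {"tls.client.ciphers_list": CIPHERS_HEX, "tls.client.tlsexts_list": "00000a00",
     "tls.client.ciphers_list_sha": "2jmj7l5rSw0yVb/vlWAYkK/YBwk="},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(analyse(rec))
    print(group_by_digest(SAMPLE))
```

A record whose logged digest does not match its logged list points at truncation or a field mix-up in the log pipeline and should be excluded before clients are grouped by digest.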