Provided by: varnish-re2_2.0.0-1_amd64
NAME
vmod_re2 - Varnish Module for access to the Google RE2 regular expression engine
SYNOPSIS
import re2; # regex object interface new OBJECT = re2.regex(STRING pattern [, <regex options>]) BOOL <obj>.match(STRING) STRING <obj>.backref(INT ref) STRING <obj>.namedref(STRING name) STRING <obj>.sub(STRING text, STRING rewrite) STRING <obj>.suball(STRING text, STRING rewrite) STRING <obj>.extract(STRING text, STRING rewrite) INT <obj>.cost() # regex function interface BOOL re2.match(STRING pattern, STRING subject [, <regex options>]) STRING re2.backref(INT ref) STRING re2.namedref(STRING name) STRING re2.sub(STRING pattern, STRING text, STRING rewrite [, <regex options>]) STRING re2.suball(STRING pattern, STRING text, STRING rewrite [, <regex options>]) STRING re2.extract(STRING pattern, STRING text, STRING rewrite [, <regex options>]) INT re2.cost(STRING pattern [, <regex options>]) # set object interface new OBJECT = re2.set([ENUM anchor] [, <regex options>]) VOID <obj>.add(STRING [, BOOL save] [, BOOL never_capture] [, STRING string] [, BACKEND backend] [, INT integer] [,SUB sub]) BOOL <obj>.match(STRING) INT <obj>.nmatches() BOOL <obj>.matched(INT) INT <obj>.which([ENUM select]) STRING <obj>.string([INT n,] [ENUM select]) BACKEND <obj>.backend([INT n,] [ENUM select]) INT <obj>.integer([INT n] [, ENUM select]) SUB <obj>.subroutine([INT n] [, ENUM select]) BOOL <obj>.check_call([INT n] [, ENUM select]) STRING <obj>.sub(STRING text, STRING rewrite [, INT n] [, ENUM select]) STRING <obj>.suball(STRING text, STRING rewrite [, INT n] [, ENUM select]) STRING <obj>.extract(STRING text, STRING rewrite [, INT n] [, ENUM select]) BOOL <obj>.saved([ENUM {REGEX, STR, BE, INT, SUB} which] [, INT n] [, ENUM select]) VOID <obj>.hdr_filter(HTTP [, BOOL]) # utility function STRING re2.quotemeta(STRING) # VMOD version STRING re2.version()
DESCRIPTION
Varnish Module (VMOD) for access to the Google RE2 regular expression engine. Varnish VCL uses the PCRE library (Perl Compatible Regular Expressions) for its native regular expressions, which runs very efficiently for many common uses of pattern matching in VCL, as attested by years of successful use of PCRE with Varnish. But for certain kinds of patterns, the worst-case running time of the PCRE matcher is exponential in the length of the string to be matched. The matcher uses backtracking, implemented with recursive calls to the internal match() function. In principle there is no upper bound to the possible depth of backtracking and recursion, except as imposed by the varnishd runtime parameters pcre_match_limit and pcre_match_limit_recursion; matches fail if either of these limits are met. Stack overflow caused by deep backtracking has occasionally been the subject of varnishd issues. RE2 differs from PCRE in that it limits the syntax of patterns so that they always specify a regular language in the formally strict sense. Most notably, backreferences within a pattern are not permitted, for example (foo|bar)\1 to match foofoo and barbar, but not foobar or barfoo. See the link in SEE ALSO for the specification of RE2 syntax. This means that an RE2 matcher runs as a finite automaton, which guarantees linear running time in the length of the matched string. There is no backtracking, and hence no risk of deep recursion or stack overflow. The relative advantages and disadvantages of RE2 and PCRE is a broad subject, beyond the scope of this manual. See the references in SEE ALSO for more in-depth discussion. regex object and function interfaces The VMOD provides regular expression operations by way of the regex object interface and a functional interface. For regex objects, the pattern is compiled at VCL initialization time, and the compiled pattern is re-used for each invocation of its methods. Compilation failures (due to errors in the pattern) cause failure at initialization time, and the VCL fails to load. The .backref() and .namedref() methods refer back to the last invocation of the .match() method for the same object. The functional interface provides the same set of operations, but the pattern is compiled at runtime on each invocation (and then discarded). Compilation failures are reported as errors in the Varnish log. The backref() and namedref() functions refer back to the last invocation of the match() function, for any pattern. Compiling a pattern at runtime on each invocation is considerably more costly than re-using a compiled pattern. So for patterns that are fixed and known at VCL initialization, the object interface should be used. The functional interface should only be used for patterns whose contents are not known until runtime. set object interface set objects provide a shorthand for constructing patterns that consist of an alternation -- a group of patterns combined with | for "or". For example: import re2; sub vcl_init { new myset = re2.set(); myset.add("foo"); # Pattern 1 myset.add("bar"); # Pattern 2 myset.add("baz"); # Pattern 3 } myset.match(<string>) can now be used to match a string against the pattern foo|bar|baz. When a match is successful, the matcher has determined all of the patterns that matched. These can then be retrieved with the method .nmatches() for the number of matched patterns, and with .matched(n), which returns true if the nth pattern matched, where the patterns are numbered in the order in which they were added: if (myset.match("foobar")) { std.log("Matched " + myset.nmatches() + " patterns"); if (myset.matched(1)) { # Pattern /foo/ matched call do_foo; } if (myset.matched(2)) { # Pattern /bar/ matched call do_bar; } if (myset.matched(3)) { # Pattern /baz/ matched call do_baz; } } An advantage of alternations and sets with RE2, as opposed to an alternation in PCRE or a series of separate matches in an if-elsif-elsif sequence, comes from the fact that the matcher is implemented as a state machine. That means that the matcher progresses through the string to be matched just once, following patterns in the set that match through the state machine, or determining that there is no match as soon as there are no more possible paths in the state machine. So a string can be matched against a large set of patterns in time that is proportional to the length of the string to be matched. In contrast, PCRE matches patterns in an alternation one after another, stopping after the first matching pattern, or attempting matches against all of them if there is no match. Thus a match against an alternation in PCRE is not unlike an if-elsif-elsif sequence of individual matches, and requires the time needed for each individual match, overall in proportion with the number of patterns to be matched. Another advantage of the VMOD's set object is the ability to associate strings or backends with the patterns added to the set with the .add() method: sub vcl_init { new prefix = re2.set(anchor=start); prefix.add("/foo", string="www.domain1.com"); prefix.add("/bar", string="www.domain2.com"); prefix.add("/baz", string="www.domain3.com"); prefix.add("/quux", string="www.domain4.com"); new appmatcher = re2.set(anchor=start); appmatcher.add("/foo", backend=app1); appmatcher.add("/bar", backend=app2); appmatcher.add("/baz", backend=app3); appmatcher.add("/quux", backend=app4); } After a successful match, the string or backend associated with the matching pattern can be retrieved with the .string() and .backend() methods. This makes it possible, for example, to construct a redirect response or choose the backend with code that is both efficient and compact, even with a large set of patterns to be matched: # Use the prefix object to construct a redirect response from # a matching request URL. sub vcl_recv { if (prefix.match(req.url)) { # Pass the string associated with the matching pattern # to vcl_synth. return(synth(1301, prefix.string())); } } sub vcl_synth { # The string associated with the matching pattern is in # resp.reason. if (resp.status == 1301) { set resp.http.Location = "http://" + resp.reason + req.url; set resp.status = 301; set resp.reason = "Moved Permanently"; } } # Use the appmatcher object to choose a backend based on the # request URL prefix. sub vcl_recv { if (appmatcher.match(req.url)) { set req.backend_hint = appmatcher.backend(); } } regex options Where a pattern is compiled -- in the regex and set constructors, and in functions that require compilation -- options may be specified that can affect the interpretation of the pattern or the operation of the matcher. There are default values for each option, and it is only necessary to specify options in VCL that differ from the defaults. Options specified in a set constructor apply to all of the patterns in the resulting alternation. utf8 If true, characters in a pattern match Unicode code points, and hence may match more than one byte. If false, the pattern and strings to be matched are interpreted as Latin-1 (ISO 8859-1), and a pattern character matches exactly one byte. Default is false. Note that this differs from the RE2 default. posix_syntax If true, patterns are restricted to POSIX (egrep) syntax. Otherwise, the pattern syntax resembles that of PCRE, with some deviations. See the link in SEE ALSO for the syntax specification. Default is false. The options perl_classes, word_boundary and one_line are only consulted when this option is true. longest_match If true, the matcher searches for the longest possible match where alternatives are possible. Otherwise, search for the first match. For example with the pattern a(b|bb) and the string abb, abb matches when longest_match is true, and backref 1 is bb. Otherwise, ab matches, and backref 1 is b. Default is false. max_mem An upper bound (in bytes) for the size of the compiled pattern. If max_mem is too small, the matcher may fall back to less efficient algorithms, or the pattern may fail to compile. Default is the RE2 default (8MB), which should suffice for typical patterns. literal If true, the pattern is interpreted as a literal string, and no regex metacharacters (such as *, +, ^ and so forth) have their special meaning. Default is false. never_nl If true, the newline character \n in a string is never matched, even if it appears in the pattern. Default is false. dot_nl If true, then the dot character . in a pattern matches everything, including newline. Otherwise, . never matches newline. Default is false. never_capture If true, parentheses in a pattern are interpreted as non-capturing, and all invocations of the backref and namedref methods or functions will lead to VCL faillure (see ERRORS), including backref(0) after a successful match. Default is false, except for set objects, for which never_capture is always true (and cannot be changed), since back references are not possible with sets. case_sensitive If true, matches are case-sensitive. A pattern can override this option with the (?i) flag, unless posix_syntax is true. Default is true. The following options are only consulted when posix_syntax is true. If posix_syntax is false, then these features are always enabled and cannot be turned off. perl_classes If true, then the perl character classes \d, \s, \w, \D, \S and \W are permitted in a pattern. Default is false. word_boundary If true, the perl assertions \b and \B (word boundary and not a word boundary) are permitted. Default is false. one_line If true, then ^ and $ only match at the beginning and end of the string to be matched, regardless of newlines. Otherwise, ^ also matches just after a newline, and $ also matches just before a newline. Default is false. new xregex = re2.regex(STRING pattern, BOOL utf8, BOOL posix_syntax, BOOL longest_match, INT max_mem, BOOL literal, BOOL never_nl, BOOL dot_nl, BOOL never_capture, BOOL case_sensitive, BOOL perl_classes, BOOL word_boundary, BOOL one_line) new xregex = re2.regex( STRING pattern, BOOL utf8=0, BOOL posix_syntax=0, BOOL longest_match=0, INT max_mem=8388608, BOOL literal=0, BOOL never_nl=0, BOOL dot_nl=0, BOOL never_capture=0, BOOL case_sensitive=1, BOOL perl_classes=0, BOOL word_boundary=0, BOOL one_line=0 ) Create a regex object from pattern and the given options (or option defaults). If the pattern is invalid, then VCL will fail to load and the VCC compiler will emit an error message. Example: sub vcl_init { new domainmatcher = re2.regex("^www\.([^.]+)\.com$"); new maxagematcher = re2.regex("max-age\s*=\s*(\d+)"); # Group possible subdomains without capturing new submatcher = re2.regex("^www\.(domain1|domain2)\.com$", never_capture=true); } BOOL xregex.match(STRING) Returns true if and only if the compiled regex matches the given string; corresponds to VCL's infix operator ~. Example: if (myregex.match(req.http.Host)) { call do_on_match; } STRING xregex.backref(INT ref, STRING fallback) STRING xregex.backref( INT ref, STRING fallback="**BACKREF METHOD FAILED**" ) Returns the nth captured subexpression from the most recent successful call of the .match() method for this object in the same client or backend context, or a fallback string in case the capture fails. Backref 0 indicates the entire matched string. Thus this function behaves like the \n notation in the native VCL functions regsub and regsuball, and the $1, $2 ... variables in Perl. Since Varnish client and backend operations run in different threads, .backref() can only refer back to a .match() call in the same thread. Thus a .backref() call in any of the vcl_backend_* subroutines -- the backend context -- refers back to a previous .match() in any of those same subroutines; and a call in any of the other VCL subroutines -- the client context -- refers back to a .match() in the same client context. .backref() may return fallback after a successful match, if no captured group in the matching string corresponds to the backref number. For example, when the pattern (a|(b))c matches the string ac, there is no backref 2, since nothing matches b in the string. The default value of fallback is "**BACKREF METHOD FAILED**", but you may set another value (such as the empty string). After unsuccessful matches, .backref() invokes VCL failure (see ERRORS). .backref() always fails after a failed match, even if .match() had been called successfully before the failure. The VCL infix operators ~ and !~ do not affect this method, nor do the functions regsub or regsuball. Nor is it affected by the matches performed by any other method or function in this VMOD (such as the sub(), suball() or extract() methods or functions, or the set object's .match() method). .backref() invokes VCL failure under the following conditions, even if a previous match was successful and a substring could have been captured (see ERRORS): • The fallback string is undefined, for example if set from an unset header variable. • The never_capture option was set to true for this object. In this case, even .backref(0) fails after a successful match (otherwise, backref 0 always returns the full matched string). • ref (the backref number) is out of range, i.e. it is larger than the highest number for a capturing group in the pattern. • .match() was never called for this object prior to calling .backref(). • There is insufficient workspace for the string to be returned. Example: if (domainmatcher.match(req.http.Host)) { set req.http.X-Domain = domainmatcher.backref(1); } STRING xregex.namedref(STRING name, STRING fallback) STRING xregex.namedref( STRING name, STRING fallback="**NAMEDREF METHOD FAILED**" ) Returns the captured subexpression designated by name from the most recent successful call to .match() in the current context (client or backend). Named capturing groups are written in RE2 as: (?P<name>re). (Note that this syntax with P, inspired by Python, differs from the notation for named capturing groups in PCRE.) Thus when (?P<foo>.+)bar$ matches bazbar, then .namedref("foo") returns baz. Note that a named capturing group can also be referenced as a numbered group. So in the previous example, .backref(1) also returns baz. fallback is returned when the named reference did not match. The default fallback is "**NAMEDREF METHOD FAILED**". Like .backref(), .namedref() is not affected by native VCL regex operations, nor by any other matches performed by methods or functions of the VMOD, except for a prior .match() for the same object. .namedref() invokes VCL failure (see ERRORS) if: • The fallback string is undefined. • name is undefined or the empty string. • The never_capture option was set to true. • There is no such named group. • .match() was not called for this object. • There is insufficient workspace for the string to be returned. Example: sub vcl_init { new domainmatcher = re2.regex("^www\.(?P<domain>[^.]+)\.com$"); } sub vcl_recv { if (domainmatcher.match(req.http.Host)) { set req.http.X-Domain = domainmatcher.namedref("domain"); } } STRING xregex.sub(STRING text, STRING rewrite, STRING fallback) STRING xregex.sub( STRING text, STRING rewrite, STRING fallback="**SUB METHOD FAILED**" ) If the compiled pattern for this regex object matches text, then return the result of replacing the first match in text with rewrite. Within rewrite, \1 through \9 can be used to insert the the numbered capturing group from the pattern, and \0 to insert the entire matching text. This method corresponds to the VCL native function regsub(). fallback is returned if the pattern does not match text. The default fallback is "**SUB METHOD FAILED**". .sub() invokes VCL failure (see ERRORS) if: • Any of text, rewrite or fallback are undefined. • There is insufficient workspace for the rewritten string. Example: sub vcl_init { new bmatcher = re2.regex("b+"); } sub vcl_recv { # If Host contains "www.yabba.dabba.doo.com", then this will # set X-Yada to "www.yada.dabba.doo.com". set req.http.X-Yada = bmatcher.sub(req.http.Host, "d"); } STRING xregex.suball(STRING text, STRING rewrite, STRING fallback) STRING xregex.suball( STRING text, STRING rewrite, STRING fallback="**SUBALL METHOD FAILED**" ) Like .sub(), except that all successive non-overlapping matches in text are replaced with rewrite. This method corresponds to VCL native regsuball(). The default fallback is "**SUBALL METHOD FAILED**". .suball() fails under the same conditions as .sub(). Since only non-overlapping matches are substituted, replacing "ana" within "banana" only results in one substitution, not two. Example: sub vcl_init { new bmatcher = re2.regex("b+"); } sub vcl_recv { # If Host contains "www.yabba.dabba.doo.com", then set X-Yada to # "www.yada.dada.doo.com". set req.http.X-Yada = bmatcher.suball(req.http.Host, "d"); } STRING xregex.extract(STRING text, STRING rewrite, STRING fallback) STRING xregex.extract( STRING text, STRING rewrite, STRING fallback="**EXTRACT METHOD FAILED**" ) If the compiled pattern for this regex object matches text, then return rewrite with substitutions from the matching portions of text. Non-matching substrings of text are ignored. The default fallback is "**EXTRACT METHOD FAILED**". Like .sub() and .suball(), .extract() fails if: • Any of text, rewrite or fallback are undefined. • There is insufficient workspace for the rewritten string. Example: sub vcl_init { new email = re2.regex("(.*)@([^.]*)"); } sub vcl_deliver { # Sets X-UUCP to "kremvax!boris" set resp.http.X-UUCP = email.extract("boris@kremvax.ru", "\2!\1"); } INT xregex.cost() Return a numeric measurement > 0 for this regex object from the RE2 library. According to the RE2 documentation: ... a very approximate measure of a regexp's "cost". Larger numbers are more expensive than smaller numbers. The absolute numeric values are opaque and not relevant, but they are meaningful relative to one another -- more complex regexen have a higher cost than less complex regexen. This may be useful during development and optimization of regular expressions. Example: std.log("r1 cost=" + r1.cost() + " r_alt cost=" + r_alt.cost());
REGEX FUNCTIONAL INTERFACE
BOOL match(STRING pattern, STRING subject, BOOL utf8, BOOL posix_syntax, BOOL longest_match, INT max_mem, BOOL literal, BOOL never_nl, BOOL dot_nl, BOOL never_capture, BOOL case_sensitive, BOOL perl_classes, BOOL word_boundary, BOOL one_line) BOOL match( STRING pattern, STRING subject, BOOL utf8=0, BOOL posix_syntax=0, BOOL longest_match=0, INT max_mem=8388608, BOOL literal=0, BOOL never_nl=0, BOOL dot_nl=0, BOOL never_capture=0, BOOL case_sensitive=1, BOOL perl_classes=0, BOOL word_boundary=0, BOOL one_line=0 ) Like the regex.match() method, return true if pattern matches subject, where pattern is compiled with the given options (or default options) on each invocation. If pattern fails to compile, then VCL failure is invoked (see ERRORS). Example: # Match the bereq Host header against a backend response header if (re2.match(pattern=bereq.http.Host, subject=beresp.http.X-Host)) { call do_on_match; } STRING backref(INT ref, STRING fallback) STRING backref( INT ref, STRING fallback="**BACKREF FUNCTION FAILED**" ) Returns the nth captured subexpression from the most recent successful call of the match() function in the current client or backend context, or a fallback string if the capture fails. The default fallback is "**BACKREF FUNCTION FAILED**". Similarly to the regex.backref() method, fallback is returned if there is no captured group corresponding to the backref number. The function is not affected by native VCL regex operations, or any other method or function of the VMOD except for the match() function. The function invokes VCL failure under the same conditions as the corresponding method (see ERRORS): • fallback is undefined. • never_capture was true in the previous invocation of the match() function. • ref is out of range. • The match() function was never called in this context, or if the previous match() call failed (returned false). • The pattern failed to compile for the previous match() call. • There is insufficient workspace for the captured subexpression. Example: # Match against a pattern provided in a beresp header, and capture # subexpression 1. if (re2.match(pattern=beresp.http.X-Pattern, bereq.http.X-Foo)) { set beresp.http.X-Capture = re2.backref(1); } STRING namedref(STRING name, STRING fallback) STRING namedref( STRING name, STRING fallback="**NAMEDREF FUNCTION FAILED**" ) Returns the captured subexpression designated by name from the most recent successful call to the match() function in the current context, or fallback if the corresponding group did not match. The default fallback is "**NAMEDREF FUNCTION FAILED**". The function invokes VCL failure under the same conditions as the corresponding method (see ERRORS): • fallback is undefined. • name is undefined or the empty string. • The never_capture option was set to true. • There is no such named group. • match() was not called in this context, or the previous call failed. • The pattern failed to compile for the previous match() call. • There is insufficient workspace for the captured expression. Example: if (re2.match(beresp.http.X-Pattern-With-Names, bereq.http.X-Foo)) { set beresp.http.X-Capture = re2.namedref("foo"); } STRING sub(STRING pattern, STRING text, STRING rewrite, STRING fallback, BOOL utf8, BOOL posix_syntax, BOOL longest_match, INT max_mem, BOOL literal, BOOL never_nl, BOOL dot_nl, BOOL never_capture, BOOL case_sensitive, BOOL perl_classes, BOOL word_boundary, BOOL one_line) STRING sub( STRING pattern, STRING text, STRING rewrite, STRING fallback="**SUB FUNCTION FAILED**", BOOL utf8=0, BOOL posix_syntax=0, BOOL longest_match=0, INT max_mem=8388608, BOOL literal=0, BOOL never_nl=0, BOOL dot_nl=0, BOOL never_capture=0, BOOL case_sensitive=1, BOOL perl_classes=0, BOOL word_boundary=0, BOOL one_line=0 ) Compiles pattern with the given options, and if it matches text, then return the result of replacing the first match in text with rewrite. As with the regex.sub() method, \0 through \9 may be used in rewrite to substitute captured groups from the pattern. fallback is returned if the pattern does not match text. The default fallback is "**SUB FUNCTION FAILED**". sub() invokes VCL failure (see ERRORS) if: • pattern cannot be compiled. • Any of text, rewrite or fallback are undefined. • There is insufficient workspace for the rewritten string. Example: # If the beresp header X-Sub-Letters contains "b+", and Host contains # "www.yabba.dabba.doo.com", then set X-Yada to # "www.yada.dabba.doo.com". set beresp.http.X-Yada = re2.sub(beresp.http.X-Sub-Letters, bereq.http.Host, "d"); STRING suball(STRING pattern, STRING text, STRING rewrite, STRING fallback, BOOL utf8, BOOL posix_syntax, BOOL longest_match, INT max_mem, BOOL literal, BOOL never_nl, BOOL dot_nl, BOOL never_capture, BOOL case_sensitive, BOOL perl_classes, BOOL word_boundary, BOOL one_line) STRING suball( STRING pattern, STRING text, STRING rewrite, STRING fallback="**SUBALL FUNCTION FAILED**", BOOL utf8=0, BOOL posix_syntax=0, BOOL longest_match=0, INT max_mem=8388608, BOOL literal=0, BOOL never_nl=0, BOOL dot_nl=0, BOOL never_capture=0, BOOL case_sensitive=1, BOOL perl_classes=0, BOOL word_boundary=0, BOOL one_line=0 ) Like the sub() function, except that all successive non-overlapping matches in text are replace with rewrite. The default fallback is "**SUBALL FUNCTION FAILED**". The suball() function fails under the same conditions as sub(). Example: # If the beresp header X-Sub-Letters contains "b+", and Host contains # "www.yabba.dabba.doo.com", then set X-Yada to # "www.yada.dada.doo.com". set beresp.http.X-Yada = re2.suball(beresp.http.X-Sub-Letters, bereq.http.Host, "d"); STRING extract(STRING pattern, STRING text, STRING rewrite, STRING fallback, BOOL utf8, BOOL posix_syntax, BOOL longest_match, INT max_mem, BOOL literal, BOOL never_nl, BOOL dot_nl, BOOL never_capture, BOOL case_sensitive, BOOL perl_classes, BOOL word_boundary, BOOL one_line) STRING extract( STRING pattern, STRING text, STRING rewrite, STRING fallback="**EXTRACT FUNCTION FAILED**", BOOL utf8=0, BOOL posix_syntax=0, BOOL longest_match=0, INT max_mem=8388608, BOOL literal=0, BOOL never_nl=0, BOOL dot_nl=0, BOOL never_capture=0, BOOL case_sensitive=1, BOOL perl_classes=0, BOOL word_boundary=0, BOOL one_line=0 ) Compiles pattern with the given options, and if it matches text, then return rewrite with substitutions from the matching portions of text, ignoring the non-matching portions. The default fallback is "**EXTRACT FUNCTION FAILED**". The extract() function fails under the same conditions as sub() and suball(). Example: # If beresp header X-Params contains "(foo|bar)=(baz|quux)", and the # URL contains "bar=quux", then set X-Query to "bar:quux". set beresp.http.X-Query = re2.extract(beresp.http.X-Params, bereq.url, "\1:\2"); INT cost(STRING pattern, BOOL utf8, BOOL posix_syntax, BOOL longest_match, INT max_mem, BOOL literal, BOOL never_nl, BOOL dot_nl, BOOL never_capture, BOOL case_sensitive, BOOL perl_classes, BOOL word_boundary, BOOL one_line) INT cost( STRING pattern, BOOL utf8=0, BOOL posix_syntax=0, BOOL longest_match=0, INT max_mem=8388608, BOOL literal=0, BOOL never_nl=0, BOOL dot_nl=0, BOOL never_capture=0, BOOL case_sensitive=1, BOOL perl_classes=0, BOOL word_boundary=0, BOOL one_line=0 ) Like the .cost() method above, return a numeric measurement > 0 from the RE2 library for pattern with the given options. More complex regexen have a higher cost than less complex regexen. Invokes VCL failure if pattern cannot be compiled (see ERRORS). Example: std.log("simple cost=" + re2.cost("simple") + " complex cost=" + re2.cost("complex{1,128}")); new xset = re2.set(ENUM anchor, BOOL utf8, BOOL posix_syntax, BOOL longest_match, INT max_mem, BOOL literal, BOOL never_nl, BOOL dot_nl, BOOL case_sensitive, BOOL perl_classes, BOOL word_boundary, BOOL one_line) new xset = re2.set( ENUM {none, start, both} anchor=none, BOOL utf8=0, BOOL posix_syntax=0, BOOL longest_match=0, INT max_mem=8388608, BOOL literal=0, BOOL never_nl=0, BOOL dot_nl=0, BOOL case_sensitive=1, BOOL perl_classes=0, BOOL word_boundary=0, BOOL one_line=0 ) Initialize a set object that represents several patterns combined by alternation -- | for "or". Optional parameters control the interpretation of the resulting composed pattern. The anchor parameter is an enum that can have the values none, start or both, where none is the default. start means that each pattern is matched as if it begins with ^ for start-of-text, and both means that each pattern is anchored with both ^ at the beginning and $ for end-of-text at the end. none means that each pattern is interpreted as a partial match (although individual patterns within the set may have either of ^ of $). For example, if a set is initialized with anchor=both, and the patterns foo and bar are added, then matches against the set match a string against ^foo$|^bar$, or equivalently ^(foo|bar)$. The usual regex options can be set, which then control matching against the resulting composed pattern. However, the never_capture option cannot be set, and is always implicitly true, since backrefs and namedrefs are not possible with sets. Sets are compiled automatically when vcl_init finishes (or when the deprecated .compile() method is called). Compilation fails if any of the added patterns cannot be compiled, or if no patterns were added to the set. It may also fail if the max_mem setting is not large enough for the composed pattern. In that case, the VCL load will fail with an error message (then consider a larger value for max_mem in the set constructor). Example: sub vcl_init { # Initialize a regex set for partial matches # with default options new foo = re2.set(); # Initialize a regex set for case insensitive matches # with anchors on both ends (^ and $). new bar = re2.set(anchor=both, case_sensitive=false); # Initialize a regex set using POSIX syntax, but allowing # Perl character classes, and anchoring at the left (^). new baz = re2.set(anchor=start, posix_syntax=true, perl_classes=true); } VOID xset.add(STRING, [STRING string], [BACKEND backend], [BOOL save], [BOOL never_capture], [INT integer], [SUB sub]) VOID xset.add( STRING, [STRING string], [BACKEND backend], [BOOL save], [BOOL never_capture], [INT integer], [SUB sub] ) Add the given pattern to the set. If the pattern is invalid, .add() fails, and the VCL will fail to load, with an error message describing the problem. If values for the string, backend, integer and/or sub parameters are provided, then these values can be retrieved with the .string(), .backend(), .integer() and .subroutine() methods, respectively, as described below. This makes it possible to associate data with the added pattern after it matches successfully. By default the pattern is not associated with any such value. If save is true, then the given pattern is compiled and saved as a regex object, just as if the regex constructor described above is invoked. This object is stored internally in the set object as an independent matcher, separate from "compound" pattern formed by the set as an alternation of the patterns added to it. By default, save is false. When the .match() method on the set is successful, and one of the patterns that matched is associated with a saved internal regex object, then that object may be used for subsequent method invocations such as .sub() on the set object, whose meanings are the same as documented above for regex objects. Details are described below. When an internal regex object is saved (i.e. when save is true), it is compiled with the same options that were provided to the set object in the constructor. The never_capture option can also be set to false for the individual regex, even though it is implicitly set to true for the full set object (default is false). .add() MUST be called in vcl_init, and MAY NOT be called after .compile(). VCL failure is invoked if .add() is called in any other subroutine (see ERRORS). If it is called in vcl_init after .compile(), then the VCL load will fail with an error message. Note that .compile() is now unneccessary and deprecated. When the .matched(INT) method is called after a successful match, the numbering corresponds to the order in which patterns were added. The same is true of the INT arguments that may be given for methods such as .string(), .backend() or .sub(), as described below. Example: sub vcl_init { # literal=true means that the dots are interpreted as literal # dots, not "match any character". new hostmatcher = re2.set(anchor=both, case_sensitive=false, literal=true); hostmatcher.add("www.domain1.com"); hostmatcher.add("www.domain2.com"); hostmatcher.add("www.domain3.com"); } # See the documentation of the .string() and .backend() methods # below for uses of the parameters string and backend for .add(). VOID xset.compile() This method is deprecated, and will be removed in a future version. .compile() may be omitted, since compilation now happens automatically when vcl_init finishes. Compile the compound pattern represented by the set -- an alternation of all patterns added by .add(). Compilation may fail for any of the reasons described for automatic compilation of set objects as described above. .compile() MUST be called in vcl_init, and MAY NOT be called more than once for a set object. VCL failure is invoked if it is called in any other subroutine. If it is called a second time in vcl_init, the VCL load will fail. BOOL xset.match(STRING) Returns true if the given string matches the compound pattern represented by the set, i.e. if it matches any of the patterns that were added to the set. The matcher identifies all of the patterns that were added to the set and match the given string. These can be determined after a successful match using the .matched(INT) and .nmatches() methods described below. A match may also fail (leading to VCL failure) if the internal memory limit imposed by the max_mem parameter in the constructor is exceeded. (With the default value of max_mem, this ordinarily requires very large patterns and/or a very large string to be matched.) Since about version 2017-12-01, the RE2 library reports this condition. If matches fail due to the out-of-memory condition, increase the max_mem parameter in the constructor. Example: if (hostmatcher.match(req.http.Host)) { call do_when_a_host_matched; } BOOL xset.matched(INT) Returns true after a successful match if the nth pattern that was added to the set is among the patterns that matched, false otherwise. The numbering of the patterns corresponds to the order in which patterns were added in vcl_init, counting from 1. The method refers back to the most recent invocation of .match() for the same object in the same client or backend context. It always returns false, for every value of the parameter, if it is called after an unsuccessful match (.match() returned false). .matched() invokes VCL failure (see ERRORS) if: • The .match() method was not called for this object in the same client or backend scope. • The integer parameter is out of range; that is, if it is less than 1 or greater than the number of patterns added to the set. Example: if (hostmatcher.match(req.http.Host)) { if (hostmatcher.matched(1)) { call do_domain1; } if (hostmatcher.matched(2)) { call do_domain2; } if (hostmatcher.matched(3)) { call do_domain3; } } INT xset.nmatches() Returns the number of patterns that were matched by the most recent invocation of .match() for the same object in the same client or backend context. The method always returns 0 after an unsuccessful match (.match() returned false). If .match() was not called for this object in the same client or backend scope, .nmatches() invokes VCL failure (see ERRORS). Example: if (myset.match(req.url)) { std.log("URL matched " + myset.nmatches() + " patterns from the set"); } INT xset.which(ENUM {FIRST, LAST, UNIQUE} select=UNIQUE) Returns a number indicating which pattern in a set matched in the most recent invocation of .match() in the client or backend context. The number corresponds to the order in which patterns were added to the set in vcl_init, counting from 1. If exactly one pattern matched in the most recent .match() call (so that .nmatches() returns 1), and the select ENUM is set to UNIQUE, then the number for that pattern is returned. select defaults to UNIQUE, so it can be left out in this case. If more than one pattern matched in the most recent .match() call (.nmatches() > 1), then the select ENUM determines the integer that is returned. The values FIRST and LAST specify that, of the patterns that matched, the first or last one added via the .add() method is chosen, and the number for that pattern is returned. .which() invokes VCL failure (see ERRORS) if: • .match() was not called for the set in the current client or backend transaction, or if the previous call returned false. • More than one pattern in the set matched in the previous .match() call, but the select parameter is set to UNIQUE (or left out, since select defaults to UNIQUE). Examples: sub vcl_init { new myset = re2.set(); myset.add("foo"); # Pattern 1 myset.add("bar"); # Pattern 2 myset.add("baz"); # Pattern 3 myset.compile(); } sub vcl_recv { if (myset.match("bar")) { # myset.which() returns 2. } if (myset.which("foobaz")) { # myset.which() fails and returns 0, with a log # message indicating that 2 patterns # matched. # myset.which(FIRST) returns 1. # myset.which(LAST) returns 3. } if (myset.match("quux")) { # ... } else { # myset.which() fails and returns 0, with either or # no value for the select ENUM, with a log message # indicating that the previous .match() call was # unsuccessful. } STRING xset.string(INT n, ENUM select) STRING xset.string( INT n=0, ENUM {FIRST, LAST, UNIQUE} select=UNIQUE ) Returns the string associated with the nth pattern added to the set, or with the pattern in the set that matched in the most recent call to .match() in the same task scope (client or backend context). The string set with the string parameter of the .add() method during vcl_init is returned. The pattern is identified with the parameters n and select according to these rules, which also hold for all further set methods documented in the following. • If n > 0, then select the nth pattern added to the set with the .add() method, counting from 1. This identifies the nth pattern in any context, regardless of whether .match() was called previously, or whether a previous call returned true or false. The select parameter is ignored in this case. • If n <= 0, then select a pattern in the set that matched successfully in the most recent call to .match() in the same task scope. Since n is 0 by default, n can be left out for this purpose. • If n <= 0 and exactly one pattern in the set matched in the most recent invocation of .match() (and hence .nmatches() returns 1), and select is set to UNIQUE, then select that pattern. select defaults to UNIQUE, so when exactly one pattern in the set matched, both n and select can be left out. • If n <= 0 and more than one pattern matched in the most recent .match() call (.nmatches() > 1), then the selection of a pattern is determined by the select parameter. As with .which(), FIRST and LAST specify the first or last matching pattern added via the .add() method. For the pattern selected by these rules, return the string that was set with the string parameter in the .add() method that added the pattern to the set. .string() invokes VCL failure (see ERRORS) if: • The values of n and select are invalid: • n is greater than the number of patterns in the set. • n <= 0 (or left to the default), but .match() was not called earlier in the same task scope (client or backend context). • n <= 0, but the previous .match() call returned false. • n <= 0 and the select ENUM is UNIQUE (or default), but more than one pattern matched in the previous .match() call. This can be avoided by checking for .nmatches() == 1. • No string was associated with the pattern selected by n and select; that is, the string parameter was not set in the .add() call that added the pattern. This can be avoided by checking the .saved() method (see below). Examples: # Match the request URL against a set of patterns, and generate # a synthetic redirect response with a Location header derived # from the string assoicated with the matching pattern. # In the first example, exactly one pattern in the set matches. sub vcl_init { # With anchor=both, we specify exact matches. new matcher = re2.set(anchor=both); matcher.add("/foo/bar", "/baz/quux"); matcher.add("/baz/bar/foo", "/baz/quux/foo"); matcher.add("/quux/bar/baz/foo", "/baz/quux/foo/bar"); matcher.compile(); } sub vcl_recv { if (matcher.match(req.url)) { # Confirm that there was exactly one match if (matcher.nmatches() != 1) { return(fail); } # Divert to vcl_synth, sending the string associated # with the matching pattern in the "reason" field. return(synth(1301, matcher.string())); } } sub vcl_synth { # Construct a redirect response, using the path set in # resp.reason. if (resp.status == 1301) { set resp.http.Location = "http://otherdomain.org" + resp.reason; set resp.status = 301; set resp.reason = "Moved Permanently"; return(deliver); } } # In the second example, the patterns that may match have # common prefixes, and more than one pattern may match. We # add patterns to the set in a "more specific" to "less # specific" order, and we choose the most specific pattern # that matches, by specifying the first matching pattern in # the set. sub vcl_init { # With anchor=start, we specify matching prefixes. new matcher = re2.set(anchor=start); matcher.add("/foo/bar/baz/quux", "/baz/quux"); matcher.add("/foo/bar/baz", "/baz/quux/foo"); matcher.add("/foo/bar", "/baz/quux/foo/bar"); matcher.add("/foo", "/baz"); matcher.compile(); } sub vcl_recv { if (matcher.match(req.url)) { # Select the first matching pattern return(synth(1301, matcher.string(select=FIRST))); } } # vcl_synth is implemented as shown above BACKEND xset.backend(INT n, ENUM select) BACKEND xset.backend( INT n=0, ENUM {FIRST, LAST, UNIQUE} select=UNIQUE ) Returns the backend associated with the nth pattern added to the set, or with the pattern in the set that matched in the most recent call to .match() in the same task scope (client or backend context). The rules for selecting a pattern from the set and its associated backend based on n and select are the same as described above for .string(). .backend() invokes VCL failure under the same conditions described for .string() above -- n and select are invalid, or no backend was associated with the selected pattern with the .add() method (see ERRORS). Example: # Choose a backend based on the URL prefix. # In this example, assume that backends b1 through b4 # have been defined. sub vcl_init { # Use anchor=start to match prefixes. # The prefixes are unique, so exactly one will match. new matcher = re2.set(anchor=start); matcher.add("/foo", backend=b1); matcher.add("/bar", backend=b2); matcher.add("/baz", backend=b3); matcher.add("/quux", backend=b4); matcher.compile(); } sub vcl_recv { if (matcher.match(req.url)) { # Confirm that there was exactly one match if (matcher.nmatches() != 1) { return(fail); } # Set the backend hint to the backend associated # with the matching pattern. set req.backend_hint = matcher.backend(); } } INT xset.integer(INT n, ENUM select) INT xset.integer( INT n=0, ENUM {FIRST, LAST, UNIQUE} select=UNIQUE ) Returns the integer associated with the nth pattern added to the set, or with the pattern in the set that matched in the most recent call to .match() in the same task scope. The rules for selecting a pattern from the set and its associated integer based on n and select are the same as described above for .string(). .integer() invokes VCL failure under the same error conditions described for .string() above -- n and select are invalid, or no integer was associated with the selected pattern with the .add() method (see ERRORS). Example: # Generate redirect responses based on the Host header. In the # example, subdomains are removed in the new Location, and the # associated integer is used to set the redirect status code. sub vcl_init { # No more than one pattern can match the same string. So it # is safe to call .integer() with default select=UNIQUE in # vcl_recv below (no risk of VCL failure). new redir = re2.set(anchor=both); redir.add("www\.[^.]+\.foo\.com", integer=301, string="www.foo.com"); redir.add("www\.[^.]+\.bar\.com", integer=302, string="www.bar.com"); redir.add("www\.[^.]+\.baz\.com", integer=303, string="www.baz.com"); redir.add("www\.[^.]+\.quux\.com", integer=307, string="www.quux.com"); redir.compile(); } sub vcl_recv { if (redir.match(req.http.Host)) { # Construct a Location header that will be used in the # synthetic redirect response. set req.http.Location = "http://" + redir.string() + req.url; # Set the response status from the associated integer. return( synth(redir.integer()) ); } } sub vcl_synth { if (resp.status >= 301 && resp.status <= 307) { # We come here from the synth return for the redirect # response. The status code was set from .integer(). set resp.http.Location = req.http.Location; return(deliver); } } STRING xset.sub(STRING text, STRING rewrite, STRING fallback, INT n, ENUM select) STRING xset.sub( STRING text, STRING rewrite, STRING fallback="**SUB METHOD FAILED**", INT n=0, ENUM {FIRST, LAST, UNIQUE} select=UNIQUE ) Returns the result of the method call .sub(text, rewrite, fallback), as documented above for the regex interface, invoked on the nth pattern added to the set, or on the pattern in the set that matched in the most recent call to .match() in the same task scope. .sub() requires that the pattern it identifies was saved as an internal regex object, by setting save to true when it was added with the .add() method. The associated pattern is determined by n and select according to the rules given above. If an internal regex object was saved for that pattern, then the result of the .sub() method invoked on that object is returned. .sub() invokes VCL failkure (see ERRORS) if: • The values of n and select are invalid, according to the rules given above. • save was false in the .add() method for the pattern identified by n and select; that is, no internal regex object was saved on which the .sub() method could have been invoked. • The .sub() method invoked on the regex object fails for any of the reasons described for regex.sub(). Examples: # Generate synthethic redirect responses on URLs that match a set of # patterns, rewriting the URL according to the matched pattern. # In this example, we set the new URL in the redirect location to # the path that comes after the prefix of the original req.url. sub vcl_init { new matcher = re2.set(anchor=start); matcher.add("/foo/(.*)", save=true); matcher.add("/bar/(.*)", save=true); matcher.add("/baz/(.*)", save=true); matcher.compile(); } sub vcl_recv { if (matcher.match(req.url)) { if (matcher.nmatches() != 1) { return(fail); } return(synth(1301)); } } sub vcl_synth { if (resp.status == 1301) { # matcher.sub() rewrites the URL to the subpath after the # original prefix. set resp.http.Location = "http://www.otherdomain.org" + matcher.sub(req.url, "/\1"); return(deliver); } } STRING xset.suball(STRING text, STRING rewrite, STRING fallback, INT n, ENUM select) STRING xset.suball( STRING text, STRING rewrite, STRING fallback="**SUBALL METHOD FAILED**", INT n=0, ENUM {FIRST, LAST, UNIQUE} select=UNIQUE ) Like the .sub() method, this returns the result of calling .suball(text, rewrite, fallback) from the regex interface on the nth pattern added to the set, or the pattern that most recently matched in a .match() call. .suball() is subject to the same conditions as the .sub() method: • The pattern to which it is applied is identified by n and select according to the rules given above. • It fails if: • The pattern that it identifies was not saved with .add(save=true). • The values of n or select are invalid. • The .suball() method invoked on the saved regex object fails. Example: # In any URL that matches one of the words given below, replace all # occurrences of the matching word with "quux" (for example to # rewrite path components or elements of query strings). sub vcl_init { new matcher = re2.set(); matcher.add("\bfoo\b", save=true); matcher.add("\bbar\b", save=true); matcher.add("\bbaz\b", save=true); matcher.compile(); } sub vcl_recv { if (matcher.match(req.url)) { if (matcher.nmatches() != 1) { return(fail); } set req.url = matcher.suball(req.url, "quux"); } } STRING xset.extract(STRING text, STRING rewrite, STRING fallback, INT n, ENUM select) STRING xset.extract( STRING text, STRING rewrite, STRING fallback="**EXTRACT METHOD FAILED**", INT n=0, ENUM {FIRST, LAST, UNIQUE} select=UNIQUE ) Like the .sub() and .suball() methods, this method returns the result of calling .extract(text, rewrite, fallback) from the regex interface on the nth pattern added to the set, or the pattern that most recently matched in a .match() call. .extract() is subject to the same conditions as the other rewrite methods: • The pattern to which it is applied is identified by n and select according to the rules given above. • It fails if: • The pattern that it identifies was not saved with .add(save=true). • The values of n or select are invalid. • The .extract() method invoked on the saved regex object fails. Example: # Rewrite any URL that matches one of the patterns in the set # by exchanging the path components. sub vcl_init { new matcher = re2.set(anchor=both); matcher.add("/(foo)/(bar)/", save=true); matcher.add("/(bar)/(baz)/", save=true); matcher.add("/(baz)/(quux)/", save=true); matcher.compile(); } sub vcl_recv { if (matcher.match(req.url)) { if (matcher.nmatches() != 1) { return(fail); } set req.url = matcher.extract(req.url, "/\2/\1/"); } } SUB xset.subroutine(INT n, ENUM select) SUB xset.subroutine( INT n=0, ENUM {FIRST, LAST, UNIQUE} select=UNIQUE ) Returns the subroutine set by the sub parameter for the element of the set indicated by n and select, according to the rules given above. The subroutine may be invoked with VCL call. Note: you must ensure that the subroutine may invoked legally in the context in which it is called. This means that: • The subroutine may only refer to VCL elements that are legal in the invocation context. For example, if the subroutine only refers to headers in req.http.*, then it may be called in vcl_recv, but not if it refers to any header in resp.http.*. See vcl-var(7) for the specification of which VCL variables may be used in which contexts. • Recursive subroutine calls are not permitted in VCL. The subroutine invocation may not appear anywhere in its own call stack. For standard subroutine invocations with call, the VCL compiler checks these conditions and issues a compile-time error if either one is violated. This is not possible with invocations using .subroutine(); the error can only be determined at runtime. So it is advisable to test the use of .subroutine() carefully before using it in production. You can use the .check_call() method described below to determine if the subroutine call is legal. .subroutine() invokes VCL failure (See ERRORS) if: • The rules for n and select indicate failure. • No subroutine was set with the sub parameter in .add(). • The subroutine is invoked with call, but the call is not legal in the invocation context, for the reasons given above. Example: # Due to the use of resp.http.*, this subroutine may only be invoked # in vcl_deliver or vcl_synth, as documented in vcl-var(7). Note # that subroutine definitions must appear before vcl_init to # permitted for the sub parameter in .add(). sub resp_sub { set resp.http.Call-Me = "but only in deliver or synth"; } sub vcl_init { new myset = re2.set(); myset.add("/foo", sub=resp_sub); myset.add("/foo/bar", sub=some_other_sub); # ... } sub vcl_deliver { if (myset.match(req.url)) { call myset.subroutine(select=FIRST); } } BOOL xset.check_call(INT n, ENUM select) BOOL xset.check_call( INT n=0, ENUM {FIRST, LAST, UNIQUE} select=UNIQUE ) Returns true iff the subroutine returned by .subroutine() for the element of the set indicated by n and select may be invoked legally in the current context. The conditions for legal invocation are documented for .subroutine() above. .check_call() never invokes VCL failure, but rather returns false under conditions for which the use of .subroutine() would invoke VCL failure. In that case, a message is emitted to the Vanrish log using the Notice tag (the same message that would appear with the VCL_Error tag if the subroutine were called). Notice messages in the log produced by this VMOD are always prefixed with the string `` vmod_re2: `` . System Message: WARNING/2 (vmod_re2.man.rst:, line 1748) Inline literal start-string without end-string. System Message: WARNING/2 (vmod_re2.man.rst:, line 1748) Inline literal start-string without end-string. Example: # Assume that myset is declared as in the example above. sub vcl_deliver { if (myset.match(req.url)) { if (myset.check_call(select=FIRST)) { call myset.subroutine(select=FIRST); } else { call do_if_resp_sub_is_illegal; } } } BOOL xset.saved(ENUM which, INT n, ENUM select) BOOL xset.saved( ENUM {REGEX, STR, BE, INT, SUB} which=REGEX, INT n=0, ENUM {FIRST, LAST, UNIQUE} select=UNIQUE ) Returns true if and only if an object of the type indicated by which was saved at initialization time for the nth pattern added to the set, or for the pattern indicated by select after the most recent .match() call. In other words, .saved() returns true: • for which=REGEX if the individual regex was saved with .add(save=true) for the indicated pattern • for which=STR if a string was stored with the string parameter in .add() • for which=BE if a backend was stored with the backend attribute. • for which=INT if an integer was stored with the integer attribute. • for which=SUB if an integer was stored with the sub attribute. The default value of which is REGEX. The pattern in the set is identified by n and select according to the rules given above. .saved() invokes VCL failure if the values of n or select are invalid (see ERRORS). Example: sub vcl_init { new s = re2.set(); s.add("1", save=true, string="1", backend=b1); s.add("2", save=true, string="2"); s.add("3", save=true, backend=b3); s.add("4", save=true); s.add("5", string="5", backend=b5); s.add("6", string="6"); s.add("7", backend=b7); s.add("8"); s.compile(); } # Then the following holds for this set: # s.saved(n=1) == true # for any value of which # s.saved(which=REGEX, n=2) == true # s.saved(which=STR, n=2) == true # s.saved(which=BE, n=2) == false # s.saved(which=REGEX, n=3) == true # s.saved(which=STR, n=3) == false # s.saved(which=BE, n=3) == true # s.saved(which=REGEX, n=4) == true # s.saved(which=STR, n=4) == false # s.saved(which=BE, n=4) == false # s.saved(which=REGEX, n=5) == false # s.saved(which=STR, n=5) == true # s.saved(which=BE, n=5) == true # s.saved(which=REGEX, n=6) == false # s.saved(which=STR, n=6) == true # s.saved(which=BE, n=6) == false # s.saved(which=REGEX, n=7) == false # s.saved(which=STR, n=7) == false # s.saved(which=BE, n=7) == true # s.saved(n=8) == false # for any value of which if (s.match("4")) { # The fourth pattern has been uniquely matched. # So in this context: s.saved() == true # Since save=true was used in .add() for the 4th pattern, # and which=REGEX by default. } VOID xset.hdr_filter(HTTP, BOOL whitelist=1) Filters the headers in the HTTP object, which may be one of req, resp, bereq, or beresp. In other words, filter the headers in the client or backend request or response. If whitelist is true, then headers that match one of the patterns in the set are retained, and all other headers are removed. Otherwise, headers that match a pattern in the set are removed, and all others are retained. By default, whitelist is true. Example: sub vcl_init { # Header whitelist new white = re2.set(anchor=start); white.add("Foo:"); white.add("Bar:"); white.add("Baz: baz$"); white.compile(); # Header blacklist new black = re2.set(anchor=start); black.add("Chaotic:"); black.add("Evil:"); black.add("Wicked: wicked$"); black.compile(); } sub vcl_recv { # Filter the client request header with the whitelist. # Headers that do not match any pattern in the set are removed. white.hdr_filter(req); } sub vcl_deliver { # Filter the client response header with the blacklist. # Headers that match any pattern in the set are removed. black.hdr_filter(resp, false); } STRING quotemeta(STRING) Returns a copy of the argument string with all regex metacharacters escaped via backslash. When the returned string is used as a regular expression, it will exactly match the original string, regardless of any special characters. This function has a purpose similar to a \Q..\E sequence within a regex, or the literal=true setting in a regex constructor. The function invokes VCL failure if there is insufficient workspace for the return string (see ERRORS). Example: # The following are always true: re2.quotemeta("1.5-2.0?") == "1\.5\-2\.0\?" re2.match(re2.quotemeta("1.5-2.0?"), "1.5-2.0?") STRING version() Return the version string for this VMOD. Example: std.log("Using VMOD re2 version: " + re2.version());
ERRORS
Functions and methods of the VMOD may invoke VCL failure under unrecoverable error conditions. The effects of VCL failure depend on the VCL subroutine in which it takes place: • If invoked during vcl_init, then the VCL load fails, and an error message is returned over the CLI (reported by varnishadm(1)). • If invoked during any other subroutine besides vcl_synth, then an error message is recorded in the log with the VCL_Error tag, further processing is aborted immediately, and a response with status 503 (Service Not Available) is returned with the reason string "VCL failed". • If invoked during vcl_synth, then further processing is aborted, the error message is logged with VCL_Error, and the client connection is immediately closed -- the client receives no response. Errors that lead to VCL failure include: • Any regex compilation failure. • Out of workspace errors (see LIMITATIONS). • Failures reported by the RE2 library for: matches, backrefs, namedrefs, the rewrite operations (sub, suball and extract), the .cost() function or method, and the .quotemeta() function. The VMOD detects most common errors that would lead to library errors, and invokes VCL failure in such cases without calling the library. But library errors may happen under conditions such as out of memory. • Functions and methods that require a previous successful match when there was no prior match, or when the previous match was unsuccessful. These include backrefs, namedrefs, and the data retrieval methods for set objects. • Any of the following parameters are undefined, for example when set from an unset header: fallbacks; patterns for the regex functions (which are compiled at runtime); the text and rewrite parameters for rewrite operations; the name parameter for namedrefs. • The name parameter for namedrefs is the empty string. • Backref number is out of range (greater than the number of backrefs in the pattern). • Backref or namedref attempted when the never_capture option was set to true for the pattern. • For set objects: • Numeric index (parameter n) is out of range (greater than the number of patterns in the set). • Use of select=UNIQUE after more than one pattern was matched. The .nmatches() can be used to check for this condition, to avoid VCL failure -- UNIQUE will fail in .namtches() > 1. • Retrieval of data from a set (such as a string, backend etc) by numeric index (n) or "associatively" (after a match) when no such object was saved for the corresponding pattern. Use the .saved() and .check_call() methods to check for this. • Calling the subroutine returned by .subrooutine() may be illegal, if it is not permitted in the subroutine from which it is called, or if it would lead to recursive calls. Use the .check_call() method to check for this.
REQUIREMENTS
The VMOD requires Varnish since version 6.6, or the master branch. See the source repository for versions of the VMOD that are compatible with other Varnish versions. It requires the RE2 library, and has been tested against RE2 versions since 2015-06-01 (through 2021-04-01 at the time of writing). If the VMOD is built against versions of RE2 since 2017-12-01, it uses a version of the set match operation that reports out-of-memory conditions during a match. (Versions of RE2 since June 2019 no longer have this error, but nevertheless the different internal call is used for set matches.) In that case, the VMOD is not compatible with earlier versions of RE2. This is only a problem if the runtime version of the library differs from the version against which the VMOD was built. If you encounter this error, consider re-building the VMOD against the runtime version of RE2, or installing a newer version of RE2.
INSTALLATION
See INSTALL.rst in the source repository.
LIMITATIONS
The VMOD allocates Varnish workspace for captured groups and rewritten strings. If operations fail with "insufficient workspace" error messages in the Varnish log (with the VCL_Error tag), increase the varnishd runtime parameters workspace_client and/or workspace_backend. The RE2 documentation states that successful matches are slowed quite a bit when they also capture substrings. There is also additional overhead from the VMOD, unless the never_capture flag is true, to manage data about captured groups in the workspace. This overhead is incurred even if there are no capturing expressions in a pattern, since it is always possible to call backref(0) to obtain the matched portion of a string. So if you are using a pattern only to match against strings, and never to capture subexpressions, consider setting the never_capture option to true, to eliminate the extra work for both RE2 and the VMOD.
AUTHOR
• Geoffrey Simmons <geoff@uplex.de> UPLEX Nils Goroll Systemoptimierung
SEE ALSO
• varnishd(1) • vcl(7) • VMOD source repository: https://code.uplex.de/uplex-varnish/libvmod-re2 • Gitlab mirror: https://gitlab.com/uplex/varnish/libvmod-re2 • RE2 git repo: https://github.com/google/re2 • RE2 syntax: https://github.com/google/re2/wiki/Syntax • "Implementing Regular Expressions": https://swtch.com/~rsc/regexp/ • Series of articles motivating the design of RE2, with discussion of how RE2 compares with PCRE
COPYRIGHT
Copyright (c) 2016-2018 UPLEX Nils Goroll Systemoptimierung All rights reserved Author: Geoffrey Simmons <geoffrey.simmons@uplex.de> See LICENSE VMOD_RE2(3)