Update ordering of GOV.UK Chat matching rules

We do some stuff with cookies on requests coming to GOV.UK Chat, but the ordering is currently wrong and so sometimes cookies are being stripped before we get to these rules.
alphagov · Nov 21, 2024 · 35f196b · 35f196b
1 parent 2b77369
commit 35f196b
Showing 1 changed file with 19 additions and 19 deletions.
diff --git a/www/www.vcl.tftpl b/www/www.vcl.tftpl
@@ -363,6 +363,20 @@ sub vcl_recv {
 
   ${indent(2, ab_tests_rendered)}
 
+  # Strip cookies for requests to /chat or /chat/* that lack a session cookie,
+  # otherwise pass through
+  if (req.url.path ~ "^/chat(/.*)?$") {
+    if (req.http.cookie:_govuk_chat_session) {
+      return(pass);
+    # These endpoints make use of HEAD requests and we don't want these
+    # to be converted to GET requests (https://www.fastly.com/documentation/reference/vcl/subroutines/recv/)
+    } elsif (req.url ~ "^/chat/(sign-in|unsubscribe)" && req.request == "HEAD") {
+      return(pass);
+    } else {
+      unset req.http.Cookie;
+    }
+  }
+
   # Strip cookies from inbound requests. Corresponding rule in vcl_fetch{}
   # For simplicity and security most applications should not use cookies.
   # With the exception of:
@@ -380,20 +394,6 @@ sub vcl_recv {
   }
 %{ endif ~}
 
-  # Strip cookies for requests to /chat or /chat/* that lack a session cookie,
-  # otherwise pass through
-  if (req.url.path ~ "^/chat(/.*)?$") {
-    if (req.http.cookie:_govuk_chat_session) {
-      return(pass);
-    # These endpoints make use of HEAD requests and we don't want these
-    # to be converted to GET requests (https://www.fastly.com/documentation/reference/vcl/subroutines/recv/)
-    } elsif (req.url ~ "^/chat/(sign-in|unsubscribe)" && req.request == "HEAD") {
-      return(pass);
-    } else {
-      unset req.http.Cookie;
-    }
-  }
-
   if (req.url.path ~ "^\/assets(\/.*)?\z") {
     set req.backend = F_staticAssetsS3;
     set req.http.host = "${s3_static_assets_hostname}";
@@ -510,16 +510,16 @@ sub vcl_fetch {
     }
   }
 
-  # Strip cookies from outbound requests. Corresponding rule in vcl_recv{}
-  if (req.url !~ "^/(apply-for-a-licence|email|sign-in/callback/)") {
-    unset beresp.http.Set-Cookie;
-  }
-
   # We don't want to cache any /chat or /chat/* responses that set a cookie
   if (req.url.path ~ "^/chat(/.*)?$" && beresp.http.Set-Cookie) {
     return (pass);
   }
 
+  # Strip cookies from outbound requests. Corresponding rule in vcl_recv{}
+  if (req.url !~ "^/(apply-for-a-licence|email|sign-in/callback/)") {
+    unset beresp.http.Set-Cookie;
+  }
+
   # Override default.vcl behaviour of return(pass).
   if (beresp.http.Set-Cookie) {
     return (deliver);