Varnish returns incorrect backend content from User-Agent rule


I have a simple rule that redirects traffic to a special backend if the User-Agent matches globalsign or if the request URL starts with /globalsign. I have noticed that on rare occasions Varnish returns content from the special backend incorrectly. It seems to happen randomly and is not repeatable.

// Send GlobalSign traffic to the dgs1 director: matches a User-Agent containing
// "globalsign" (case-insensitive) or a URL starting with /globalsign, and
// rewrites the request URL to "/" before handing off.
// NOTE(review): User-Agent is client-supplied, so this rule is routing only and
// must not be relied on as access control for the special backend.
// NOTE(review): return(pipe) hands the whole client connection to the backend;
// later requests on the same keep-alive connection are not evaluated by this
// rule again.
if (req.http.user-agent ~ "(?i)globalsign" ||  req.url ~ "^/globalsign" ) {
    set req.url = "/";
    set req.backend = dgs1;
    return(pipe);
}

backend rules

    // Default origin server.
    backend b1 {
        // backend 1
        .host = "10.8.8.16";
        .port = "80";
        // Health probe: GET /service_up every 5s with a 1s timeout; the backend
        // counts as healthy when at least 8 of the last 10 probes succeeded.
        .probe = {
            .url = "/service_up";
            .timeout = 1s;
            .interval = 5s;
            .window = 10;
            .threshold = 8;
        }
    }

    // Special backend that serves the GlobalSign requests.
    backend gs1 {
        // host for globalsign traffic
        .host = "10.8.8.15";
        .port = "80";
        // Same probe as b1, but with a 5s timeout (equal to the probe interval).
        .probe = {
            .url = "/service_up";
            .timeout = 5s;
            .interval = 5s;
            .window = 10;
            .threshold = 8;
        }
    }

    // Random director with gs1 as its only member, so every request routed to
    // dgs1 goes to gs1.
    director dgs1 random {
        {
            .backend =   gs1;
            .weight  = 1;
        }
    }

    // Random director with b1 as its only member; vcl_recv uses it as the default.
    director d01 random {
        {
            .backend =   b1;
            .weight  = 1;
        }
    }

full vcl

include "backends.vcl";
include "bans.vcl";
include "acl.vcl";

// Request entry point: choose the backend and decide between lookup, pipe and pass.
sub vcl_recv {

    // Default to the d01 director; the GlobalSign rule below overrides it.
    set req.backend = d01;
    // The health-check URL is the only request that goes through cache lookup.
    // NOTE(review): this check runs before the evil_networks ACL, so /service_up
    // is answered for blocked networks as well.
    if( req.url ~ "^/service_up" ) {
        return(lookup);
    }

    // Reject clients matched by the evil_networks ACL (presumably defined in acl.vcl).
    if(client.ip ~ evil_networks){
        error 403 "forbidden";
    }

    // GlobalSign traffic: rewrite the URL to "/" and hand the connection to dgs1.
    // NOTE(review): User-Agent is client-supplied, so any client can select this
    // backend; treat the rule as routing, not as access control.
    // NOTE(review): return(pipe) stops per-request processing for this client
    // connection. Further requests on the same keep-alive connection are not
    // evaluated by vcl_recv, so neither the backend choice nor the URL rewrite is
    // re-applied to them.
    if (req.http.user-agent ~ "(?i)globalsign" ||  req.url ~ "^/globalsign" ) {
        set req.url = "/";
        set req.backend = dgs1;
        return(pipe);
    }

    // Everything else is passed to the backend without a cache lookup.
    // NOTE(review): as posted, this statement has no terminating ';' (possibly
    // lost in the paste); VCL needs one here to compile.
    return(pass) }

// Backend response handling: set grace and TTL and decide what may carry cookies.
sub vcl_fetch {
    set beresp.grace = 24h;

    // Error responses are marked hit-for-pass rather than stored as normal objects.
    if (beresp.status >= 400) {
         return (hit_for_pass);
    }

    // Crawlers: strip Set-Cookie and keep the response for 5 days.
    // NOTE(review): unlike the GlobalSign rule, this regex has no (?i), so it only
    // matches lowercase tokens as written; "bot" is listed twice.
    if (req.http.user-agent ~ "(googlebot|msnbot|yandex|slurp|bot|crawl|bot|baid|mediapartners-google)") {
        unset beresp.http.set-cookie;
        set beresp.ttl = 5d;
        return (deliver);
    }
    // Stylesheets, XML and text files: 5 day TTL, Set-Cookie removed.
    // NOTE(review): the method is compared with lowercase "get"; request methods
    // normally arrive as "GET", so confirm this branch can match (the case may
    // have been altered in the paste).
    if (req.request == "get" && req.url ~ "\.(css|xml|txt)$") {
        set beresp.ttl = 5d;
        unset beresp.http.set-cookie;
        return (deliver);
    }
    // Images, fonts, scripts and other media: same treatment ("ico" is listed twice).
    if (req.request == "get" && req.url ~ "\.(gif|jpg|jpeg|bmp|png|tiff|tif|ico|img|tga|woff|eot|ttf|svg|wmf|js|swf|ico)$") {
        unset beresp.http.set-cookie;
        set beresp.ttl = 5d;
        return (deliver);
    }
    // Fallthrough: 5 day TTL with Set-Cookie left in place.
    // NOTE(review): if a response on this path is ever stored (vcl_recv currently
    // passes almost everything), a Set-Cookie header would be replayed to other
    // clients for the lifetime of the object. Confirm this is intended.
    set beresp.ttl = 5d;
    return (deliver);
}

include "errors.vcl";

// Delivery hook: sends the response to the client without further changes.
sub vcl_deliver {

    return(deliver);
}

I guess return(pipe); is the suspect one.

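If you have a keep-alive HTTP client that makes one request with the globalsign User-Agent or the /globalsign URL, all subsequent requests on that connection will be piped to dgs1 even if they do not meet the criteria. Once a connection is piped, Varnish only shuttles bytes between client and backend and no longer runs vcl_recv on it.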

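Try to avoid piping if possible; it is a common source of a lot of hard-to-track issues, and possibly a security hole too. Here return(pass) would still send the request to dgs1 while evaluating every request separately; if pipe is really needed, set bereq.http.connection = "close" in vcl_pipe so the piped connection is not reused.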

