

I currently use a modified version of the Varnish Drupal vcl file from the smart folks at Lullabot. Their vcl works great overall and I'm quite happy with its cache hit rate performance while being transparent to customers. Recently I encountered issues where logging in via HTTPS caused an access denied issue.
Background
Drupal 7 sets different cookie prefixes to avoid session hijacking. When a user logs in on a regular HTTP connection, Drupal sets a cookie whose name is prefixed with SESS, resulting in a name such as "SESS380c7d0a9d6f5cb6162ca908737ad01f". When a new session is initiated via SSL, the cookie is prefixed with SSESS instead, giving a similar name such as "SSESS380c7d0a9d6f5cb6162ca908737ad01f". The Lullabot vcl file strips a series of unnecessary cookies to ensure a high cache-hit ratio for Varnish.
Unfortunately, the stripped cookies include the cookie prefixed with SSESS for secure connections. As a result, users authenticating via non-SSL connections experience no issues, while SSL-authenticated users experience problems.
The Fix
To fix the issue, include the following line within your vcl:

    set req.http.Cookie = regsuball(req.http.Cookie, ";(SSESS[a-z0-9]+|NO_CACHE)=", "; \1=");
If you're using the default VCL by Lullabot, I have included a download of the SSL-compatible version.
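The effect of that line can be checked offline. The following Python simulation is an added example, not code from the original post or from Lullabot's VCL; the surrounding whitelist steps and the SESS-only pattern are assumptions about how the stock VCL filters cookies, and the request headers are constructed samples.

```python
import re

# Whitelist patterns. KEEP_HTTP is an assumption about the stock VCL;
# KEEP_HTTPS is the pattern from the line given in the post.
KEEP_HTTP = r";(SESS[a-z0-9]+|NO_CACHE)="
KEEP_HTTPS = r";(SSESS[a-z0-9]+|NO_CACHE)="


def filter_cookies(header, keep_patterns):
    """Mimic a chain of VCL regsuball() calls on a Cookie header (assumed steps)."""
    c = ";" + header                          # give every cookie a leading ';'
    c = re.sub(r"; +", ";", c)                # drop the spaces after each ';'
    for pat in keep_patterns:
        c = re.sub(pat, r"; \1=", c)          # mark whitelisted cookies with '; '
    c = re.sub(r";[^ ][^;]*", "", c)          # strip every cookie left unmarked
    return re.sub(r"^[; ]+|[; ]+$", "", c)    # trim leftover separators


SID = "380c7d0a9d6f5cb6162ca908737ad01f"      # cookie name suffix quoted in the post
# Constructed sample headers: one plain-HTTP session, one SSL session.
HTTP_REQ = f"has_js=1; SESS{SID}=abc123; _ga=GA1.2.3"
HTTPS_REQ = f"has_js=1; SSESS{SID}=abc123; _ga=GA1.2.3"


def demo():
    """Return what reaches the backend in each case."""
    return {
        "http, SESS-only whitelist": filter_cookies(HTTP_REQ, [KEEP_HTTP]),
        "https, SESS-only whitelist": filter_cookies(HTTPS_REQ, [KEEP_HTTP]),
        "https, with SSESS line": filter_cookies(HTTPS_REQ, [KEEP_HTTP, KEEP_HTTPS]),
    }


if __name__ == "__main__":
    for case, cookie in demo().items():
        print(f"{case:28} -> {cookie!r}")
```

With only the SESS pattern, the SSL request reaches the backend with an empty Cookie header, so Drupal sees an anonymous visitor; with the SSESS line added, the secure session cookie survives the filter.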