Skip to content

Instantly share code, notes, and snippets.

@benclark
Created May 14, 2012 17:17
Show Gist options
  • Save benclark/2695148 to your computer and use it in GitHub Desktop.
Save benclark/2695148 to your computer and use it in GitHub Desktop.
Varnish config file w/ basic auth
backend default {
.host = "127.0.0.1";
.port = "8080";
.connect_timeout = 600s;
.first_byte_timeout = 600s;
.between_bytes_timeout = 600s;
}
acl purge {
"localhost";
"127.0.0.1";
}
sub vcl_recv {
if (req.request == "GET" && req.url ~ "^/varnishcheck$") {
error 200 "Varnish is Ready";
}
if (req.request != "GET" &&
req.request != "HEAD" &&
req.request != "PUT" &&
req.request != "POST" &&
req.request != "TRACE" &&
req.request != "OPTIONS" &&
req.request != "PURGE" &&
req.request != "DELETE") {
# Non-RFC2616 or CONNECT which is weird.
return (pipe);
}
# We only deal with GET, PURGE and HEAD by default.
if (req.request != "GET" && req.request != "HEAD" && req.request != "PURGE") {
return (pass);
}
# --- PURGE ---
if (req.request == "PURGE") {
# Check if the ip coresponds with the acl purge
if (!client.ip ~ purge) {
# Return error code 405 (Forbidden) when not
error 405 "Not allowed.";
}
return (lookup);
}
# --- PASSTHROUGH ---
# Always cache things with these extensions.
if (req.url ~ "\.(js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|swf)$") {
unset req.http.cookie;
return (lookup);
}
# Handle basic HTTP authentication for a specific base64 hash of user:pass.
if (! req.http.Authorization ~ "Basic ZGV2OmRldnBhc3M=" ) {
error 401 "Restricted";
}
# Skip the Varnish cache for install, update, and cron.
if (req.url ~ "install\.php|update\.php|cron\.php") {
return (pass);
}
# Pass server-status.
if (req.url ~ ".*/server-status$") {
return (pass);
}
# Support for Pressflow Cookie-Cache Bypass.
if (req.http.cookie ~ "NO_CACHE") {
return (pass);
}
# Force lookup if the request is a no-cache request from the client.
if (req.http.Cache-Control ~ "no-cache") {
return (pass);
}
# Don't check cache if Drupal SESSION is set.
if (req.http.cookie ~ "SESS") {
return (pass);
}
# We "hide" the non-session cookies.
if (req.http.cookie) {
set req.http.X-Varnish-Cookie = req.http.cookie;
unset req.http.cookie;
}
# --- MISC ---
# Normalize the Accept-Encoding header
# as per: http://varnish-cache.org/wiki/FAQ/Compression
if (req.http.Accept-Encoding) {
if (req.url ~ "\.(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg)$") {
# No point in compressing these.
unset req.http.Accept-Encoding;
}
else if (req.http.Accept-Encoding ~ "gzip") {
set req.http.Accept-Encoding = "gzip";
}
else if (req.http.Accept-Encoding ~ "deflate") {
# Next, try deflate if it is supported.
set req.http.Accept-Encoding = "deflate";
}
else {
# Unknown or deflate algorithm.
unset req.http.Accept-Encoding;
}
}
# Let's have a little grace.
set req.grace = 5m;
return (lookup);
}
sub vcl_hash {
if (req.http.cookie) {
hash_data(req.http.cookie);
}
}
# Strip any cookies before an image/js/css is inserted into cache.
sub vcl_fetch {
set beresp.grace = 5m;
# These status codes should always pass through and never cache.
if (beresp.status == 503 || beresp.status == 500) {
set beresp.http.X-Cacheable = "NO: obj.status";
set beresp.http.X-Cacheable-status = beresp.status;
return (hit_for_pass);
}
if (req.url ~ "\.(js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|swf)(\?[a-z0-9]+)?$") {
unset beresp.http.set-cookie;
}
else if (beresp.http.Cache-Control) {
unset beresp.http.Expires;
}
if (beresp.status == 301) {
set beresp.ttl = 1h;
return(deliver);
}
# All tests passed, therefore item is cacheable
set beresp.http.X-Cacheable = "YES";
}
# Set a header to track a cache HIT/MISS.
sub vcl_deliver {
if (obj.hits > 0) {
set resp.http.X-Varnish-Cache = "HIT";
set resp.http.X-Varnish-Hits = obj.hits;
}
else {
set resp.http.X-Varnish-Cache = "MISS";
}
# Set a header to track the webhead.
set resp.http.X-Varnish-IP = server.ip;
}
sub vcl_hit {
if (req.request == "PURGE") {
purge;
error 200 "Purged.";
}
}
sub vcl_miss {
if (req.http.X-Varnish-Cookie) {
set bereq.http.cookie = req.http.X-Varnish-Cookie;
unset bereq.http.X-Varnish-Cookie;
}
if (req.request == "PURGE") {
purge;
error 200 "Purged.";
}
}
sub vcl_error {
set obj.http.Content-Type = "text/html; charset=utf-8";
if (obj.status == 401) {
# Prompt for password.
set obj.http.WWW-Authenticate = "Basic realm=Secured";
}
synthetic {"
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>"} + obj.status + " " + obj.response + {"</title>
</head>
<body>
<div id="page">
<h1>Page Could Not Be Loaded</h1>
<p>We're very sorry, but the page could not be loaded properly. This should be fixed very soon, and we apologize for any inconvenience.</p>
<hr />
<h4>Debug Info:</h4>
<pre>Status: "} + obj.status + {"
Response: "} + obj.response + {"
XID: "} + req.xid + {"</pre>
</div>
</body>
</html>
"};
return (deliver);
}
@benclark
Copy link
Author

File: /etc/varnish/default.vcl

backend default {
.host = "10.0.0.1";
.port = "80";
}
backend default2 {
.host = "10.0.0.2";
.port = "80";
}
backend default3 {
.host = "10.0.0.3";
.port = "80";
}

acl defaultip
{ "10.0.0.1"; }
acl default2ip
{ "10.0.0.2"; }
acl default3ip
{ "10.0.0.3"; }

sub vcl_recv {

if (server.ip ~ defaultip) {
set req.backend = default;
}

if (server.ip ~ default2ip) {
set req.backend = default2;
}

if (server.ip ~ default3ip) {
set req.backend = default3;
}

}

@jgardezi
Copy link

Hi,

I am using your configurations and the issue is that I am facing is that client ip is not being forward to apache. In my pressflow application client ip is required client.ip.

Please let me know how to achieve this. How do it use the below code in your configurations

if (req.restarts == 0) {
if (req.http.x-forwarded-for) {
set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
}
else {
set req.http.X-Forwarded-For = client.ip;
}
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment