hn-support/shopware6.vcl Secret

## shopware6.vcl
vcl 4.0;

import std;

# You should specify here all your app nodes and use round robin to select a backend
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

# ACL for purgers IP. (This needs to contain app server ips)
acl purgers {
    "127.0.0.1";
    "localhost";
    "::1";
}
### To allow Blackfire requests to bypass Varnish, uncomment the below block and whitelist the profilers IP. ###
#acl blackfire {
#    "<YOUR IP HERE>";
#}

sub vcl_recv {
    # Mitigate httpoxy application vulnerability, see: https://httpoxy.org/
    unset req.http.Proxy;

    # Strip query strings only needed by browser javascript. Customize to used tags.
    if (req.url ~ "(\?|&)(pk_campaign|piwik_campaign|pk_kwd|piwik_kwd|pk_keyword|pixelId|kwid|kw|adid|chl|dv|nk|pa|camid|adgid|cx|ie|cof|siteurl|utm_[a-z]+|_ga|gclid)=") {
        # see rfc3986#section-2.3 "Unreserved Characters" for regex
        set req.url = regsuball(req.url, "(pk_campaign|piwik_campaign|pk_kwd|piwik_kwd|pk_keyword|pixelId|kwid|kw|adid|chl|dv|nk|pa|camid|adgid|cx|ie|cof|siteurl|utm_[a-z]+|_ga|gclid)=[A-Za-z0-9\-\_\.\~]+&?", "");
    }
    set req.url = regsub(req.url, "(\?|\?&|&)$", "");

    # Normalize query arguments
    set req.url = std.querysort(req.url);

    # Make sure that the client ip is forward to the client.
    if (req.http.x-forwarded-for) {
        set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
    } else {
        set req.http.X-Forwarded-For = client.ip;
    }

    # Handle BAN
    if (req.method == "BAN") {
        if (!client.ip ~ purgers) {
            return (synth(405, "Method not allowed"));
        }

        ban("req.url ~ "+req.url);
        return (synth(200, "BAN URLs containing (" + req.url + ") done."));
    }

    # Normalize Accept-Encoding header
    # straight from the manual: https://www.varnish-cache.org/docs/3.0/tutorial/vary.html
    if (req.http.Accept-Encoding) {
        if (req.url ~ "\.(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg)$") {
            # No point in compressing these
            unset req.http.Accept-Encoding;
        } elsif (req.http.Accept-Encoding ~ "gzip") {
            set req.http.Accept-Encoding = "gzip";
        } elsif (req.http.Accept-Encoding ~ "deflate") {
            set req.http.Accept-Encoding = "deflate";
        } else {
            # unkown algorithm
            unset req.http.Accept-Encoding;
        }
    }

    if (req.method != "GET" &&
        req.method != "HEAD" &&
        req.method != "PUT" &&
        req.method != "POST" &&
        req.method != "TRACE" &&
        req.method != "OPTIONS" &&
        req.method != "DELETE") {
        /* Non-RFC2616 or CONNECT which is weird. */
        return (pipe);
    }

    # We only deal with GET and HEAD by default
    if (req.method != "GET" && req.method != "HEAD") {
        return (pass);
    }

    # Don't cache Authenticate & Authorization
    if (req.http.Authenticate || req.http.Authorization) {
        return (pass);
    }

    # Always pass these paths directly to php without caching
    # Note: virtual URLs might bypass this rule (e.g. /en/checkout)
    if (req.url ~ "^/(checkout|account|admin|api)(/.*)?$") {
        return (pass);
    }

    if (req.url ~ "^/(bundles|css|fonts|js|media|sitemap|theme|thumbnail)(/.*)?$") {
        return (pass);
    }
### To allow Blackfire requests to bypass Varnish, uncomment the below block. ###
    #if (req.esi_level > 0) {
    #    unset req.http.X-Blackfire-Query;
    #}

#	if (req.http.X-Blackfire-Query && std.ip(req.http.X-Real-IP,"0.0.0.0") ~ blackfire) {
#        return (pass);
#    }

    return (hash);
}

sub vcl_hash {
    # Consider Shopware http cache cookies
    if (req.http.cookie ~ "sw-cache-hash=") {
        hash_data("+context=" + regsub(req.http.cookie, "^.*?sw-cache-hash=([^;]*);*.*$", "\1"));
    } elseif (req.http.cookie ~ "sw-currency=") {
        hash_data("+currency=" + regsub(req.http.cookie, "^.*?sw-currency=([^;]*);*.*$", "\1"));
    }
}

sub vcl_hit {
}

sub vcl_backend_response {
    # Fix Vary Header in some cases
    # https://www.varnish-cache.org/trac/wiki/VCLExampleFixupVary
    if (beresp.http.Vary ~ "User-Agent") {
        set beresp.http.Vary = regsub(beresp.http.Vary, ",? *User-Agent *", "");
        set beresp.http.Vary = regsub(beresp.http.Vary, "^, *", "");
        if (beresp.http.Vary == "") {
            unset beresp.http.Vary;
        }
    }

    # Respect the Cache-Control=private header from the backend
    if (
        beresp.http.Pragma        ~ "no-cache" ||
        beresp.http.Cache-Control ~ "no-cache" ||
        beresp.http.Cache-Control ~ "private"
    ) {
        set beresp.ttl = 0s;
        set beresp.http.X-Cacheable = "NO:Cache-Control=private";
        set beresp.uncacheable = true;
        return (deliver);
    }

    # strip the cookie before the image is inserted into cache.
    if (bereq.url ~ "\.(png|gif|jpg|swf|css|js|webp)$") {
        unset beresp.http.set-cookie;
    }

    # Allow items to be stale if needed.
    set beresp.grace = 6h;

    # Save the bereq.url so bans work efficiently
    set beresp.http.x-url = bereq.url;
    set beresp.http.X-Cacheable = "YES";

    return (deliver);
}

sub vcl_deliver {
    ## we don't want the client to cache
    set resp.http.Cache-Control = "max-age=0, private";

    # remove link header, if session is already started to save client resources
    if (req.http.cookie ~ "session-") {
        unset resp.http.Link;
    }

    # Set a cache header to allow us to inspect the response headers during testing
    if (obj.hits > 0) {
        unset resp.http.set-cookie;
#        set resp.http.X-Cache = "HIT";
    }  else {
#        set resp.http.X-Cache = "MISS";
    }

#    set resp.http.X-Cache-Hits = obj.hits;
}
	vcl 4.0;

	import std;

	# You should specify here all your app nodes and use round robin to select a backend
	backend default {
	.host = "127.0.0.1";
	.port = "8080";
	}

	# ACL for purgers IP. (This needs to contain app server ips)
	acl purgers {
	"127.0.0.1";
	"localhost";
	"::1";
	}
	### To allow Blackfire requests to bypass Varnish, uncomment the below block and whitelist the profilers IP. ###
	#acl blackfire {
	# "<YOUR IP HERE>";
	#}

	sub vcl_recv {
	# Mitigate httpoxy application vulnerability, see: https://httpoxy.org/
	unset req.http.Proxy;

	# Strip query strings only needed by browser javascript. Customize to used tags.
	if (req.url ~ "(\?\|&)(pk_campaign\|piwik_campaign\|pk_kwd\|piwik_kwd\|pk_keyword\|pixelId\|kwid\|kw\|adid\|chl\|dv\|nk\|pa\|camid\|adgid\|cx\|ie\|cof\|siteurl\|utm_[a-z]+\|_ga\|gclid)=") {
	# see rfc3986#section-2.3 "Unreserved Characters" for regex
	set req.url = regsuball(req.url, "(pk_campaign\|piwik_campaign\|pk_kwd\|piwik_kwd\|pk_keyword\|pixelId\|kwid\|kw\|adid\|chl\|dv\|nk\|pa\|camid\|adgid\|cx\|ie\|cof\|siteurl\|utm_[a-z]+\|_ga\|gclid)=[A-Za-z0-9\-\_\.\~]+&?", "");
	}
	set req.url = regsub(req.url, "(\?\|\?&\|&)$", "");

	# Normalize query arguments
	set req.url = std.querysort(req.url);

	# Make sure that the client ip is forward to the client.
	if (req.http.x-forwarded-for) {
	set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
	} else {
	set req.http.X-Forwarded-For = client.ip;
	}

	# Handle BAN
	if (req.method == "BAN") {
	if (!client.ip ~ purgers) {
	return (synth(405, "Method not allowed"));
	}

	ban("req.url ~ "+req.url);
	return (synth(200, "BAN URLs containing (" + req.url + ") done."));
	}

	# Normalize Accept-Encoding header
	# straight from the manual: https://www.varnish-cache.org/docs/3.0/tutorial/vary.html
	if (req.http.Accept-Encoding) {
	if (req.url ~ "\.(jpg\|png\|gif\|gz\|tgz\|bz2\|tbz\|mp3\|ogg)$") {
	# No point in compressing these
	unset req.http.Accept-Encoding;
	} elsif (req.http.Accept-Encoding ~ "gzip") {
	set req.http.Accept-Encoding = "gzip";
	} elsif (req.http.Accept-Encoding ~ "deflate") {
	set req.http.Accept-Encoding = "deflate";
	} else {
	# unkown algorithm
	unset req.http.Accept-Encoding;
	}
	}

	if (req.method != "GET" &&
	req.method != "HEAD" &&
	req.method != "PUT" &&
	req.method != "POST" &&
	req.method != "TRACE" &&
	req.method != "OPTIONS" &&
	req.method != "DELETE") {
	/* Non-RFC2616 or CONNECT which is weird. */
	return (pipe);
	}

	# We only deal with GET and HEAD by default
	if (req.method != "GET" && req.method != "HEAD") {
	return (pass);
	}

	# Don't cache Authenticate & Authorization
	if (req.http.Authenticate \|\| req.http.Authorization) {
	return (pass);
	}

	# Always pass these paths directly to php without caching
	# Note: virtual URLs might bypass this rule (e.g. /en/checkout)
	if (req.url ~ "^/(checkout\|account\|admin\|api)(/.*)?$") {
	return (pass);
	}

	if (req.url ~ "^/(bundles\|css\|fonts\|js\|media\|sitemap\|theme\|thumbnail)(/.*)?$") {
	return (pass);
	}
	### To allow Blackfire requests to bypass Varnish, uncomment the below block. ###
	#if (req.esi_level > 0) {
	# unset req.http.X-Blackfire-Query;
	#}

	# if (req.http.X-Blackfire-Query && std.ip(req.http.X-Real-IP,"0.0.0.0") ~ blackfire) {
	# return (pass);
	# }

	return (hash);
	}

	sub vcl_hash {
	# Consider Shopware http cache cookies
	if (req.http.cookie ~ "sw-cache-hash=") {
	hash_data("+context=" + regsub(req.http.cookie, "^.?sw-cache-hash=([^;]);.$", "\1"));
	} elseif (req.http.cookie ~ "sw-currency=") {
	hash_data("+currency=" + regsub(req.http.cookie, "^.?sw-currency=([^;]);.$", "\1"));
	}
	}

	sub vcl_hit {
	}

	sub vcl_backend_response {
	# Fix Vary Header in some cases
	# https://www.varnish-cache.org/trac/wiki/VCLExampleFixupVary
	if (beresp.http.Vary ~ "User-Agent") {
	set beresp.http.Vary = regsub(beresp.http.Vary, ",? User-Agent ", "");
	set beresp.http.Vary = regsub(beresp.http.Vary, "^, *", "");
	if (beresp.http.Vary == "") {
	unset beresp.http.Vary;
	}
	}

	# Respect the Cache-Control=private header from the backend
	if (
	beresp.http.Pragma ~ "no-cache" \|\|
	beresp.http.Cache-Control ~ "no-cache" \|\|
	beresp.http.Cache-Control ~ "private"
	) {
	set beresp.ttl = 0s;
	set beresp.http.X-Cacheable = "NO:Cache-Control=private";
	set beresp.uncacheable = true;
	return (deliver);
	}

	# strip the cookie before the image is inserted into cache.
	if (bereq.url ~ "\.(png\|gif\|jpg\|swf\|css\|js\|webp)$") {
	unset beresp.http.set-cookie;
	}

	# Allow items to be stale if needed.
	set beresp.grace = 6h;

	# Save the bereq.url so bans work efficiently
	set beresp.http.x-url = bereq.url;
	set beresp.http.X-Cacheable = "YES";

	return (deliver);
	}

	sub vcl_deliver {
	## we don't want the client to cache
	set resp.http.Cache-Control = "max-age=0, private";

	# remove link header, if session is already started to save client resources
	if (req.http.cookie ~ "session-") {
	unset resp.http.Link;
	}

	# Set a cache header to allow us to inspect the response headers during testing
	if (obj.hits > 0) {
	unset resp.http.set-cookie;
	# set resp.http.X-Cache = "HIT";
	} else {
	# set resp.http.X-Cache = "MISS";
	}

	# set resp.http.X-Cache-Hits = obj.hits;
	}