-
-
Save hn-support/29efb2e58b18ff2ef0f25363bd02dbe9 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
vcl 4.0; | |
import std; | |
# You should specify here all your app nodes and use round robin to select a backend | |
backend default { | |
.host = "127.0.0.1"; | |
.port = "8080"; | |
} | |
# ACL for purgers IP. (This needs to contain app server ips) | |
acl purgers { | |
"127.0.0.1"; | |
"localhost"; | |
"::1"; | |
} | |
### To allow Blackfire requests to bypass Varnish, uncomment the below block and whitelist the profilers IP. ### | |
#acl blackfire { | |
# "<YOUR IP HERE>"; | |
#} | |
sub vcl_recv { | |
# Mitigate httpoxy application vulnerability, see: https://httpoxy.org/ | |
unset req.http.Proxy; | |
# Strip query strings only needed by browser javascript. Customize to used tags. | |
if (req.url ~ "(\?|&)(pk_campaign|piwik_campaign|pk_kwd|piwik_kwd|pk_keyword|pixelId|kwid|kw|adid|chl|dv|nk|pa|camid|adgid|cx|ie|cof|siteurl|utm_[a-z]+|_ga|gclid)=") { | |
# see rfc3986#section-2.3 "Unreserved Characters" for regex | |
set req.url = regsuball(req.url, "(pk_campaign|piwik_campaign|pk_kwd|piwik_kwd|pk_keyword|pixelId|kwid|kw|adid|chl|dv|nk|pa|camid|adgid|cx|ie|cof|siteurl|utm_[a-z]+|_ga|gclid)=[A-Za-z0-9\-\_\.\~]+&?", ""); | |
} | |
set req.url = regsub(req.url, "(\?|\?&|&)$", ""); | |
# Normalize query arguments | |
set req.url = std.querysort(req.url); | |
# Make sure that the client ip is forward to the client. | |
if (req.http.x-forwarded-for) { | |
set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip; | |
} else { | |
set req.http.X-Forwarded-For = client.ip; | |
} | |
# Handle BAN | |
if (req.method == "BAN") { | |
if (!client.ip ~ purgers) { | |
return (synth(405, "Method not allowed")); | |
} | |
ban("req.url ~ "+req.url); | |
return (synth(200, "BAN URLs containing (" + req.url + ") done.")); | |
} | |
# Normalize Accept-Encoding header | |
# straight from the manual: https://www.varnish-cache.org/docs/3.0/tutorial/vary.html | |
if (req.http.Accept-Encoding) { | |
if (req.url ~ "\.(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg)$") { | |
# No point in compressing these | |
unset req.http.Accept-Encoding; | |
} elsif (req.http.Accept-Encoding ~ "gzip") { | |
set req.http.Accept-Encoding = "gzip"; | |
} elsif (req.http.Accept-Encoding ~ "deflate") { | |
set req.http.Accept-Encoding = "deflate"; | |
} else { | |
# unkown algorithm | |
unset req.http.Accept-Encoding; | |
} | |
} | |
if (req.method != "GET" && | |
req.method != "HEAD" && | |
req.method != "PUT" && | |
req.method != "POST" && | |
req.method != "TRACE" && | |
req.method != "OPTIONS" && | |
req.method != "DELETE") { | |
/* Non-RFC2616 or CONNECT which is weird. */ | |
return (pipe); | |
} | |
# We only deal with GET and HEAD by default | |
if (req.method != "GET" && req.method != "HEAD") { | |
return (pass); | |
} | |
# Don't cache Authenticate & Authorization | |
if (req.http.Authenticate || req.http.Authorization) { | |
return (pass); | |
} | |
# Always pass these paths directly to php without caching | |
# Note: virtual URLs might bypass this rule (e.g. /en/checkout) | |
if (req.url ~ "^/(checkout|account|admin|api)(/.*)?$") { | |
return (pass); | |
} | |
if (req.url ~ "^/(bundles|css|fonts|js|media|sitemap|theme|thumbnail)(/.*)?$") { | |
return (pass); | |
} | |
### To allow Blackfire requests to bypass Varnish, uncomment the below block. ### | |
#if (req.esi_level > 0) { | |
# unset req.http.X-Blackfire-Query; | |
#} | |
# if (req.http.X-Blackfire-Query && std.ip(req.http.X-Real-IP,"0.0.0.0") ~ blackfire) { | |
# return (pass); | |
# } | |
return (hash); | |
} | |
sub vcl_hash { | |
# Consider Shopware http cache cookies | |
if (req.http.cookie ~ "sw-cache-hash=") { | |
hash_data("+context=" + regsub(req.http.cookie, "^.*?sw-cache-hash=([^;]*);*.*$", "\1")); | |
} elseif (req.http.cookie ~ "sw-currency=") { | |
hash_data("+currency=" + regsub(req.http.cookie, "^.*?sw-currency=([^;]*);*.*$", "\1")); | |
} | |
} | |
sub vcl_hit { | |
} | |
sub vcl_backend_response { | |
# Fix Vary Header in some cases | |
# https://www.varnish-cache.org/trac/wiki/VCLExampleFixupVary | |
if (beresp.http.Vary ~ "User-Agent") { | |
set beresp.http.Vary = regsub(beresp.http.Vary, ",? *User-Agent *", ""); | |
set beresp.http.Vary = regsub(beresp.http.Vary, "^, *", ""); | |
if (beresp.http.Vary == "") { | |
unset beresp.http.Vary; | |
} | |
} | |
# Respect the Cache-Control=private header from the backend | |
if ( | |
beresp.http.Pragma ~ "no-cache" || | |
beresp.http.Cache-Control ~ "no-cache" || | |
beresp.http.Cache-Control ~ "private" | |
) { | |
set beresp.ttl = 0s; | |
set beresp.http.X-Cacheable = "NO:Cache-Control=private"; | |
set beresp.uncacheable = true; | |
return (deliver); | |
} | |
# strip the cookie before the image is inserted into cache. | |
if (bereq.url ~ "\.(png|gif|jpg|swf|css|js|webp)$") { | |
unset beresp.http.set-cookie; | |
} | |
# Allow items to be stale if needed. | |
set beresp.grace = 6h; | |
# Save the bereq.url so bans work efficiently | |
set beresp.http.x-url = bereq.url; | |
set beresp.http.X-Cacheable = "YES"; | |
return (deliver); | |
} | |
sub vcl_deliver { | |
## we don't want the client to cache | |
set resp.http.Cache-Control = "max-age=0, private"; | |
# remove link header, if session is already started to save client resources | |
if (req.http.cookie ~ "session-") { | |
unset resp.http.Link; | |
} | |
# Set a cache header to allow us to inspect the response headers during testing | |
if (obj.hits > 0) { | |
unset resp.http.set-cookie; | |
# set resp.http.X-Cache = "HIT"; | |
} else { | |
# set resp.http.X-Cache = "MISS"; | |
} | |
# set resp.http.X-Cache-Hits = obj.hits; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment