Instantly share code, notes, and snippets.

Embed
What would you like to do?
#
# This is a VCL file for Varnish used with @TryGhost blog.
# It rewrites Wordpress-style /yyyy/mm/dd/slug urls
# to /slug and /rss20.xml to Ghost's /rss/
# Adds 60 mins cachability to pages, adds AMP Project CSP header and a few other
# security headers giving the site an A+ on https://securityheaders.io/
# Marker to tell the VCL compiler that this VCL has been adapted to the
# new 4.0 format.
vcl 4.0;
# Default backend definition. Set this to point to your content server.
backend default {
.host = "127.0.0.1";
.port = "2368";
}
sub vcl_recv {
# Happens before we check if we have this in cache already.
#
# Typically you clean up the request here, removing cookies you don't need,
# rewriting the request, etc.
if (req.url ~ "^/(\d{4}/\d{2}/\d{2}/)") {
return (synth(700, ""));
}
if (req.url ~ "^/rss20.xml") {
return (synth(701, ""));
}
if (req.http.cache-control ~ "no-cache") {
set req.hash_always_miss = true;
}
}
sub vcl_synth {
if (resp.status == 700) {
set resp.http.Location = "/" + regsuball(req.url, "^/(\d{4}/\d{2}/\d{2}/)", "");
set resp.status = 301;
set resp.reason = "Moved Permanently";
synthetic ( {""} );
}
if (resp.status == 701) {
set resp.http.Location = "/rss/";
set resp.status = 301;
set resp.reason = "Moved Permanently";
synthetic ( {""} );
}
return (deliver);
}
sub vcl_backend_response {
# Happens after we have read the response headers from the backend.
#
# Here you clean the response headers, removing silly Set-Cookie headers
# and other mistakes your backend does.
if (beresp.status < 400 && bereq.url !~ "^/(api|signout|ghost)") {
set beresp.ttl = 60m;
set beresp.http.cache-control = "public, max-age=3600";
set beresp.http.content-security-policy = "default-src * data:; script-src https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ https://cdn.ampproject.org/viewer/; object-src 'none'; style-src 'unsafe-inline' https://fast.fonts.net https://fonts.googleapis.com; report-uri https://csp-collector.appspot.com/csp/amp";
}
}
sub vcl_deliver {
# Happens when we have all the pieces we need, and are about to send the
# response to the client.
#
# You can do accounting or modifying the final object here.
unset resp.http.Via;
unset resp.http.Age;
unset resp.http.X-Powered-By;
unset resp.http.X-Varnish;
set resp.http.Server = "ZX-81";
set resp.http.X-Content-Type-Options = "nosniff";
set resp.http.X-Frame-Options = "DENY";
set resp.http.X-XSS-Protection = "1; mode=block";
return (deliver);
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment