Created
May 5, 2016 21:52
-
-
Save klinkby/938759b66ba808e893b79a16e3ea1cab to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# | |
# This is a VCL file for Varnish used with @TryGhost blog. | |
# It rewrites Wordpress-style /yyyy/mm/dd/slug urls | |
# to /slug and /rss20.xml to Ghost's /rss/ | |
# Adds 60 mins cachability to pages, adds AMP Project CSP header and a few other | |
# security headers giving the site an A+ on https://securityheaders.io/ | |
# Marker to tell the VCL compiler that this VCL has been adapted to the | |
# new 4.0 format. | |
vcl 4.0; | |
# Default backend definition. Set this to point to your content server. | |
backend default { | |
.host = "127.0.0.1"; | |
.port = "2368"; | |
} | |
sub vcl_recv { | |
# Happens before we check if we have this in cache already. | |
# | |
# Typically you clean up the request here, removing cookies you don't need, | |
# rewriting the request, etc. | |
if (req.url ~ "^/(\d{4}/\d{2}/\d{2}/)") { | |
return (synth(700, "")); | |
} | |
if (req.url ~ "^/rss20.xml") { | |
return (synth(701, "")); | |
} | |
if (req.http.cache-control ~ "no-cache") { | |
set req.hash_always_miss = true; | |
} | |
} | |
sub vcl_synth { | |
if (resp.status == 700) { | |
set resp.http.Location = "/" + regsuball(req.url, "^/(\d{4}/\d{2}/\d{2}/)", ""); | |
set resp.status = 301; | |
set resp.reason = "Moved Permanently"; | |
synthetic ( {""} ); | |
} | |
if (resp.status == 701) { | |
set resp.http.Location = "/rss/"; | |
set resp.status = 301; | |
set resp.reason = "Moved Permanently"; | |
synthetic ( {""} ); | |
} | |
return (deliver); | |
} | |
sub vcl_backend_response { | |
# Happens after we have read the response headers from the backend. | |
# | |
# Here you clean the response headers, removing silly Set-Cookie headers | |
# and other mistakes your backend does. | |
if (beresp.status < 400 && bereq.url !~ "^/(api|signout|ghost)") { | |
set beresp.ttl = 60m; | |
set beresp.http.cache-control = "public, max-age=3600"; | |
set beresp.http.content-security-policy = "default-src * data:; script-src https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ https://cdn.ampproject.org/viewer/; object-src 'none'; style-src 'unsafe-inline' https://fast.fonts.net https://fonts.googleapis.com; report-uri https://csp-collector.appspot.com/csp/amp"; | |
} | |
} | |
sub vcl_deliver { | |
# Happens when we have all the pieces we need, and are about to send the | |
# response to the client. | |
# | |
# You can do accounting or modifying the final object here. | |
unset resp.http.Via; | |
unset resp.http.Age; | |
unset resp.http.X-Powered-By; | |
unset resp.http.X-Varnish; | |
set resp.http.Server = "ZX-81"; | |
set resp.http.X-Content-Type-Options = "nosniff"; | |
set resp.http.X-Frame-Options = "DENY"; | |
set resp.http.X-XSS-Protection = "1; mode=block"; | |
return (deliver); | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment