##
# THIS IS STILL VERY MUCH A WORK IN PROGRESS -Mike
#
# A Varnish reverse-proxy cache config file meant to hold long-expiry copies of
# essentially static content from a Drupal install. The idea is that this cache
# sits in front of the Drupal install and prevents direct access to it, blocking
# hacking and intrusion attempts.
#
# References:
#
# * Introduction to Varnish - http://varnish-cache.org/wiki/Introduction
# * Example VCL by AlexC - http://varnish-cache.org/wiki/VCLExampleAlexc
# * Example Varnish VCL for a Drupal/Pressflow site - http://highervisibilitywebsites.com/example-varnish-vcl-drupal-pressflow-site
# * Evolt: Regular Expression Basics - http://www.evolt.org/node/22700
#
##
# Backend server to be proxied/cached. Per the header comment, only Varnish is
# meant to be reachable from outside; this Drupal host is what vcl_recv shields.
backend default {
    .host = "mris.localhost";
    .port = "80";
}
# it is possible to define failover servers here as well
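# called when a client request is received
sub vcl_recv {
    # Record the address of the connection we actually accepted rather than a
    # header the client sent us. The previous version copied req.http.rlnclientipaddr,
    # which is just another request header and therefore under the sender's control,
    # so the backend saw whatever client address the requester chose to claim.
    # If an upstream load balancer you operate sets such a header, trust it only
    # when client.ip is that balancer (acl + check) instead of unconditionally.
    remove req.http.X-Forwarded-For;
    set req.http.X-Forwarded-For = client.ip;

    # REQUIREMENT: Block all administrative URL access
    # Case-insensitive: Drupal resolves paths case-insensitively under MySQL's
    # default collation, so the old "(^/admin|^/Admin)" covered only two spellings.
    # Character classes are used instead of (?i) so the pattern compiles on both
    # POSIX- and PCRE-based Varnish builds.
    if (req.url ~ "^/[aA][dD][mM][iI][nN]") {
        error 403 "[Access Denied Message] No access to Admin section (from .VCL file)";
    }
    # REQUIREMENT: block user login forms and user profile pages
    if (req.url ~ "^/[uU][sS][eE][rR]") {
        error 403 "[Access Denied Message] No access to User section (from .VCL file)";
    }
    # SECURITY: Block users from trying to bypass the MOD_REWRITE URLs and try to
    # sneak into the site using query string paths. Drupal reads "q" from anywhere
    # in the query string, so match it after '?' or '&', not only as the first
    # parameter as "\?q=" did.
    # NOTE: the reason phrases above still say "(from .VCL file)", which names the
    # proxy layer this file otherwise tries to hide; left as WIP debugging text.
    if (req.url ~ "[?&]q=") {
        error 403 "[Access Denied Message] Please stop trying to play games with the query strings (from .VCL file)";
    }

    # PURGE is answered by vcl_miss (404) and vcl_hit (currently just delivers);
    # keep it on the lookup path so that behaviour is unchanged. Gate it with an
    # acl before teaching vcl_hit to actually purge.
    if (req.request == "PURGE") {
        lookup;
    }

    # Only GET and HEAD are cacheable. Everything else (POST, PUT, ...) goes to the
    # backend untouched. Previously every method fell through to the final lookup,
    # so POST requests were hashed and handled like GETs. Mirrors Varnish's
    # built-in vcl_recv.
    if (req.request != "GET" && req.request != "HEAD") {
        pass;
    }

    # Normalise Accept-Encoding before any lookup so compressed and uncompressed
    # variants do not multiply cache entries. (Previously this ran only for requests
    # that did not take one of the static-file shortcuts below, i.e. it skipped
    # exactly the JS/CSS objects a backend is most likely to compress.)
    if (req.http.Accept-Encoding) {
        if (req.url ~ "\.(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg)$") {
            # already compressed, nothing to gain
            remove req.http.Accept-Encoding;
        } elsif (req.http.Accept-Encoding ~ "gzip") {
            set req.http.Accept-Encoding = "gzip";
        } elsif (req.http.Accept-Encoding ~ "deflate") {
            set req.http.Accept-Encoding = "deflate";
        } else {
            # unknown algorithm
            remove req.http.Accept-Encoding;
        }
    }

    # Always cache these file types (use a Varnish module to trigger specific updates).
    #  * JS and CSS files (left unanchored as before, so "/x.js?v=2" still matches)
    #  * image files
    #  * multimedia files
    #  * XML files (RSS feeds) -- TODO: shorter TTL (30min? 1hour?), see vcl_fetch
    if (req.url ~ "\.(js|css)" ||
        req.url ~ "\.(gif|jpg|jpeg|bmp|png|tiff|tif|ico|img|tga|wmf)$" ||
        req.url ~ "\.(svg|swf|flv|mp3|mp4|m4a|mov|wmv|ogg|avi)$" ||
        req.url ~ "\.(xml)$") {
        lookup;
    }

    # Never cache these files
    #  * Search results
    # TODO: always use fresh search results, do not cache them.
    # if ( requesting a search results page ){
    #     -> query Drupal server.
    #     -> do not cache result.
    # }

    # Requests carrying credentials or a Drupal session cookie (named SESS<hash>)
    # are per-user and must neither be served from nor stored into the shared
    # cache. Other cookies are deliberately ignored so they do not kill the hit rate.
    if (req.http.Authorization || req.http.Cookie ~ "SESS") {
        pass;
    }

    # made it through all those checks? do a lookup.
    lookup;
} # END vcl_recv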
#
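# Synthetic error page. Varnish's built-in vcl_error emits a page that names and
# links to Varnish; this one carries only the status and reason phrase, in line
# with the header stripping done in vcl_fetch. Reason phrases come from the
# "error" statements in this file, not from the client.
sub vcl_error {
    set obj.http.Content-Type = "text/html; charset=utf-8";
    synthetic {"<!DOCTYPE html>
<html><head><title>"} obj.status " " obj.response {"</title></head>
<body><h1>"} obj.status " " obj.response {"</h1></body></html>
"};
    deliver;
}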
# when an object exists in the cache
sub vcl_hit {
# NOTE(review): PURGE requests that hit also land here and are simply served the
# cached object; nothing is invalidated. A real purge (expire the object and answer
# 200) belongs here, but only once vcl_recv restricts PURGE to an acl of trusted
# addresses -- at the moment any client may send it.
deliver;
}
# when an object is not found in the cache
sub vcl_miss {
# A PURGE for an object we do not hold is answered here without contacting the
# backend. This is only half of purge support: vcl_hit does not invalidate
# anything yet, and vcl_recv does not restrict who may send PURGE.
if (req.request == "PURGE") {
error 404 "Not in cache.";
}
}
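# when an object needs to be retrieved from the backend to the cache
sub vcl_fetch {
    # http://varnish-cache.org/wiki/VCLExampleLongerCaching
    # Keep objects in Varnish for a day while telling browsers to revalidate after
    # 15 minutes (magicmarker lets vcl_deliver reset Age so max-age is honoured).
    # Restricted to 200 responses: obj.cacheable is also true for other statuses
    # Varnish gives a default ttl (e.g. 404, 301), and pinning those to a day meant
    # a page that was missing when first requested stayed "missing" for 24 hours.
    if (obj.cacheable && obj.status == 200) {
        unset obj.http.expires;
        # "max-age=900" without embedded spaces -- the form every client parses.
        set obj.http.cache-control = "max-age=900";
        set obj.ttl = 1d;
        set obj.http.magicmarker = "1";
    }
    # PERFORMANCE: based on concepts in the Yahoo! Y!Slow performance guidelines
    remove obj.http.Etag;
    # SECURITY: remove headers identifying the underlying technology
    # (Server added here: it carries the web server name/version from the backend)
    remove obj.http.X-Drupal-Cache;
    remove obj.http.X-Powered-By;
    remove obj.http.Server;
    # clip IP address of actual backend server out of HTTP headers.
    remove obj.http.X-Varnish-IP;
    # example of a custom HTTP header
    set obj.http.X-Security = "Is awesome.";
    # Deliberately no terminating action: Varnish's built-in vcl_fetch runs next and
    # passes uncacheable objects and responses carrying Set-Cookie, so those are
    # never stored in the shared cache. Adding "deliver;" here would bypass that.
}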
# when a cached object is delivered to a client
sub vcl_deliver {
    # Diagnostic headers: report whether this response came from cache and, on a
    # hit, how many times the object has been served so far.
    if (obj.hits > 0) {
        set resp.http.X-Cache = "HIT";
        set resp.http.X-Cache-Hits = obj.hits;
    } else {
        set resp.http.X-Cache = "MISS";
    }
    # http://varnish-cache.org/wiki/VCLExampleLongerCaching
    # vcl_fetch marks objects it keeps longer than their cache-control says; reset
    # Age so browsers count max-age from now, and drop the internal marker.
    if (resp.http.magicmarker) {
        unset resp.http.magicmarker;
        set resp.http.age = "0";
    }
    deliver;
}