## | |
# THIS IS STILL VERY MUCH A WORK IN PROGRESS -Mike | |
# | |
# A Varnish reverse-proxy cache config file meant to hold long-expires copies of
# essentially static content from a Drupal install. The idea is that this cache
# prevents direct access to the Drupal install itself, which limits the exposure
# to hacking and intrusion attempts.
# | |
# References: | |
# | |
# * Introduction to Varnish - http://varnish-cache.org/wiki/Introduction | |
# * Example VCL by AlexC - http://varnish-cache.org/wiki/VCLExampleAlexc | |
# * Example Varnish VCL for a Drupal/Pressflow site - http://highervisibilitywebsites.com/example-varnish-vcl-drupal-pressflow-site | |
# * Evolt: Regular Expression Basics - http://www.evolt.org/node/22700 | |
# | |
## | |
# Backend server to be proxied/cached.
# NOTE(review): the header comment's premise ("the cache prevents direct access
# to Drupal") only holds if this backend is reachable exclusively from Varnish
# (host firewall / bind address) — nothing in this file enforces that; confirm.
backend default {
    .host = "mris.localhost";
    .port = "80";
}
# it is possible to define failover servers here as well | |
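# called when a client request is received.
#
# Every request ends either in `error 403` (blocked URL) or in `lookup`;
# there is no `pass`/`pipe` branch, so the built-in default vcl_recv (which
# would pass non-GET/HEAD requests and requests carrying Cookie or
# Authorization headers) is never reached. NOTE(review): requests with
# cookies, and non-GET/HEAD methods, are therefore looked up in the cache like
# any other request — acceptable only while the login/user paths below stay
# blocked; confirm this is intended.
sub vcl_recv {
    # add a header containing the client's IP address.
    # NOTE(review): rlnclientipaddr is a plain request header, so its value is
    # only trustworthy when a trusted upstream load balancer sets it and clients
    # cannot reach Varnish directly; if they can, use `client.ip` here instead.
    remove req.http.X-Forwarded-For;
    set req.http.X-Forwarded-For = req.http.rlnclientipaddr;

    # REQUIREMENT: Block all administrative URL access
    # NOTE(review): the two blocks below match the raw req.url as sent (no
    # percent-decoding, only the two spellings listed), so treat them as
    # defence in depth — Drupal's own permissions must still deny these paths.
    if (req.url ~ "(^/admin|^/Admin)") {
        error 403 "[Access Denied Message] No access to Admin section (from .VCL file)";
    }
    # REQUIREMENT: block user login forms and user profile pages
    if (req.url ~ "(^/user|^/User)") {
        error 403 "[Access Denied Message] No access to User section (from .VCL file)";
    }
    # SECURITY: Block users from trying to bypass the MOD_REWRITE URLs and try
    # to sneak into the site using query string paths
    if (req.url ~ "(\?q=)") {
        error 403 "[Access Denied Message] Please stop trying to play games with the query strings (from .VCL file)";
    }

    # Normalise Accept-Encoding BEFORE any lookup, so every cached object —
    # static assets included — is stored under at most two encodings rather than
    # one copy per distinct Accept-Encoding string clients send. (Previously the
    # early lookups below skipped this block, fragmenting the cache for exactly
    # the files this config most wants to cache.)
    if (req.http.Accept-Encoding) {
        if (req.url ~ "\.(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg)$") {
            # No point in compressing these
            remove req.http.Accept-Encoding;
        } elsif (req.http.Accept-Encoding ~ "gzip") {
            set req.http.Accept-Encoding = "gzip";
        } elsif (req.http.Accept-Encoding ~ "deflate") {
            set req.http.Accept-Encoding = "deflate";
        } else {
            # unknown algorithm
            remove req.http.Accept-Encoding;
        }
    }

    # Always cache these file types ( Use Varnish module to trigger specific
    # updates to files). Each branch ends in `lookup`, as does the fall-through
    # at the bottom, so these document intent rather than change routing.
    # NOTE(review): the js/css patterns are not anchored with `$` like the
    # others, so ".json"/".jsp" match too — harmless today because every path
    # leads to lookup, but worth anchoring if a `pass` branch is ever added.
    # * JS files
    if (req.request == "GET" && req.url ~ "\.(js)") {
        lookup;
    }
    # * CSS files
    if (req.request == "GET" && req.url ~ "\.(css)") {
        lookup;
    }
    # * image files
    if (req.request == "GET" && req.url ~ "\.(gif|jpg|jpeg|bmp|png|tiff|tif|ico|img|tga|wmf)$") {
        lookup;
    }
    # * multimedia files
    if (req.request == "GET" && req.url ~ "\.(svg|swf|flv|mp3|mp4|m4a|mov|wmv|ogg|avi)$") {
        lookup;
    }

    # Cache these files for a shorter period of time (30min? 1hour?)
    # * XML files (RSS Feeds)
    # NOTE(review): vcl_fetch currently applies the same 1d TTL to everything
    # cacheable; the shorter lifetime for feeds is not implemented yet.
    if (req.request == "GET" && req.url ~ "\.(xml)$") {
        lookup;
    }

    # Never cache these files
    # * Search results
    # TODO: always use fresh search results, do not cache them.
    # if ( requesting a search results page ){
    #   -> query Drupal server (pass).
    #   -> do not cache result.
    # }

    # made it through all those checks? do a lookup.
    lookup;
} # END vcl_recv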
# | |
# Empty: with no return here, the built-in default vcl_error runs and renders
# Varnish's stock error page for the 403s raised in vcl_recv and the 404 in
# vcl_miss. NOTE(review): that stock page names Varnish (and the request XID);
# if the "hide the underlying technology" goal in vcl_fetch matters, a minimal
# synthetic body here is the place to do it.
sub vcl_error {}
# when an object exists in the cache.
# NOTE(review): vcl_miss answers PURGE with a 404, but a PURGE that hits an
# object simply delivers it — nothing is purged. If purging is wanted, it
# needs an ACL check in vcl_recv first (PURGE is currently accepted from any
# client) and then handling here; if not, reject PURGE in vcl_recv so that
# the hit and miss paths agree.
sub vcl_hit {
    deliver;
}
# when an object is not found in the cache.
# A PURGE for something not cached is answered with 404 and never forwarded
# to the backend; all other misses fall through to the default vcl_miss
# (fetch from the backend). See the note on vcl_hit: the hit path does not
# handle PURGE at all, so the two are currently inconsistent.
sub vcl_miss {
    if (req.request == "PURGE") {
        error 404 "Not in cache.";
    }
}
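# when an object needs to be retrieved from the backend to the cache.
# There is no return here, so the built-in default vcl_fetch still runs after
# this block (it should pass uncacheable responses and responses carrying
# Set-Cookie — confirm against the default.vcl shipped with the Varnish in use).
sub vcl_fetch {
    # http://varnish-cache.org/wiki/VCLExampleLongerCaching
    # Keep the object for a day in Varnish but tell clients 15 minutes; the
    # magicmarker lets vcl_deliver reset Age so the client's 15 minutes count
    # from delivery rather than from the original fetch.
    # NOTE(review): obj.cacheable is also true for 404 responses, so "not
    # found" pages stay cached for 1d until purged — confirm that is acceptable.
    if (obj.cacheable) {
        unset obj.http.expires;
        # was "max-age = 900": the Cache-Control grammar has no whitespace
        # around "=", and some clients ignore a directive they cannot parse.
        set obj.http.cache-control = "max-age=900";
        set obj.ttl = 1d;
        set obj.http.magicmarker = "1";
    }
    # PERFORMANCE: based on concepts in the Yahoo! Y!Slow performance guidelines
    remove obj.http.Etag;
    # SECURITY: remove flags identifying underlying technology
    remove obj.http.X-Drupal-Cache;
    remove obj.http.X-Powered-By;
    # the backend's Server header (web-server name and version) identifies the
    # stack just as much as the two above, so drop it for the same reason
    remove obj.http.Server;
    # clip IP address of actual backend server out of HTTP headers.
    remove obj.http.X-Varnish-IP;
    # example of a custom HTTP header
    set obj.http.X-Security = "Is awesome.";
}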
# when a cached object is delivered to a client
sub vcl_deliver {
    # http://varnish-cache.org/wiki/VCLExampleLongerCaching
    # Objects tagged in vcl_fetch get their Age reset so clients see the full
    # max-age; the marker itself is stripped so it never leaves the proxy.
    if (resp.http.magicmarker) {
        unset resp.http.magicmarker;
        set resp.http.age = "0";
    }
    # Diagnostic headers: HIT/MISS plus the hit counter.
    # NOTE(review): these expose caching internals to every client; consider
    # limiting them to trusted addresses or dropping them in production.
    if (obj.hits > 0) {
        set resp.http.X-Cache = "HIT";
        set resp.http.X-Cache-Hits = obj.hits;
    } else {
        set resp.http.X-Cache = "MISS";
    }
    deliver;
}