sunet-cdn/cdn-ops
2
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Add basic varnish VCL for testing

Browse source
This commit is contained in:
Patrik Lundin 2024-10-10 20:39:35 +02:00
parent efa9455fe9
commit ff6376b68d
Signed by: patlu
GPG key ID: A0A812BA2249F294
3 changed files with 100 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
View file

@ -78,6 +78,14 @@ class cdn::cache(
content => template('cdn/cache/haproxy.cfg.erb'), content => template('cdn/cache/haproxy.cfg.erb'),
} }
file { "/opt/sunet-cdn/customers/$customer/conf/varnish.vcl":
ensure => file,
owner => $customer_uid,
group => $customer_uid,
mode => '0440',
content => template('cdn/cache/varnish.vcl.erb'),
}
sunet::docker_compose { "sunet-cdn-cache-$customer": sunet::docker_compose { "sunet-cdn-cache-$customer":
content => template('cdn/cache/docker-compose.yml.erb'), content => template('cdn/cache/docker-compose.yml.erb'),
service_name => "cdn-cache-$customer", service_name => "cdn-cache-$customer",

4
global/overlay/etc/puppet/modules/cdn/templates/cache/docker-compose.yml.erb vendored
View file

@ -44,7 +44,7 @@ services:
# Use the same custom user as is used for haproxy. # Use the same custom user as is used for haproxy.
user: <%= @customer_uid %>:<%= @customer_uid %> user: <%= @customer_uid %>:<%= @customer_uid %>
volumes: volumes:
- /opt/sunet-cdn/customers/<%= @customer %>/conf/default.vcl:/etc/varnish/default.vcl:ro - /opt/sunet-cdn/customers/<%= @customer %>/conf/varnish.vcl:/etc/varnish/varnish.vcl:ro
- /opt/sunet-cdn/customers/<%= @customer %>/shared:/shared - /opt/sunet-cdn/customers/<%= @customer %>/shared:/shared
- /opt/sunet-cdn/customers/<%= @customer %>/cache:/cache - /opt/sunet-cdn/customers/<%= @customer %>/cache:/cache
# From https://www.varnish-software.com/developers/tutorials/running-varnish-docker/: # From https://www.varnish-software.com/developers/tutorials/running-varnish-docker/:
@ -65,7 +65,7 @@ services:
"-a", "-a",
"/shared/varnish.sock,PROXY,mode=600", "/shared/varnish.sock,PROXY,mode=600",
"-f", "-f",
"/etc/varnish/default.vcl", "/etc/varnish/varnish.vcl",
"-p", "-p",
"feature=+http2", "feature=+http2",
"-s", "-s",

90
global/overlay/etc/puppet/modules/cdn/templates/cache/varnish.vcl.erb vendored Normal file
View file

@ -0,0 +1,90 @@
# The builtin VCL is called when there is no explicit
# return statement.
#
# See the VCL chapters in the Users Guide for a comprehensive documentation
# at https://www.varnish-cache.org/docs/.
# Marker to tell the VCL compiler that this VCL has been written with the
# 4.0 or 4.1 syntax.
vcl 4.1;
import std;
# https://www.varnish-software.com/developers/tutorials/avoid-http-to-https-redirect-loops-varnish/#create-cache-variations-based-on-the-x-forwarded-proto-header
import proxy;
# https://varnish-cache.org/docs/trunk/users-guide/vcl-backends.html#connecting-through-a-proxy
backend haproxy_https {
.path = "/shared/haproxy_https";
}
backend haproxy_http {
.path = "/shared/haproxy_http";
}
backend destination_https {
.host = "<%= @cache_secrets['customers'][@customer]['host'] %>";
.port = "80";
.via = haproxy_http;
}
backend destination_https {
.host = "<%= @cache_secrets['customers'][@customer]['host'] %>;
.port = "443";
.via = haproxy_https;
}
sub vcl_recv {
# Happens before we check if we have this in cache already.
#
# Typically you clean up the request here, removing cookies you don't need,
# rewriting the request, etc.
#
# The usage of the proxy module is possible because haproxy is configured
# to set PROXY SSL headers for us.
if (proxy.is_ssl()) {
std.syslog(180, "RECV: this is https");
if (req.http.host == "<%= @cache_secrets['customers'][@customer]['host'] %>") {
set req.backend_hint = destination_https;
}
} else {
std.syslog(180, "RECV: this is http");
if (req.http.host == "<%= @cache_secrets['customers'][@customer]['host'] %>") {
set req.backend_hint = destination_http;
}
}
if (req.method == "PURGE") {
if (req.http.x-sunet-cdn-key == "<%= @cache_secrets['customers'][@customer]['key'] %>") {
return (purge);
}
return(synth(405,"Not allowed."));
}
}
sub vcl_backend_response {
# Happens after we have read the response headers from the backend.
#
# Here you clean the response headers, removing silly Set-Cookie headers
# and other mistakes your backend does.
# Use slash/fellow for storage
set beresp.storage = storage.fellow;
# Hold stale objects (where TTL has expired) for a longer time
set beresp.grace = 30m;
# https://www.varnish-software.com/developers/tutorials/avoid-http-to-https-redirect-loops-varnish/#create-cache-variations-based-on-the-x-forwarded-proto-header
if(beresp.http.Vary) {
set beresp.http.Vary = beresp.http.Vary + ", X-Forwarded-Proto";
} else {
set beresp.http.Vary = "X-Forwarded-Proto";
}
}
sub vcl_deliver {
# Happens when we have all the pieces we need, and are about to send the
# response to the client.
#
# You can do accounting or modifying the final object here.
unset resp.http.Vary;
}