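# The builtin VCL is called when there is no explicit
# return statement.
#
# See the VCL chapters in the Users Guide for a comprehensive documentation
# at https://www.varnish-cache.org/docs/.

# Marker to tell the VCL compiler that this VCL has been written with the
# 4.0 or 4.1 syntax.
vcl 4.1;

import std;
# https://www.varnish-software.com/developers/tutorials/avoid-http-to-https-redirect-loops-varnish/#create-cache-variations-based-on-the-x-forwarded-proto-header
import proxy;

# https://varnish-cache.org/docs/trunk/users-guide/vcl-backends.html#connecting-through-a-proxy
# The two haproxy backends are unix-socket proxies; the destination backends
# reach the customer origin through them via ".via".
backend haproxy_https {
    .path = "/shared/haproxy_https";
}

backend haproxy_http {
    .path = "/shared/haproxy_http";
}

backend destination_http {
    .host = "<%= @cache_secrets['customers'][@customer]['host'] %>";
    .port = "80";
    .via = haproxy_http;
}

backend destination_https {
    .host = "<%= @cache_secrets['customers'][@customer]['host'] %>";
    .port = "443";
    .via = haproxy_https;
}

sub vcl_recv {
    # Happens before we check if we have this in cache already.
    #
    # Typically you clean up the request here, removing cookies you don't need,
    # rewriting the request, etc.
    #
    # The usage of the proxy module is possible because haproxy is configured
    # to set PROXY SSL headers for us.
    #
    # Both branches overwrite X-Forwarded-Proto, so a value supplied by the
    # client never reaches the cache key (Vary) or the origin.
    #
    # NOTE(review): when Host does not match the customer host,
    # req.backend_hint is left untouched and Varnish falls back to its default
    # backend, which is the first one declared (haproxy_https). Confirm that is
    # intended; answering unknown hosts with a synth error here would make the
    # behaviour explicit.
    if (proxy.is_ssl()) {
        set req.http.X-Forwarded-Proto = "https";
        # 180 = facility local6 (22 * 8) + severity warning (4).
        std.syslog(180, "RECV: this is https");
        if (req.http.host == "<%= @cache_secrets['customers'][@customer]['host'] %>") {
            set req.backend_hint = destination_https;
        }
    } else {
        set req.http.X-Forwarded-Proto = "http";
        std.syslog(180, "RECV: this is http");
        if (req.http.host == "<%= @cache_secrets['customers'][@customer]['host'] %>") {
            set req.backend_hint = destination_http;
        }
    }

    # Cache invalidation: PURGE is authorised only by the shared secret in the
    # x-sunet-cdn-key header; every other PURGE is answered locally with 405.
    #
    # NOTE(review): the secret is the only gate. If the template ever renders
    # an empty key, a header sent with an empty value would presumably match,
    # so make sure the secret is always non-empty at deploy time. An ACL on the
    # client address in addition to the key would narrow who can attempt a
    # purge at all.
    if (req.method == "PURGE") {
        if (req.http.x-sunet-cdn-key == "<%= @cache_secrets['customers'][@customer]['key'] %>") {
            return (purge);
        }
        return(synth(405,"Not allowed."));
    }

    # The purge credential has no meaning outside PURGE handling. Drop it so
    # that a key sent by mistake on an ordinary request is not forwarded to the
    # origin, where it could end up in logs.
    unset req.http.x-sunet-cdn-key;
}

sub vcl_backend_response {
    # Happens after we have read the response headers from the backend.
    #
    # Here you clean the response headers, removing silly Set-Cookie headers
    # and other mistakes your backend does.

    # Use slash/fellow for storage
    set beresp.storage = storage.fellow;

    # Hold stale objects (where TTL has expired) for a longer time
    set beresp.grace = 30m;

    # https://www.varnish-software.com/developers/tutorials/avoid-http-to-https-redirect-loops-varnish/#create-cache-variations-based-on-the-x-forwarded-proto-header
    # Store separate variants for http and https by appending
    # X-Forwarded-Proto (set in vcl_recv) to whatever Vary the origin sent.
    if (beresp.http.Vary) {
        set beresp.http.Vary = beresp.http.Vary + ", X-Forwarded-Proto";
    } else {
        set beresp.http.Vary = "X-Forwarded-Proto";
    }
}

sub vcl_deliver {
    # Happens when we have all the pieces we need, and are about to send the
    # response to the client.
    #
    # You can do accounting or modifying the final object here.

    # Hide only the X-Forwarded-Proto variation added in vcl_backend_response.
    # Removing the whole Vary header would also discard what the origin
    # declared (for example Accept-Encoding, Origin or Cookie), and browsers
    # and downstream caches could then reuse a response for a request it was
    # not generated for.
    if (resp.http.Vary == "X-Forwarded-Proto") {
        unset resp.http.Vary;
    } else if (resp.http.Vary) {
        set resp.http.Vary = regsub(resp.http.Vary, ", X-Forwarded-Proto$", "");
    }
}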