# The builtin VCL is called when there is no explicit # return statement. # # See the VCL chapters in the Users Guide for a comprehensive documentation # at https://www.varnish-cache.org/docs/. # Marker to tell the VCL compiler that this VCL has been written with the # 4.0 or 4.1 syntax. vcl 4.1; import std; # https://www.varnish-software.com/developers/tutorials/avoid-http-to-https-redirect-loops-varnish/#create-cache-variations-based-on-the-x-forwarded-proto-header import proxy; # https://varnish-cache.org/docs/trunk/users-guide/vcl-backends.html#connecting-through-a-proxy backend haproxy_https { .path = "/shared/haproxy_https"; } backend haproxy_http { .path = "/shared/haproxy_http"; } backend destination_https { .host = "<%= @cache_secrets['customers'][@customer]['host'] %>"; .port = "80"; .via = haproxy_http; } backend destination_https { .host = "<%= @cache_secrets['customers'][@customer]['host'] %>; .port = "443"; .via = haproxy_https; } sub vcl_recv { # Happens before we check if we have this in cache already. # # Typically you clean up the request here, removing cookies you don't need, # rewriting the request, etc. # # The usage of the proxy module is possible because haproxy is configured # to set PROXY SSL headers for us. if (proxy.is_ssl()) { std.syslog(180, "RECV: this is https"); if (req.http.host == "<%= @cache_secrets['customers'][@customer]['host'] %>") { set req.backend_hint = destination_https; } } else { std.syslog(180, "RECV: this is http"); if (req.http.host == "<%= @cache_secrets['customers'][@customer]['host'] %>") { set req.backend_hint = destination_http; } } if (req.method == "PURGE") { if (req.http.x-sunet-cdn-key == "<%= @cache_secrets['customers'][@customer]['key'] %>") { return (purge); } return(synth(405,"Not allowed.")); } } sub vcl_backend_response { # Happens after we have read the response headers from the backend. # # Here you clean the response headers, removing silly Set-Cookie headers # and other mistakes your backend does. # Use slash/fellow for storage set beresp.storage = storage.fellow; # Hold stale objects (where TTL has expired) for a longer time set beresp.grace = 30m; # https://www.varnish-software.com/developers/tutorials/avoid-http-to-https-redirect-loops-varnish/#create-cache-variations-based-on-the-x-forwarded-proto-header if(beresp.http.Vary) { set beresp.http.Vary = beresp.http.Vary + ", X-Forwarded-Proto"; } else { set beresp.http.Vary = "X-Forwarded-Proto"; } } sub vcl_deliver { # Happens when we have all the pieces we need, and are about to send the # response to the client. # # You can do accounting or modifying the final object here. unset resp.http.Vary; }