sunet-cdn/cdn-ops
2
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
cdn-ops/global/overlay/etc/puppet/modules/cdn/templates/cache/varnish.vcl.erb
Patrik Lundin 7286dec3ff
Make sure X-Forwarded-Proto is set 
Needed to cache http and https responses separately via Vary header
2024-10-15 16:29:31 +02:00

93 lines
2.8 KiB
Plaintext
Raw Blame History

# The builtin VCL is called when there is no explicit
# return statement.
#
# See the VCL chapters in the Users Guide for a comprehensive documentation
# at https://www.varnish-cache.org/docs/.
# Marker to tell the VCL compiler that this VCL has been written with the
# 4.0 or 4.1 syntax.
vcl 4.1;
import std;
# https://www.varnish-software.com/developers/tutorials/avoid-http-to-https-redirect-loops-varnish/#create-cache-variations-based-on-the-x-forwarded-proto-header
import proxy;
# https://varnish-cache.org/docs/trunk/users-guide/vcl-backends.html#connecting-through-a-proxy
backend haproxy_https {
.path = "/shared/haproxy_https";
}
backend haproxy_http {
.path = "/shared/haproxy_http";
}
backend destination_http {
.host = "<%= @cache_secrets['customers'][@customer]['host'] %>";
.port = "80";
.via = haproxy_http;
}
backend destination_https {
.host = "<%= @cache_secrets['customers'][@customer]['host'] %>";
.port = "443";
.via = haproxy_https;
}
sub vcl_recv {
# Happens before we check if we have this in cache already.
#
# Typically you clean up the request here, removing cookies you don't need,
# rewriting the request, etc.
#
# The usage of the proxy module is possible because haproxy is configured
# to set PROXY SSL headers for us.
if (proxy.is_ssl()) {
set req.http.X-Forwarded-Proto = "https";
std.syslog(180, "RECV: this is https");
if (req.http.host == "<%= @cache_secrets['customers'][@customer]['host'] %>") {
set req.backend_hint = destination_https;
}
} else {
set req.http.X-Forwarded-Proto = "http";
std.syslog(180, "RECV: this is http");
if (req.http.host == "<%= @cache_secrets['customers'][@customer]['host'] %>") {
set req.backend_hint = destination_http;
}
}
if (req.method == "PURGE") {
if (req.http.x-sunet-cdn-key == "<%= @cache_secrets['customers'][@customer]['key'] %>") {
return (purge);
}
return(synth(405,"Not allowed."));
}
}
sub vcl_backend_response {
# Happens after we have read the response headers from the backend.
#
# Here you clean the response headers, removing silly Set-Cookie headers
# and other mistakes your backend does.
# Use slash/fellow for storage
set beresp.storage = storage.fellow;
# Hold stale objects (where TTL has expired) for a longer time
set beresp.grace = 30m;
# https://www.varnish-software.com/developers/tutorials/avoid-http-to-https-redirect-loops-varnish/#create-cache-variations-based-on-the-x-forwarded-proto-header
if(beresp.http.Vary) {
set beresp.http.Vary = beresp.http.Vary + ", X-Forwarded-Proto";
} else {
set beresp.http.Vary = "X-Forwarded-Proto";
}
}
sub vcl_deliver {
# Happens when we have all the pieces we need, and are about to send the
# response to the client.
#
# You can do accounting or modifying the final object here.
unset resp.http.Vary;
}
Reference in a new issue View git blame Copy permalink