[varnish] Use Varnish 4.1, redirect to HTTPS

2 files changed, 16 insertions, 6 deletions

diff --git a/varnish/Dockerfile b/varnish/Dockerfile
index 4a4b7dd7e08c..54a8afe27879 100644
--- a/varnish/Dockerfile
+++ b/varnish/Dockerfile
@@ -1,11 +1,14 @@
 FROM centos:7
 MAINTAINER Vincent Ambo <hej@tazj.in>
 
-EXPOSE 6081 6082
+EXPOSE 6081 6082 6083
 
-RUN yum install -y epel-release && yum install -y varnish
+RUN yum install -y epel-release && \
+    rpm --nosignature -i https://repo.varnish-cache.org/redhat/varnish-4.1.el7.rpm && \
+    yum install -y varnish
 
 ADD default.vcl /etc/varnish/default.vcl
 
 CMD ulimit -n 131072 && \
-    /usr/sbin/varnishd -F -f /etc/varnish/default.vcl -a :6081 -T :6082 -t 120
+    /usr/sbin/varnishd -F -f /etc/varnish/default.vcl \
+                       -a :6081 -T :6082 -a :6083,PROXY -t 120
diff --git a/varnish/default.vcl b/varnish/default.vcl
index ebf1854df855..066b1a9b248f 100644
--- a/varnish/default.vcl
+++ b/varnish/default.vcl
@@ -1,4 +1,5 @@
 vcl 4.0;
+import std;
 
 # By default, Varnish will run on the same servers as the blog. Inside of
 # Kubernetes this will be inside the same pod.
@@ -23,6 +24,11 @@ sub vcl_recv {
         if (req.url ~ "^/admin") {
                 return (pass);
         }
+
+        # Redirect non-www to www and non-HTTPS to HTTPS
+        if (req.http.host ~ "tazj.in" || std.port(local.ip) == 6081) {
+                return (synth (750, ""));
+        }
 }
 
 sub vcl_backend_response {
@@ -38,9 +44,10 @@ sub vcl_deliver {
 }
 
 sub vcl_synth {
-        # Execute redirects
-        if (resp.status == 301) {
-                set resp.http.Location = req.url;
+        # Execute TLS or www. redirect
+        if (resp.status == 750) {
+                set resp.http.Location = "https://www.tazj.in" + req.url;
+                set resp.status = 301;
                 return (deliver);
         }
 }