summary refs log tree commit diff
path: root/services/tazblog/varnish/default.vcl
diff options
context:
space:
mode:
Diffstat (limited to 'services/tazblog/varnish/default.vcl')
-rw-r--r--services/tazblog/varnish/default.vcl60
1 files changed, 60 insertions, 0 deletions
diff --git a/services/tazblog/varnish/default.vcl b/services/tazblog/varnish/default.vcl
new file mode 100644
index 000000000000..5a15d21a9c98
--- /dev/null
+++ b/services/tazblog/varnish/default.vcl
@@ -0,0 +1,60 @@
+vcl 4.0;
+import std;
+
+# By default, Varnish will run on the same servers as the blog. Inside of
+# Kubernetes this will be inside the same pod.
+
+backend default {
+        .host = "localhost";
+        .port = "8000";
+}
+
+# Purge requests should be accepted from localhost
+acl purge {
+        "localhost";
+}
+
+sub vcl_recv {
+        # Allow HTTP PURGE from ACL above
+        if (req.method == "PURGE" && client.ip ~ purge) {
+                return (purge);
+        }
+
+        # Don't cache admin page
+        if (req.url ~ "^/admin") {
+                return (pass);
+        }
+
+        # Redirect non-www to www and non-HTTPS to HTTPS
+        if (req.http.host ~ "^tazj.in" || std.port(local.ip) == 6081) {
+                return (synth (750, ""));
+        }
+}
+
+sub vcl_backend_response {
+        # Cache everything for at least 1 minute.
+        if (beresp.ttl < 1m) {
+                set beresp.ttl = 1m;
+        }
+}
+
+sub vcl_deliver {
+        # Add an HSTS header to everything
+        set resp.http.Strict-Transport-Security = "max-age=31536000;includeSubdomains;preload";
+
+        if (obj.hits > 0) {
+                set resp.http.X-Cache = "HIT";
+        } else {
+                set resp.http.X-Cache = "MISS";
+        }
+}
+
+sub vcl_synth {
+        # Execute TLS or www. redirect
+        if (resp.status == 750) {
+                set resp.http.Location = "https://www.tazj.in" + req.url;
+                set resp.http.Strict-Transport-Security = "max-age=31536000;includeSubdomains;preload";
+                set resp.status = 301;
+                return (deliver);
+        }
+}