Diffstat (limited to 'services/tazblog/varnish')
-rw-r--r-- | services/tazblog/varnish/Dockerfile | 16 | ||||
-rw-r--r-- | services/tazblog/varnish/default.vcl | 60 |
2 files changed, 76 insertions, 0 deletions
diff --git a/services/tazblog/varnish/Dockerfile b/services/tazblog/varnish/Dockerfile
new file mode 100644
index 000000000000..83733b527d31
--- /dev/null
+++ b/services/tazblog/varnish/Dockerfile
@@ -0,0 +1,16 @@
+FROM centos:7
+MAINTAINER Vincent Ambo <hej@tazj.in>
+
+EXPOSE 6081 6082 6083
+
+RUN yum install -y epel-release && \
+ rpm --nosignature -i https://repo.varnish-cache.org/redhat/varnish-4.1.el7.rpm && \
+ yum install -y varnish
+
+ADD default.vcl /etc/varnish/default.vcl
+
+CMD ulimit -n 131072 && \
+ /usr/sbin/varnishd -F -f /etc/varnish/default.vcl \
+ -a :6081 -T :6082 -a :6083,PROXY -t 120 \
+ -p thread_pool_min=5 -p thread_pool_max=500\
+ -p thread_pool_timeout=300
diff --git a/services/tazblog/varnish/default.vcl b/services/tazblog/varnish/default.vcl
new file mode 100644
index 000000000000..5a15d21a9c98
--- /dev/null
+++ b/services/tazblog/varnish/default.vcl
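Review bot: In the Dockerfile's `CMD`, `-T :6082` binds the varnishd management CLI to every interface and `EXPOSE` publishes it, with no `-S` secret file passed; anything that can reach the pod on 6082 can talk to the admin interface, and on 4.1 I believe a missing `-S` means no authentication at all. Bind it to loopback with `-T localhost:6082`, drop 6082 from `EXPOSE`, and pass `-S <secret-file>` (placeholder path) if remote administration is ever needed. Separately, the `RUN` step installs the repository RPM with `rpm --nosignature`, so the package that configures the yum repo is never signature-checked; import the vendor signing key first and drop the flag, or verify a pinned checksum of the downloaded file.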
@@ -0,0 +1,60 @@
+vcl 4.0;
+import std;
+
+# By default, Varnish will run on the same servers as the blog. Inside of
+# Kubernetes this will be inside the same pod.
+
+backend default {
+ .host = "localhost";
+ .port = "8000";
+}
+
+# Purge requests should be accepted from localhost
+acl purge {
+ "localhost";
+}
+
+sub vcl_recv {
+ # Allow HTTP PURGE from ACL above
+ if (req.method == "PURGE" && client.ip ~ purge) {
+ return (purge);
+ }
+
+ # Don't cache admin page
+ if (req.url ~ "^/admin") {
+ return (pass);
+ }
+
+ # Redirect non-www to www and non-HTTPS to HTTPS
+ if (req.http.host ~ "^tazj.in" || std.port(local.ip) == 6081) {
+ return (synth (750, ""));
+ }
+}
+
+sub vcl_backend_response {
+ # Cache everything for at least 1 minute.
+ if (beresp.ttl < 1m) {
+ set beresp.ttl = 1m;
+ }
+}
+
+sub vcl_deliver {
+ # Add an HSTS header to everything
+ set resp.http.Strict-Transport-Security = "max-age=31536000;includeSubdomains;preload";
+
+ if (obj.hits > 0) {
+ set resp.http.X-Cache = "HIT";
+ } else {
+ set resp.http.X-Cache = "MISS";
+ }
+}
+
+sub vcl_synth {
+ # Execute TLS or www. redirect
+ if (resp.status == 750) {
+ set resp.http.Location = "https://www.tazj.in" + req.url;
+ set resp.http.Strict-Transport-Security = "max-age=31536000;includeSubdomains;preload";
+ set resp.status = 301;
+ return (deliver);
+ }
+}
|
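Review bot: A PURGE from a client outside the `purge` ACL is never rejected in `vcl_recv`: the combined `req.method == "PURGE" && client.ip ~ purge` test simply fails, and the request drops through to the other checks and then to the built-in `vcl_recv`, which as far as I know pipes unrecognised methods to the backend. Test the method first and answer a non-matching client with a synthetic 405, as in the excerpt below. Also worth a comment next to the ACL: on the `:6083,PROXY` listener `client.ip` is taken from the PROXY header, so the ACL is only as trustworthy as whatever is allowed to connect to that port; it should be reachable from the TLS terminator only.

```vcl
sub vcl_recv {
    # Reject PURGE outright unless the client matches the ACL
    if (req.method == "PURGE") {
        if (client.ip !~ purge) {
            return (synth(405, "Method not allowed"));
        }
        return (purge);
    }
    # … unchanged: /admin pass and www/HTTPS redirect …
}
```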