ahilles107 · February 12, 2018 13:46
diff --git a/Superdesk Publisher Varnish config b/Superdesk Publisher Varnish config
 #
 # This is an example VCL file for Varnish.
 #
 # It does not do anything by default, delegating control to the
 # builtin VCL. The builtin VCL is called when there is no explicit
 # return statement.
 #
 # See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/
 # and https://www.varnish-cache.org/trac/wiki/VCLExamples for more examples.

 # Marker to tell the VCL compiler that this VCL has been adapted to the
 # new 4.0 format.
 vcl 4.0;

 # Default backend definition. Set this to point to your content server.
 backend default {
    .host = "127.0.0.1";
    .port = "8080";
 }

 acl invalidators {
    "localhost";
    "127.0.0.1"/24;
 }

 acl profile {
   "127.0.0.1";
 }

 sub vcl_recv {
    # Happens before we check if we have this in cache already.
    #
    # Typically you clean up the request here, removing cookies you don't need,
    # rewriting the request, etc.

    # allow PURGE
    if (req.method == "PURGE") {
        if (!client.ip ~ invalidators) {
            return (synth(405, "Not allowed"));
        }
        return (purge);
    }

    # allow cache miss
    if (req.http.Cache-Control ~ "no-cache" && client.ip ~ invalidators) {
        set req.hash_always_miss = true;
    }

    # allow ban
    if (req.method == "BAN") {
        if (!client.ip ~ invalidators) {
            return (synth(405, "Not allowed"));
        }

        if (req.http.X-Cache-Tags) {
            ban("obj.http.X-Host ~ " + req.http.X-Host
                + " && obj.http.X-Url ~ " + req.http.X-Url
                + " && obj.http.content-type ~ " + req.http.X-Content-Type
                // the left side is the response header, the right side the invalidation header
                + " && obj.http.X-Cache-Tags ~ " + req.http.X-Cache-Tags
            );
        } else {
            ban("obj.http.X-Host ~ " + req.http.X-Host
                + " && obj.http.X-Url ~ " + req.http.X-Url
                + " && obj.http.content-type ~ " + req.http.X-Content-Type
            );
        }

        return (synth(200, "Banned"));
    }

    if (req.method != "GET" && req.method != "HEAD") {
      return (pass);
    }

    if (req.http.X-Forwarded-Proto == "https" ) {
        set req.http.X-Forwarded-Port = "443";
    } else {
        set req.http.X-Forwarded-Port = "80";
    }

    if (req.http.cf-connecting-ip) {
        set req.http.X-Forwarded-For = req.http.cf-connecting-ip;
    } else {
        set req.http.X-Forwarded-For = client.ip;
    }

    // Remove all cookies except the session ID.
    if (req.http.Cookie) {
        set req.http.Cookie = ";" + req.http.Cookie;
        set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
        set req.http.Cookie = regsuball(req.http.Cookie, ";(SUPERDESKPUBLISHER|PHPSESSID|PPA_ID|REMEMBERME)=", "; \1=");
        set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
        set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");

        if (req.http.Cookie == "") {
            // If there are no more cookies, remove the header to get page cached.
            unset req.http.Cookie;
        }
    }

    if (req.http.X-Blackfire-Query && client.ip ~ profile) {
      return (pass);
    } else {
      // Add a Surrogate-Capability header to announce ESI support.
      set req.http.Surrogate-Capability = "abc=ESI/1.0";
    }
 }

 sub vcl_backend_response {
    # Happens after we have read the response headers from the backend.
    #
    # Here you clean the response headers, removing silly Set-Cookie headers
    # and other mistakes your backend does.

    # Check for ESI acknowledgement and remove Surrogate-Control header
    if (beresp.http.Surrogate-Control ~ "ESI/1.0") {
        unset beresp.http.Surrogate-Control;
        set beresp.do_esi = true;
    }

    set beresp.http.X-Url = bereq.url;
    set beresp.http.X-Host = bereq.http.host;
 }

 sub vcl_deliver {
    # Happens when we have all the pieces we need, and are about to send the
    # response to the client.
    #
    # You can do accounting or modifying the final object here.

    if (obj.hits > 0) {
        set resp.http.X-Cache = "HIT";
        set resp.http.X-Cache-Hits = obj.hits;
    } else {
        set resp.http.X-Cache = "MISS";
    }

    if (!resp.http.X-Cache-Debug) {
        # Remove ban-lurker friendly custom headers when delivering to client
        unset resp.http.X-Url;
        unset resp.http.X-Host;

        # Unset the tagged cache headers
        unset resp.http.X-Cache-Tags;
    }

    set resp.http.Access-Control-Allow-Origin = "*";
    set resp.http.Access-Control-Allow-Credentials = "true";

    if (req.method == "OPTIONS") {
        set resp.http.Access-Control-Max-Age = "1728000";
        set resp.http.Access-Control-Allow-Methods = "GET, POST, PUT, DELETE, PATCH, OPTIONS";
        set resp.http.Access-Control-Allow-Headers = "Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since";

        set resp.http.Content-Length = "0";
        set resp.http.Content-Type = "text/plain charset=UTF-8";
        set resp.status = 204;
    }
 }
	#
	# This is an example VCL file for Varnish.
	#
	# It does not do anything by default, delegating control to the
	# builtin VCL. The builtin VCL is called when there is no explicit
	# return statement.
	#
	# See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/
	# and https://www.varnish-cache.org/trac/wiki/VCLExamples for more examples.

	# Marker to tell the VCL compiler that this VCL has been adapted to the
	# new 4.0 format.
	vcl 4.0;

	# Default backend definition. Set this to point to your content server.
	backend default {
	.host = "127.0.0.1";
	.port = "8080";
	}

	acl invalidators {
	"localhost";
	"127.0.0.1"/24;
	}

	acl profile {
	"127.0.0.1";
	}

	sub vcl_recv {
	# Happens before we check if we have this in cache already.
	#
	# Typically you clean up the request here, removing cookies you don't need,
	# rewriting the request, etc.

	# allow PURGE
	if (req.method == "PURGE") {
	if (!client.ip ~ invalidators) {
	return (synth(405, "Not allowed"));
	}
	return (purge);
	}

	# allow cache miss
	if (req.http.Cache-Control ~ "no-cache" && client.ip ~ invalidators) {
	set req.hash_always_miss = true;
	}

	# allow ban
	if (req.method == "BAN") {
	if (!client.ip ~ invalidators) {
	return (synth(405, "Not allowed"));
	}

	if (req.http.X-Cache-Tags) {
	ban("obj.http.X-Host ~ " + req.http.X-Host
	+ " && obj.http.X-Url ~ " + req.http.X-Url
	+ " && obj.http.content-type ~ " + req.http.X-Content-Type
	// the left side is the response header, the right side the invalidation header
	+ " && obj.http.X-Cache-Tags ~ " + req.http.X-Cache-Tags
	);
	} else {
	ban("obj.http.X-Host ~ " + req.http.X-Host
	+ " && obj.http.X-Url ~ " + req.http.X-Url
	+ " && obj.http.content-type ~ " + req.http.X-Content-Type
	);
	}

	return (synth(200, "Banned"));
	}

	if (req.method != "GET" && req.method != "HEAD") {
	return (pass);
	}

	if (req.http.X-Forwarded-Proto == "https" ) {
	set req.http.X-Forwarded-Port = "443";
	} else {
	set req.http.X-Forwarded-Port = "80";
	}

	if (req.http.cf-connecting-ip) {
	set req.http.X-Forwarded-For = req.http.cf-connecting-ip;
	} else {
	set req.http.X-Forwarded-For = client.ip;
	}

	// Remove all cookies except the session ID.
	if (req.http.Cookie) {
	set req.http.Cookie = ";" + req.http.Cookie;
	set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
	set req.http.Cookie = regsuball(req.http.Cookie, ";(SUPERDESKPUBLISHER\|PHPSESSID\|PPA_ID\|REMEMBERME)=", "; \1=");
	set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
	set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+\|[; ]+$", "");

	if (req.http.Cookie == "") {
	// If there are no more cookies, remove the header to get page cached.
	unset req.http.Cookie;
	}
	}

	if (req.http.X-Blackfire-Query && client.ip ~ profile) {
	return (pass);
	} else {
	// Add a Surrogate-Capability header to announce ESI support.
	set req.http.Surrogate-Capability = "abc=ESI/1.0";
	}
	}

	sub vcl_backend_response {
	# Happens after we have read the response headers from the backend.
	#
	# Here you clean the response headers, removing silly Set-Cookie headers
	# and other mistakes your backend does.

	# Check for ESI acknowledgement and remove Surrogate-Control header
	if (beresp.http.Surrogate-Control ~ "ESI/1.0") {
	unset beresp.http.Surrogate-Control;
	set beresp.do_esi = true;
	}

	set beresp.http.X-Url = bereq.url;
	set beresp.http.X-Host = bereq.http.host;
	}

	sub vcl_deliver {
	# Happens when we have all the pieces we need, and are about to send the
	# response to the client.
	#
	# You can do accounting or modifying the final object here.

	if (obj.hits > 0) {
	set resp.http.X-Cache = "HIT";
	set resp.http.X-Cache-Hits = obj.hits;
	} else {
	set resp.http.X-Cache = "MISS";
	}

	if (!resp.http.X-Cache-Debug) {
	# Remove ban-lurker friendly custom headers when delivering to client
	unset resp.http.X-Url;
	unset resp.http.X-Host;

	# Unset the tagged cache headers
	unset resp.http.X-Cache-Tags;
	}

	set resp.http.Access-Control-Allow-Origin = "*";
	set resp.http.Access-Control-Allow-Credentials = "true";

	if (req.method == "OPTIONS") {
	set resp.http.Access-Control-Max-Age = "1728000";
	set resp.http.Access-Control-Allow-Methods = "GET, POST, PUT, DELETE, PATCH, OPTIONS";
	set resp.http.Access-Control-Allow-Headers = "Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since";

	set resp.http.Content-Length = "0";
	set resp.http.Content-Type = "text/plain charset=UTF-8";
	set resp.status = 204;
	}
	}