Improve varnish config, add support for URIBAN by regex #495
Changes from all commits
ead552d
11cbd62
b8ef26d
9e62b7f
6859a11
a3e28a4
2294948
cba1254
|
|
@@ -183,7 +183,7 @@ data: | |||||
| set beresp.http.x-ttl = "10m"; | ||||||
| } | ||||||
|
|
||||||
| if (bereq.url ~ "^[^?]*\.(jpg|jpeg|gif|png|svg|ico|webp|css|js|zip|tgz|gz|rar|bz2|pdf|txt|tar|wav|bmp|rtf|flv|swf|html|htm|otf)(\?.*)?$") { | ||||||
| if (bereq.url ~ "^[^?]*\.(?:jpg|jpeg|gif|png|svg|ico|webp|css|js|zip|tgz|gz|rar|bz2|pdf|txt|tar|wav|bmp|rtf|flv|swf|html|htm|otf)(?:\?.*)?$") { | ||||||
| # Strip any cookies before static files are inserted into cache. | ||||||
| unset beresp.http.set-cookie; | ||||||
| if(beresp.status == 200){ | ||||||
|
|
@@ -199,7 +199,7 @@ data: | |||||
| # Large static files are delivered directly to the end-user without | ||||||
| # waiting for Varnish to fully read the file first. | ||||||
| # Varnish 4 fully supports Streaming, so use streaming here to avoid locking. | ||||||
| if (bereq.url ~ "^[^?]*\.(mp[34]|rar|tar|tgz|gz|pdf|wav|zip|bz2|xz|7z|avi|mov|ogm|mpe?g|mk[av]|webm)(\?.*)?$") { | ||||||
| if (bereq.url ~ "^[^?]*\.(?:mp[34]|rar|tar|tgz|gz|pdf|wav|zip|bz2|xz|7z|avi|mov|ogm|mpe?g|mk[av]|webm)(?:\?.*)?$") { | ||||||
| unset beresp.http.set-cookie; | ||||||
| set beresp.do_stream = true; # Check memory usage it'll grow in fetch_chunksize blocks (128k by default) if the backend doesn't send a Content-Length header, so only enable it for big objects | ||||||
| set beresp.do_gzip = false; # Don't try to compress it for storage | ||||||
|
|
@@ -304,8 +304,8 @@ data: | |||||
| return(pipe); | ||||||
| } | ||||||
|
|
||||||
| # Only allow BAN requests from IP addresses in the 'purge' ACL. | ||||||
| if (req.method == "BAN" || req.method == "URIBAN") { | ||||||
| # Only allow BAN requests from IP addressees in the 'internal' ACL. | ||||||
| if (req.method == "BAN") { | ||||||
| # Admin port is only exposed to internal network | ||||||
| if (!client.ip ~ purge) { | ||||||
| return (synth(403, "Not allowed.")); | ||||||
|
|
@@ -319,11 +319,30 @@ data: | |||||
| elseif (req.http.Cache-Tags) { | ||||||
| ban("obj.http.Cache-Tags ~ " + req.http.Cache-Tags); | ||||||
| } | ||||||
| elseif (req.method == "URIBAN") { | ||||||
| ban("req.http.host == " + req.http.host + " && req.url == " + req.url); | ||||||
| else { | ||||||
| # If there are no cache tags headers in a BAN request, | ||||||
| # it is a bad request, so indicate that to the client. | ||||||
| return (synth(400, "Cache tags headers not present.")); | ||||||
| } | ||||||
| # Throw a synthetic page so the request won't go to the backend. | ||||||
| return (synth(200, "Ban added.")); | ||||||
| } | ||||||
|
|
||||||
| # Only allow URIBAN requests from IP addressees in the 'internal' ACL. | ||||||
| if (req.method == "URIBAN") { | ||||||
| # Admin port is only exposed to internal network | ||||||
| if (!client.ip ~ purge) { | ||||||
| return (synth(403, "Not allowed.")); | ||||||
| } | ||||||
|
|
||||||
| # If x-url-invalidate-pattern header is present, | ||||||
| # use it to match URLs in stored objects. (ban by regex pattern) | ||||||
| if (req.http.x-url-invalidate-pattern) { | ||||||
| ban("obj.http.x-url ~ " + req.http.x-url-invalidate-pattern); | ||||||
|
||||||
| } | ||||||
| # Without pattern, ban by matching host and URL exactly. | ||||||
| else { | ||||||
| return (synth(403, "Cache tags headers not present.")); | ||||||
| ban("obj.http.host == " + req.http.host + " && obj.http.x-url == " + req.url); | ||||||
|
|
||||||
| } | ||||||
| # Throw a synthetic page so the request won't go to the backend. | ||||||
| return (synth(200, "Ban added.")); | ||||||
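Review bot: The URIBAN branch splices the raw request header into the ban expression, `ban("obj.http.x-url ~ " + req.http.x-url-invalidate-pattern);`, without any validation, so a value containing whitespace or an invalid regex yields a ban that Varnish rejects (visible only in varnishlog) while the client still gets 200 "Ban added.", and an overly broad pattern invalidates far more than intended; the purge ACL limits who can send it, but a minimal sanity check before the ban, e.g. `if (req.http.x-url-invalidate-pattern ~ "[[:space:]]") { return (synth(400, "Invalid pattern.")); }`, would make failures explicit instead of silent. The exact-match fallback `ban("obj.http.host == " + req.http.host + " && obj.http.x-url == " + req.url);` has the same concatenation shape and would benefit from the same treatment. Both bans test `obj.http.x-url` and `obj.http.host`, which must be copied onto the object in the backend response path; that code is not in this hunk, and if it is absent URIBAN silently bans nothing. The new comments on the BAN block in the preceding hunk and on the URIBAN block here say 'internal' ACL and "addressees" while the code checks `client.ip ~ purge`; suggest `# Only allow URIBAN requests from IP addresses in the 'purge' ACL.` and the matching wording for BAN.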
|
|
@@ -406,7 +425,7 @@ data: | |||||
|
|
||||||
| {{- if .Values.mailpit.enabled }} | ||||||
| // No varnish for mailpit | ||||||
| if (req.url ~ "^/mailpit(/|$)") { | ||||||
| if (req.url ~ "^/mailpit(?:/|$)") { | ||||||
| return (pass); | ||||||
| } | ||||||
| {{- end }} | ||||||
|
|
@@ -420,13 +439,28 @@ data: | |||||
| return (pass); | ||||||
| } | ||||||
|
|
||||||
| if (req.url ~ "\.(png|gif|jpg|tif|tiff|ico|webp|swf|css|js|pdf|doc|xls|ppt|zip)(\?.*)?$") { | ||||||
| // Forcing a lookup with static file requests | ||||||
| if (req.http.Accept-Encoding) { | ||||||
| if (req.url ~ "\.(?:bz2|eot|gif|gz|ico|jpg|mp3|ogg|pdf|png|svg|swf|tbz|tgz|tif|tiff|ttf|webp|woff|zip)(\?.*)?$") { | ||||||
| # No point in compressing these | ||||||
| unset req.http.Accept-Encoding; | ||||||
| } elsif (req.http.Accept-Encoding ~ "gzip") { | ||||||
| set req.http.Accept-Encoding = "gzip"; | ||||||
| } elsif (req.http.Accept-Encoding ~ "deflate") { | ||||||
| set req.http.Accept-Encoding = "deflate"; | ||||||
| } else { | ||||||
| # unknown algorithm | ||||||
| unset req.http.Accept-Encoding; | ||||||
| } | ||||||
| } | ||||||
|
|
||||||
| if (req.url ~ "\.(?:bmp|bz2|css|doc|eot|gif|ico|jpg|js|pdf|png|ppt|svg|swf|tif|tiff|ttf|webp|woff|xls|zip)$") { | ||||||
| # Static file request do not vary on cookies | ||||||
|
Good point. I like this.
||||||
| unset req.http.Cookie; | ||||||
| return (hash); | ||||||
| } | ||||||
|
|
||||||
| # Do not allow public access to cron.php , update.php or install.php. | ||||||
| if (req.url ~ "^(|/core)/(cron|install|update)\.php$" && !client.ip ~ internal) { | ||||||
| if (req.url ~ "^(?:/core)?/(?:cron|install|update)\.php$" && !client.ip ~ internal) { | ||||||
| # Have Varnish throw the error directly. | ||||||
| return (synth( 404, "Page not found.")); | ||||||
| } | ||||||
|
|
@@ -445,12 +479,7 @@ data: | |||||
| } | ||||||
|
|
||||||
| if (req.http.Cookie) { | ||||||
| if (req.url ~ "\.(png|gif|jpg|svg|tif|tiff|ico|webp|swf|css|js|pdf|doc|xls|ppt|zip|woff|eot|ttf|bmp|bz2)$") { | ||||||
| # Static file request do not vary on cookies | ||||||
| unset req.http.Cookie; | ||||||
| return (hash); | ||||||
| } | ||||||
| elseif (req.http.Cookie ~ "(SESS[a-z0-9]+|SSESS[a-z0-9]+)") { | ||||||
| if (req.http.Cookie ~ "S?SESS[a-z0-9]+=") { | ||||||
|
||||||
| if (req.http.Cookie ~ "S?SESS[a-z0-9]+=") { | |
| if (req.http.Cookie ~ "(S?SESS[a-z0-9]+=)") { |

Consider "IP not allowed".
Reasoning: suppose someone gets the error and has no clue about this code; it would be guesswork why the error occurred.
AFAIK, the message set here is only logged in varnishlog, not transmitted via HTTP.