diff options
Diffstat (limited to 'ansible/roles/web/files/varnish.vcl')
| -rw-r--r-- | ansible/roles/web/files/varnish.vcl | 140 |
1 files changed, 125 insertions, 15 deletions
diff --git a/ansible/roles/web/files/varnish.vcl b/ansible/roles/web/files/varnish.vcl index 2cdbbfe..c0dc8b6 100644 --- a/ansible/roles/web/files/varnish.vcl +++ b/ansible/roles/web/files/varnish.vcl @@ -1,21 +1,97 @@ # vim: ts=8:expandtab:sw=4:softtabstop=4 +# VCL for Gondul - also requires auth.vcl (see further down) +# Also uses hitch and acmetool for ssl vcl 4.0; +import std; + +# API - apache backend default { .host = "::1"; .port = "8080"; } +# Templating engine +backend templating { + .host = "::1"; + .port = "8081"; +} + +# Definitely not influx backend influx { .host = "::1"; .port = "8086"; } +# For certbot +# WTF... isn't this apache? Apparently acmetool listens on port 402 +backend acmetool { + .host = "::1"; + .port = "402"; +} + +# White-list localhost - PLEASE make sure this is actually smart +acl white { + "::1"; + "127.0.0.0"/8; + #"172.16.0.0"/12; + #"192.168.0.0"/16; + #"10.0.0.0"/8; +} + +# vcl_recv is "prep-processing of requests sub vcl_recv { + # Handle certbot by passing /.well-known to acmetool + if (req.url ~ "^/.well-known/acme-challenge/") { + set req.backend_hint = acmetool; + return(pass); + } + + # Redirect to https - note that this does NOT happen for + # "whitelisted" stuff - e.g., templating engine. + #disabled as we haven't fixd hitch for ssl termination + #if (std.port(local.ip) == 80 && client.ip !~ white) { + # set req.http.x-redir = "https://" + req.http.host + req.url; + # return(synth(301)); + #} + + # Basic authentication .... + # We include the following from /etc/varnish/auth.vcl, to keep passwords + # out of default vcl: + # req.http.Authorization != "Basic AAAA" + # + # where AAAA is the result of: + # echo -n user:password | base64. + # Example: + # kly@jade:~$ echo -n tech:rules | base64 + # dGVjaDpydWxlcw== + # # cat /etc/varnish/auth.vcl + # req.http.Authorization != "Basic dGVjaDpydWxlcw==" + if (client.ip !~ white && + include "/etc/varnish/auth.vcl";) { + return(synth(401)); + } else { + unset req.http.Authorization; + set req.http.X-Webauth-User = "admin"; + } + + if (req.url ~ "^/api/templates") { + set req.url = regsub(req.url,"^/api/templates",""); + set req.backend_hint = templating; + } + + if (req.url ~ "^/query") { + set req.backend_hint = influx; + } + + # More human-typable URL if (req.url ~ "^/where" || req.url ~ "^/location") { set req.url = "/api/public/location"; } + + # Fairly standard filtering. Default VCL will do "pipe", which is + # pointless for us. if (req.method != "GET" && req.method != "HEAD" && req.method != "PUT" && @@ -27,50 +103,84 @@ sub vcl_recv { return (synth(418,"LOLOLOL")); } - if (req.url ~ "^/query") { - set req.backend_hint = influx; - } - + # We can only cache GET/HEAD requests. if (req.method != "GET" && req.method != "HEAD") { - /* We only deal with GET and HEAD by default */ return (pass); } - # Brukes ikke. Cookies er for nubs. + # We don't use cookies - so get rid of them so we don't mess up the cache + # by accident. unset req.http.Cookie; - # Tvinges gjennom for å cache med authorization-skrot. + # Force hash, since we want to cache with Authorization headers return (hash); } - -# Rosa magi +# vcl_hash runs right after vcl_recv, and determines what +# is "unique", e.g., what's part of the hash key. We simply +# add the Authorization header, allowing caching of authenticated +# content. +# NOTE: We do NOT run "return" so it will fall back to the default +# vcl builtin, which will add ip/host and URL as you'd expect. sub vcl_hash { - # Wheee. Legg til authorization-headeren i hashen. hash_data(req.http.authorization); } -# Mauve magi. Hva nå enn det er. -# Dette er WIP - Skal flyttes til backend +# vcl_synth is run for "synthetic messages": responses generated internally +# from Varnish, typically error messages or "return (synth...)" +sub vcl_synth { + if (resp.status == 401) { + set resp.http.WWW-Authenticate = {"Basic realm="WHAT .... is your favorite color?""}; + } + + # Second part of redirect-logic + if (resp.status == 301) { + set resp.http.Location = req.http.x-redir; + return (deliver); + } +} + +# vcl_backend_response is run when we have a reply from a backend, +# allowing us to massage the backend response. We wish to do as little +# as possible here to keep things transparent. sub vcl_backend_response { + # Expose the URL used for debug purposes and future + # cache invalidation. set beresp.http.x-url = bereq.url; + + # If the backend response supplies the "x-ban" HTTP response + # header, then invalidate based on it. This is used for for + # invalidating e.g. switch-management if a switch is added, or the oplog. if (beresp.http.x-ban) { ban("obj.http.x-url ~ " + beresp.http.x-ban); } + + # Force gzip on text-based content so we don't have to + # rely on Apache. + if (beresp.http.content-type ~ "text") { + set beresp.do_gzip = true; + } + + # Do some hand-crafting for influx. Should probably be + # improved... e.g.: with checking error codes. if (bereq.url ~ "/query") { - # Let's blindly cache influx requests for 5+10s set beresp.http.Cache-Control = "max-age=5"; unset beresp.http.Pragma; set beresp.uncacheable = false; set beresp.grace = 10s; set beresp.ttl = 5s; } + + # Wait, nvm, we catch non-200 here and make them actually cacheable for 5 + # seconds - we don't want to nuke a backend just because it has ...issues. if (beresp.status != 200) { set beresp.uncacheable = false; set beresp.ttl = 5s; } - if (bereq.url ~ "\.(html|css|js)") { - # Mainly for ease of development + # So for html/css/js there really is no sensible blackend to set + # smart TTL, so we hard-code it to 10s. 10s can be a bit annoying + # for development, but works. + if (bereq.url ~ "\.(html|css|js)" || bereq.url ~ "^/[^/.]*") { set beresp.ttl = 10s; } } |