Merge branch 'develop' into release-docs
[akkoma] / installation / pleroma.vcl
1 vcl 4.1;
2 import std;
3
4 backend default {
5 .host = "127.0.0.1";
6 .port = "4000";
7 }
8
9 # ACL for IPs that are allowed to PURGE data from the cache
10 acl purge {
11 "127.0.0.1";
12 }
13
14 sub vcl_recv {
15 # Redirect HTTP to HTTPS
16 if (std.port(server.ip) != 443) {
17 set req.http.x-redir = "https://" + req.http.host + req.url;
18 return (synth(750, ""));
19 }
20
21 # CHUNKED SUPPORT
22 if (req.http.Range ~ "bytes=") {
23 set req.http.x-range = req.http.Range;
24 }
25
26 # Pipe if WebSockets request is coming through
27 if (req.http.upgrade ~ "(?i)websocket") {
28 return (pipe);
29 }
30
31 # Allow purging of the cache
32 if (req.method == "PURGE") {
33 if (!client.ip ~ purge) {
34 return(synth(405,"Not allowed."));
35 }
36 return(purge);
37 }
38 }
39
40 sub vcl_backend_response {
41 # gzip text content
42 if (beresp.http.content-type ~ "(text|text/css|application/x-javascript|application/javascript)") {
43 set beresp.do_gzip = true;
44 }
45
46 # Retry broken backend responses.
47 if (beresp.status == 503) {
48 set bereq.http.X-Varnish-Backend-503 = "1";
49 return (retry);
50 }
51
52 # CHUNKED SUPPORT
53 if (bereq.http.x-range ~ "bytes=" && beresp.status == 206) {
54 set beresp.ttl = 10m;
55 set beresp.http.CR = beresp.http.content-range;
56 }
57
58 # Don't cache objects that require authentication
59 if (beresp.http.Authorization && !beresp.http.Cache-Control ~ "public") {
60 set beresp.uncacheable = true;
61 return (deliver);
62 }
63
64 # Allow serving cached content for 6h in case backend goes down
65 set beresp.grace = 6h;
66
67 # Do not cache 5xx responses
68 if (beresp.status == 500 || beresp.status == 502 || beresp.status == 503 || beresp.status == 504) {
69 set beresp.uncacheable = true;
70 return (abandon);
71 }
72
73 # Do not cache redirects and errors
74 if ((beresp.status >= 300) && (beresp.status < 500)) {
75 set beresp.uncacheable = true;
76 set beresp.ttl = 30s;
77 return (deliver);
78 }
79 }
80
81 # The synthetic response for 301 redirects
82 sub vcl_synth {
83 if (resp.status == 750) {
84 set resp.status = 301;
85 set resp.http.Location = req.http.x-redir;
86 return(deliver);
87 }
88 }
89
90 # Ensure WebSockets through the pipe do not close prematurely
91 sub vcl_pipe {
92 if (req.http.upgrade) {
93 set bereq.http.upgrade = req.http.upgrade;
94 set bereq.http.connection = req.http.connection;
95 }
96 }
97
98 sub vcl_hash {
99 # CHUNKED SUPPORT
100 if (req.http.x-range ~ "bytes=") {
101 hash_data(req.http.x-range);
102 unset req.http.Range;
103 }
104 }
105
106 sub vcl_backend_fetch {
107 # Be more lenient for slow servers on the fediverse
108 if bereq.url ~ "^/proxy/" {
109 set bereq.first_byte_timeout = 300s;
110 }
111
112 # CHUNKED SUPPORT
113 if (bereq.http.x-range) {
114 set bereq.http.Range = bereq.http.x-range;
115 }
116
117 if (bereq.retries == 0) {
118 # Clean up the X-Varnish-Backend-503 flag that is used internally
119 # to mark broken backend responses that should be retried.
120 unset bereq.http.X-Varnish-Backend-503;
121 } else {
122 if (bereq.http.X-Varnish-Backend-503) {
123 if (bereq.method != "POST" &&
124 std.healthy(bereq.backend) &&
125 bereq.retries <= 4) {
126 # Flush broken backend response flag & try again.
127 unset bereq.http.X-Varnish-Backend-503;
128 } else {
129 return (abandon);
130 }
131 }
132 }
133 }
134
135 sub vcl_deliver {
136 # CHUNKED SUPPORT
137 if (resp.http.CR) {
138 set resp.http.Content-Range = resp.http.CR;
139 unset resp.http.CR;
140 }
141 }
142
143 sub vcl_backend_error {
144 # Retry broken backend responses.
145 set bereq.http.X-Varnish-Backend-503 = "1";
146 return (retry);
147 }