X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=installation%2Fpleroma.vcl;h=13dad784c9cc219f48901845e20f83f9278a35d6;hb=8e1f32e71560c4b36ccbdc3ecf8de8386928305a;hp=fe9bf056bb2071e014a89e37e857a68af8609dd6;hpb=6ff583e5e10e59fe76cb51ce3d04587307af9eae;p=akkoma
diff --git a/installation/pleroma.vcl b/installation/pleroma.vcl
index fe9bf056b..13dad784c 100644
--- a/installation/pleroma.vcl
+++ b/installation/pleroma.vcl
@@ -1,4 +1,5 @@
-vcl 4.0;
+# Recommended varnishncsa logging format: '%h %l %u %t "%m %{X-Forwarded-Proto}i://%{Host}i%U%q %H" %s %b "%{Referer}i" "%{User-agent}i"'
+vcl 4.1;
 import std;
 backend default {
@@ -14,49 +15,30 @@ acl purge {
 sub vcl_recv {
 # Redirect HTTP to HTTPS
 if (std.port(server.ip) != 443) {
- set req.http.x-redir = "https://" + req.http.host + req.url;
- return (synth(750, ""));
+ set req.http.X-Forwarded-Proto = "http";
+ set req.http.x-redir = "https://" + req.http.host + req.url;
+ return (synth(750, ""));
+ } else {
+ set req.http.X-Forwarded-Proto = "https";
+ }
+
+ # CHUNKED SUPPORT
+ if (req.http.Range ~ "bytes=") {
+ set req.http.x-range = req.http.Range;
 }
 # Pipe if WebSockets request is coming through
 if (req.http.upgrade ~ "(?i)websocket") {
- return (pipe);
+ return (pipe);
 }
 # Allow purging of the cache
 if (req.method == "PURGE") {
- if (!client.ip ~ purge) {
- return(synth(405,"Not allowed."));
- }
- return(purge);
- }
-
- # Pleroma MediaProxy - strip headers that will affect caching
- if (req.url ~ "^/proxy/") {
- unset req.http.Cookie;
- unset req.http.Authorization;
- unset req.http.Accept;
- return (hash);
- }
-
- # Hack to enable a Terms of Service page missing from Pleroma
- if (req.url ~ "^/about/more$") {
- set req.http.x-redir = "https://" + req.http.host + "/static/terms-of-service.html";
- return (synth(750, ""));
- }
-
- # Strip headers that will affect caching from all other static content
- # This also permits caching of individual toots and AP Activities
- if ((req.url ~ "^/(media|notice|objects|static)/") ||
- (req.url ~ "(?i)\.(html|js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|ttf|pdf|woff|woff2)$"))
- {
- unset req.http.Cookie;
- unset req.http.Authorization;
- return (hash);
+ if (!client.ip ~ purge) {
+ return(synth(405,"Not allowed."));
+ }
+ return(purge);
 }
-
- # Everything else should just be piped to Pleroma
- return (pipe);
 }
 sub vcl_backend_response {
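Review bot: `req.http.x-range` is assigned only when the client sent `Range: bytes=…` but is never cleared otherwise, so a client-supplied `x-range` request header survives into vcl_hash (where it is hashed into the cache key) and vcl_backend_fetch (where it is copied back into `Range`) in the final hunk. Reset the internal header before the check, `unset req.http.x-range;` placed directly above `if (req.http.Range ~ "bytes=") {`, so it is always derived from `Range` and never taken from the client as-is. `X-Forwarded-Proto` is handled correctly in this respect, since both branches of the port check overwrite it; a one-line comment there, `# Always set here; any client-supplied X-Forwarded-Proto is overwritten.`, would make that intent explicit for the next reader.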
@@ -65,8 +47,17 @@ sub vcl_backend_response {
 set beresp.do_gzip = true;
 }
- # etags are bad
- unset beresp.http.etag;
+ # Retry broken backend responses.
+ if (beresp.status == 503) {
+ set bereq.http.X-Varnish-Backend-503 = "1";
+ return (retry);
+ }
+
+ # CHUNKED SUPPORT
+ if (bereq.http.x-range ~ "bytes=" && beresp.status == 206) {
+ set beresp.ttl = 10m;
+ set beresp.http.CR = beresp.http.content-range;
+ }
 # Don't cache objects that require authentication
 if (beresp.http.Authorization && !beresp.http.Cache-Control ~ "public") {
@@ -74,8 +65,6 @@ sub vcl_backend_response {
 return (deliver);
 }
- # Default object caching of 86400s;
- set beresp.ttl = 86400s;
 # Allow serving cached content for 6h in case backend goes down
 set beresp.grace = 6h;
@@ -87,27 +76,10 @@ sub vcl_backend_response {
 # Do not cache redirects and errors
 if ((beresp.status >= 300) && (beresp.status < 500)) {
- set beresp.uncacheable = true;
- set beresp.ttl = 30s;
- return (deliver);
- }
-
- # Pleroma MediaProxy internally sets headers properly
- if (bereq.url ~ "^/proxy/") {
+ set beresp.uncacheable = true;
+ set beresp.ttl = 30s;
 return (deliver);
 }
-
- # Strip cache-restricting headers from Pleroma on static content that we want to cache
- # Also enable streaming of cached content to clients (no waiting for Varnish to complete backend fetch)
- if ((bereq.url ~ "^/(notice|objects)/") ||
- (bereq.url ~ "(?i)\.(js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|ttf|pdf|woff|woff2)$"))
- {
- unset beresp.http.set-cookie;
- unset beresp.http.Cache-Control;
- unset beresp.http.x-request-id;
- set beresp.http.Cache-Control = "public, max-age=86400";
- set beresp.do_stream = true;
- }
 }
 # The synthetic response for 301 redirects
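Review bot: The retry at `if (beresp.status == 503) {` is not restricted by request method here, and the guard that gates it in vcl_backend_fetch (final hunk) only excludes `POST`, so a PUT, PATCH or DELETE that receives a 503 is re-sent to the backend up to four more times, which can duplicate a non-idempotent operation the backend had already started. Consider limiting the retry to safe methods in that guard, `if (bereq.method ~ "^(GET|HEAD)$" &&`, or mirroring the same check here before the flag is set. Once the retries are used up the request is abandoned, so the backend's own 503 body (for example a maintenance page) is replaced by Varnish's synthetic error; if that is intended, a comment such as `# After the last retry the backend's 503 body is dropped in favour of vcl_synth.` would save the next reader a trace. The 206 block in the same hunk also deserves a why-comment, since `set beresp.ttl = 10m;` replaces whatever lifetime the backend's Cache-Control/Expires would have produced for a partial response: `# Partial responses are keyed by Range in vcl_hash and kept for 10 minutes.`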
@@ -122,7 +94,58 @@ sub vcl_synth {
 # Ensure WebSockets through the pipe do not close prematurely
 sub vcl_pipe {
 if (req.http.upgrade) {
- set bereq.http.upgrade = req.http.upgrade;
- set bereq.http.connection = req.http.connection;
+ set bereq.http.upgrade = req.http.upgrade;
+ set bereq.http.connection = req.http.connection;
+ }
+}
+
+sub vcl_hash {
+ # CHUNKED SUPPORT
+ if (req.http.x-range ~ "bytes=") {
+ hash_data(req.http.x-range);
+ unset req.http.Range;
+ }
+}
+
+sub vcl_backend_fetch {
+ # Be more lenient for slow servers on the fediverse
+ if (bereq.url ~ "^/proxy/") {
+ set bereq.first_byte_timeout = 300s;
+ }
+
+ # CHUNKED SUPPORT
+ if (bereq.http.x-range) {
+ set bereq.http.Range = bereq.http.x-range;
 }
+
+ if (bereq.retries == 0) {
+ # Clean up the X-Varnish-Backend-503 flag that is used internally
+ # to mark broken backend responses that should be retried.
+ unset bereq.http.X-Varnish-Backend-503;
+ } else {
+ if (bereq.http.X-Varnish-Backend-503) {
+ if (bereq.method != "POST" &&
+ std.healthy(bereq.backend) &&
+ bereq.retries <= 4) {
+ # Flush broken backend response flag & try again.
+ unset bereq.http.X-Varnish-Backend-503;
+ } else {
+ return (abandon);
+ }
+ }
+ }
+}
+
+sub vcl_deliver {
+ # CHUNKED SUPPORT
+ if (resp.http.CR) {
+ set resp.http.Content-Range = resp.http.CR;
+ unset resp.http.CR;
+ }
+}
+
+sub vcl_backend_error {
+ # Retry broken backend responses.
+ set bereq.http.X-Varnish-Backend-503 = "1";
+ return (retry);
 }
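Review bot: `set bereq.first_byte_timeout = 300s;` for `^/proxy/` holds a backend connection for up to five minutes per media-proxy request while the remote fediverse server is slow, and nothing in this hunk bounds how many such fetches may be in flight at once. Document the trade-off next to it, `# 300s: remote media servers can be slow; rely on .max_connections on the backend so stalled proxy fetches cannot exhaust it.`, and confirm that the backend definition (outside this hunk) actually sets such a cap. As a point of style, the nested `} else { if (bereq.http.X-Varnish-Backend-503) { … } }` in vcl_backend_fetch reads more clearly flattened to `} else if (bereq.http.X-Varnish-Backend-503) {`, and the `bereq.retries <= 4` bound deserves a comment saying what it is presumably aligned with (Varnish's `max_retries` parameter) so the two are kept in sync when either is tuned.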