X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=installation%2Fpleroma.vcl;h=13dad784c9cc219f48901845e20f83f9278a35d6;hb=d7af0294e6a3a690524e0a08a35c9c6dafbb9f79;hp=8ba67069aa24ec7148ab9fef51e824fa8b9493af;hpb=1d06f5037ded79d8b7d38c6d8738867f47888b10;p=akkoma
diff --git a/installation/pleroma.vcl b/installation/pleroma.vcl
index 8ba67069a..13dad784c 100644
--- a/installation/pleroma.vcl
+++ b/installation/pleroma.vcl
@@ -1,4 +1,5 @@
-vcl 4.0;
+# Recommended varnishncsa logging format: '%h %l %u %t "%m %{X-Forwarded-Proto}i://%{Host}i%U%q %H" %s %b "%{Referer}i" "%{User-agent}i"'
+vcl 4.1;
 import std;
 
 backend default {
@@ -6,46 +7,38 @@ backend default {
 .port = "4000";
 }
 
+# ACL for IPs that are allowed to PURGE data from the cache
+acl purge {
+ "127.0.0.1";
+}
+
 sub vcl_recv {
 # Redirect HTTP to HTTPS
 if (std.port(server.ip) != 443) {
- set req.http.x-redir = "https://" + req.http.host + req.url;
- return (synth(750, ""));
+ set req.http.X-Forwarded-Proto = "http";
+ set req.http.x-redir = "https://" + req.http.host + req.url;
+ return (synth(750, ""));
+ } else {
+ set req.http.X-Forwarded-Proto = "https";
 }
 
- # Pipe if WebSockets request is coming through
- if (req.http.upgrade ~ "(?i)websocket") {
- return (pipe);
+ # CHUNKED SUPPORT
+ if (req.http.Range ~ "bytes=") {
+ set req.http.x-range = req.http.Range;
 }
 
- # Pleroma MediaProxy - strip headers that will affect caching
- if (req.url ~ "^/proxy/") {
- unset req.http.Cookie;
- unset req.http.Authorization;
- unset req.http.Accept;
- return (hash);
- }
-
- # Hack to enable a Terms of Service page missing from Pleroma
- if (req.url ~ "^/about/more$") {
- set req.http.x-redir = "https://" + req.http.host + "/static/terms-of-service.html";
- return (synth(750, ""));
+ # Pipe if WebSockets request is coming through
+ if (req.http.upgrade ~ "(?i)websocket") {
+ return (pipe);
 }
 
- # Strip headers that will affect caching from all other static content
- # This also permits caching of individual toots and AP Activities
- if ((req.url ~ "^/(media|notice|objects|static)/") ||
- (req.url ~ "^/(activities/|api/v1/statuses/\d+$)") ||
- (req.url ~ "^/(activities/|api/v1/statuses/\d+/card$)") ||
- (req.url ~ "(?i)\.(html|js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|ttf|pdf|woff|woff2)$"))
- {
- unset req.http.Cookie;
- unset req.http.Authorization;
- return (hash);
+ # Allow purging of the cache
+ if (req.method == "PURGE") {
+ if (!client.ip ~ purge) {
+ return(synth(405,"Not allowed."));
+ }
+ return(purge);
 }
-
- # Everything else should just be piped to Pleroma
- return (pipe);
 }
 
 sub vcl_backend_response {
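Review bot: The PURGE gate `if (!client.ip ~ purge)` matches the TCP peer address, so it only restricts purging if the TLS terminator in front of Varnish passes the real client address through (PROXY protocol); if it forwards plain HTTP from the same host, every request matches `"127.0.0.1"` and any client can evict cached objects with a `PURGE` request. The `std.port(server.ip) != 443` test above suggests PROXY protocol is assumed, but nothing in this file enforces it, so I would record the requirement next to the ACL: `# client.ip is the TCP peer: this ACL is only meaningful with PROXY protocol from the TLS terminator`. Separately, `req.http.x-range` is treated as an internal header (hashed in vcl_hash and replayed as the backend Range later in this diff) but it is only overwritten when the client sends a `bytes=` Range, so a client-supplied `X-Range` header is honored as-is; add `unset req.http.x-range;` at the top of vcl_recv. vcl_recv is complete within this hunk.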
@@ -54,8 +47,17 @@ sub vcl_backend_response {
 set beresp.do_gzip = true;
 }
 
- # etags are bad
- unset beresp.http.etag;
+ # Retry broken backend responses.
+ if (beresp.status == 503) {
+ set bereq.http.X-Varnish-Backend-503 = "1";
+ return (retry);
+ }
+
+ # CHUNKED SUPPORT
+ if (bereq.http.x-range ~ "bytes=" && beresp.status == 206) {
+ set beresp.ttl = 10m;
+ set beresp.http.CR = beresp.http.content-range;
+ }
 
 # Don't cache objects that require authentication
 if (beresp.http.Authorization && !beresp.http.Cache-Control ~ "public") {
@@ -63,8 +65,6 @@ sub vcl_backend_response {
 return (deliver);
 }
 
- # Default object caching of 86400s;
- set beresp.ttl = 86400s;
 # Allow serving cached content for 6h in case backend goes down
 set beresp.grace = 6h;
 
@@ -76,32 +76,13 @@ sub vcl_backend_response {
 
 # Do not cache redirects and errors
 if ((beresp.status >= 300) && (beresp.status < 500)) {
- set beresp.uncacheable = true;
- set beresp.ttl = 30s;
- return (deliver);
- }
-
- # Pleroma MediaProxy internally sets headers properly
- if (bereq.url ~ "^/proxy/") {
+ set beresp.uncacheable = true;
+ set beresp.ttl = 30s;
 return (deliver);
 }
-
- # Strip cache-restricting headers from Pleroma on static content that we want to cache
- # Also enable streaming of cached content to clients (no waiting for Varnish to complete backend fetch)
- if ((bereq.url ~ "^/(notice|objects)/") ||
- (bereq.url ~ "^/(activities/|api/v1/statuses/\d+$)") ||
- (bereq.url ~ "^/(activities/|api/v1/statuses/\d+/card$)") ||
- (bereq.url ~ "(?i)\.(js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|ttf|pdf|woff|woff2)$"))
- {
- unset beresp.http.set-cookie;
- unset beresp.http.Cache-Control;
- unset beresp.http.x-request-id;
- set beresp.http.Cache-Control = "public, max-age=86400";
- set beresp.do_stream = true;
- }
 }
 
-# The synthetic response for the HTTP to HTTPS upgrade
+# The synthetic response for 301 redirects
 sub vcl_synth {
 if (resp.status == 750) {
 set resp.status = 301;
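Review bot: The `CHUNKED SUPPORT` branch in vcl_backend_response forces a 10-minute TTL on every 206 served for a ranged request, and because the cache key includes the client's raw Range value (`hash_data(req.http.x-range)` in vcl_hash, later in this diff), each distinct Range string is stored as its own object; a client requesting `bytes=0-`, `bytes=1-`, `bytes=2-`, … of a large media file can fill the cache with near-complete copies, each kept for 10 minutes. Varnish's default range support (`http_range_support`) already serves arbitrary ranges from one cached full object, so per-range caching only pays off where the backend cannot be asked for the whole body; if it stays, the trade-off should be documented above the branch: `# each distinct Range value is cached as a separate 10m object; cheap to abuse on large media`. The 503 retry just above this also replays the request before the method/health gate in vcl_backend_fetch runs; that gate lives in a separate hunk and the two should be read together.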
@@ -113,7 +94,58 @@ sub vcl_synth {
 # Ensure WebSockets through the pipe do not close prematurely
 sub vcl_pipe {
 if (req.http.upgrade) {
- set bereq.http.upgrade = req.http.upgrade;
- set bereq.http.connection = req.http.connection;
+ set bereq.http.upgrade = req.http.upgrade;
+ set bereq.http.connection = req.http.connection;
 }
 }
+
+sub vcl_hash {
+ # CHUNKED SUPPORT
+ if (req.http.x-range ~ "bytes=") {
+ hash_data(req.http.x-range);
+ unset req.http.Range;
+ }
+}
+
+sub vcl_backend_fetch {
+ # Be more lenient for slow servers on the fediverse
+ if (bereq.url ~ "^/proxy/") {
+ set bereq.first_byte_timeout = 300s;
+ }
+
+ # CHUNKED SUPPORT
+ if (bereq.http.x-range) {
+ set bereq.http.Range = bereq.http.x-range;
+ }
+
+ if (bereq.retries == 0) {
+ # Clean up the X-Varnish-Backend-503 flag that is used internally
+ # to mark broken backend responses that should be retried.
+ unset bereq.http.X-Varnish-Backend-503;
+ } else {
+ if (bereq.http.X-Varnish-Backend-503) {
+ if (bereq.method != "POST" &&
+ std.healthy(bereq.backend) &&
+ bereq.retries <= 4) {
+ # Flush broken backend response flag & try again.
+ unset bereq.http.X-Varnish-Backend-503;
+ } else {
+ return (abandon);
+ }
+ }
+ }
+}
+
+sub vcl_deliver {
+ # CHUNKED SUPPORT
+ if (resp.http.CR) {
+ set resp.http.Content-Range = resp.http.CR;
+ unset resp.http.CR;
+ }
+}
+
+sub vcl_backend_error {
+ # Retry broken backend responses.
+ set bereq.http.X-Varnish-Backend-503 = "1";
+ return (retry);
+}
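Review bot: The retry gate in vcl_backend_fetch, `bereq.method != "POST"`, only excludes POST, so a PUT, PATCH or DELETE that got a 503 (or a connection error, since vcl_backend_error retries unconditionally) is replayed up to four times even though the first attempt may already have been applied by the backend; a positive check is safer: `if ((bereq.method == "GET" || bereq.method == "HEAD") &&`. The `std.healthy(bereq.backend)` term is always true for a backend without a `.probe`, and the `backend default` shown earlier in this diff has none visible, so unless a probe is defined elsewhere that condition gates nothing — worth a comment such as `# std.healthy only means something once backend default has a .probe`. The 300s `first_byte_timeout` for `/proxy/` lets one slow remote instance hold a backend connection for five minutes per request; consider pairing it with a `.max_connections` limit on the backend if that is not already set elsewhere. The vcl_pipe change at the top is whitespace only.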