pfSense » pfSense Packages

I request we add an plugin for www/varnish4 (added to the ports tree 3/3/2015).

VCL changes from varnish3 to varnish4 are noted here.
https://www.varnish-cache.org/docs/trunk/whats-new/upgrading.html#changes-to-vcl

• varnish4, by default, handles compression accept-encoding sanely. https://www.varnish-cache.org/docs/trunk/users-guide/compression.html We should remove the option to "Fix gzip compression" and instead have a dropdown to..

1. let backends handle compression (default)
2. always compress content (https://www.varnish-cache.org/docs/trunk/users-guide/compression.html#compressing-content-if-backends-don-t)
3. always uncompress content (https://www.varnish-cache.org/docs/trunk/users-guide/compression.html#uncompressing-content-before-entering-the-cache)

• varnish4 sets X-Forward-For before vcl_recv.

• The option "SSL Offload server ACL" should overwrite the X-Forwarded-For header instead of X-Forwarded-Varnish, and it no longer needs to set anything using the client.ip. I don't know who actually uses X-Forwarded-Varnish, but x-Forwarded-For is the current norm, and makes things simpler because that's what varnish4 has built in.
• We should also have an option to unset the X-Forwarded-Proto header if not coming from the trusted "SSL Offload server ACL"

• We might want to add the X-Forwarded-Proto header to the vcl_hash for non-text objects. This way we don't serve an HTML/JS/CSS page with mixed content for a site that allows both HTTP and HTTPS access.
  

  if (req.http.X-Forwarded-Proto && !req.url ~ "\.(zip|pdf|rtf|flv|swf|gif|jpg|jpeg|bmp|png|ico|img|tga|wmf|mp3|ogg)$") {
  hash_data(req.http.X-Forwarded-Proto);
  }
  

• We should add a "Purge ACL" option. Enabling purging in varnish4 is described here. https://www.varnish-cache.org/docs/trunk/users-guide/purging.html#http-purging

Tell me if you need any help making this feature request a reality. Thanks!