## Redirect requests to Apache, running on port 8000 on localhost

backend apache {

        .host = "127.0.0.1";

        .port = "8000";

}

acl purge {

        "localhost";

        "127.0.0.1";

        "127.0.1.1";

        "testing.domain.com";

}

sub vcl_recv {

        # remove ?ver=xxxxx strings from urls so css and js files are cached.

        # Watch out when upgrading WordPress, need to restart Varnish or flush cache.

        # Remove "replytocom" from requests to make caching better.

        ## If the request to the backend returns a code other than 200, restart the loop

        ## If the number of restarts reaches the value of the parameter max_restarts,

        ## the request will be error'ed.  max_restarts defaults to 4.  This prevents

        ## an eternal loop in the event that, e.g., the object does not exist at all.

#       if (beresp.status != 200 && beresp.status != 403 && beresp.status != 404) {

#               return(restart);

#       }

        # Exclude this site because it breaks if cached

        #if ( req.http.host == "testing.domain.com" ) {

        #    return( pass );

        #}

        # Serve objects up to 2 minutes past their expiry if the backend is slow to respond.

        set req.grace = 120s;

        # Strip cookies for static files:

       }

        # Remove has_js and Google Analytics __* cookies.

        # Remove a ";" prefix, if present.

        # Remove empty cookies.

       }

        if (req.request == "PURGE") {

                if (!client.ip ~ purge) {

                        error 405 "Not allowed.";

                }

                return (lookup);

        }

        if (req.request == "BAN") {

                if (!client.ip ~ purge) {

                    error 405 "Not allowed.";

                }

                ban("req.url ~ " + req.url + " && req.http.host == " + req.http.host);

                error 200 "Ban added";

        }

        # Pass anything other than GET and HEAD directly.

        if (req.request != "GET" && req.request != "HEAD") {

            return( pass );

        } /* We only deal with GET and HEAD by default */

        # remove cookies for comments cookie to make caching better.

        # never cache the admin pages, or the server-status page

        if (req.request == "GET" && (req.url ~ "(wp-admin|bb-admin|server-status|feed)")) {

            return(pipe);

        }

        # don't cache authenticated sessions

        if (req.http.Cookie && req.http.Cookie ~ "(wordpress_|PHPSESSID)") {

            return(pass);

        }

        # don't cache ajax requests

        if(req.http.X-Requested-With == "XMLHttpRequest" || req.url ~ "nocache" || req.url ~ "(control.php|wp-comments-post.php|wp-login.php|bb-login.php|bb-reset-password.php|register.php)") {

            return (pass);

        }

        return( lookup );

}

sub vcl_hash {

        # Each cached page has to be identified by a key that unlocks it.

        # Add the browser cookie only if a WordPress cookie found.

        if ( req.http.Cookie ~"(wp-postpass|wordpress_logged_in|comment_author_)" ) {

        #if (req.http.Cookie) {

                #set req.hash += req.http.Cookie;

                hash_data(req.http.Cookie);

        }

}

# Called after a document has been successfully retrieved from the backend.

sub vcl_fetch {

        # Uncomment to make the default cache "time to live" is 5 minutes, handy

        # but it may cache stale pages unless purged. (TODO)

        # By default Varnish will use the headers sent to it by Apache (the backend server)

        # to figure out the correct TTL.

        # WP Super Cache sends a TTL of 3 seconds, set in wp-content/cache/.htaccess

        set beresp.ttl   = 24h;

        # Strip cookies for static files and set a long cache expiry time.

        if (req.url ~ "\.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|pdf|txt|tar|wav|bmp|rtf|js|flv|swf|html|htm)$") {

                unset beresp.http.set-cookie;

                set beresp.ttl   = 24h;

        }

        # If WordPress cookies found then page is not cacheable

        if (req.http.Cookie ~"(wp-postpass|wordpress_logged_in|comment_author_)") {

            # set beresp.cacheable = false;#versions less than 3

            #beresp.ttl>0 is cacheable so 0 will not be cached

            set beresp.ttl = 0s;

        } else {

            # set beresp.cacheable = true;

            set beresp.ttl=24h; #cache for 24hrs

        }

        # Varnish determined the object was not cacheable

        if (!beresp.ttl > 0s) {

            set beresp.http.X-Cacheable = "NO:Not Cacheable";

        } else if ( req.http.Cookie ~"(wp-postpass|wordpress_logged_in|comment_author_|UserID|_session)" ) {

                # You don't wish to cache content for logged in users

                set beresp.http.X-Cacheable = "NO:Got Session";

                return(hit_for_pass);

        }  else if ( beresp.http.Cache-Control ~ "private") {

            # You are respecting the Cache-Control=private header from the backend

            set beresp.http.X-Cacheable = "NO:Cache-Control=private";

            return(hit_for_pass);

        } else if ( beresp.ttl < 1s ) {

            # You are extending the lifetime of the object artificially

            set beresp.ttl   = 300s;

            set beresp.grace = 300s;

            set beresp.http.X-Cacheable = "YES:Forced";

        }  else {

            # Varnish determined the object was cacheable

            set beresp.http.X-Cacheable = "YES";

        }

        if (beresp.status == 404 || beresp.status >= 500) {

            set beresp.ttl = 0s;

        }

        ## Remove the X-Forwarded-For header if it exists.

        remove req.http.X-Forwarded-For;

        ## insert the client IP address as X-Forwarded-For. This is the normal IP address of the user.

        set    req.http.X-Forwarded-For = req.http.rlnclientipaddr;

        ## Added security, the "w00tw00t" attacks are pretty annoying so lets block it before it reaches our webserver

        if (req.url ~ "^/w00tw00t") {

                error 403 "Not permitted";

        }

        if (req.url ~ "^/phpmyadmin") {error 403;}

        if (req.url ~ "^/PhpMyAdmin") {error 403;}

        if (req.url ~ "^/databases") {error 403;}

        if (req.url ~ "^/pma") {error 403;}

        if (req.url ~ "^/Toata")  {error 403;}

        ## Deliver the content

        return(deliver);

}

## Deliver

#sub vcl_deliver {

        ## We'll be hiding some headers added by Varnish. We want to make sure people are not seeing we're using Varnish.

        ## Since we're not caching (yet), why bother telling people we use it?

        #remove resp.http.X-Varnish;

        #remove resp.http.Via;

        #remove resp.http.Age;

        ## We'd like to hide the X-Powered-By headers. Nobody has to know we can run PHP and have version xyz of it.

        #remove resp.http.X-Powered-By;

#}

sub vcl_deliver {

  // Debugging

  if (obj.hits > 0) {

    set resp.http.X-Cache = "HIT";

  } else {

    set resp.http.X-Cache = "MISS";

  }

  // Remove some headers: PHP version

  unset resp.http.X-Powered-By;

  // Remove some headers: Apache version & OS

  unset resp.http.Server;

  return (deliver);

}

sub vcl_error {

  set obj.http.Content-Type = "text/html; charset=utf-8";

  set obj.http.Retry-After = "5";

  synthetic {"

<?xml version="1.0" encoding="utf-8"?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"

 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>

  <head>

    <title>"} + obj.status + " " + obj.response + {"</title>

  </head>

  <body>

    <h1>Error "} + obj.status + " " + obj.response + {"</h1>

    <p>"} + obj.response + {"</p>

    <h3>Guru Meditation:</h3>

    <p>XID: "} + req.xid + {"</p>

    <hr>

    <p>Varnish cache server</p>

  </body>

</html>

"};

  return (deliver);

}