Add varnish proxy

WISVCH · Oct 24, 2024 · aae32cc · aae32cc
1 parent a48591c
commit aae32cc
Show file tree

Hide file tree

Showing 5 changed files with 254 additions and 0 deletions.
diff --git a/apps/website/kustomization.yaml b/apps/website/kustomization.yaml
@@ -7,3 +7,4 @@ resources:
   - pv.yaml
   - httproute.yaml
   - backup.yaml
+  - ./varnish
diff --git a/apps/website/varnish/configmap.yaml b/apps/website/varnish/configmap.yaml
@@ -0,0 +1,198 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: varnish-vcl
+data:
+  default.vcl: |
+    vcl 4.0;
+    import directors;
+    import std;
+
+    # Assumed 'wordpress' host, this can be docker servicename
+    backend default {
+        .host = "website";
+        .port = "80";
+    }
+
+    acl purge {
+        "localhost";
+      "127.0.0.1";
+    }
+
+
+    sub vcl_recv {
+
+
+
+      # Only a single backend
+            set req.backend_hint= default;
+
+            # Setting http headers for backend
+            set req.http.X-Forwarded-For = client.ip;
+          set req.http.X-Forwarded-Proto = "https";
+
+          # Unset headers that might cause us to cache duplicate infos
+          unset req.http.Accept-Language;
+          unset req.http.User-Agent;
+
+      # The purge...no idea if this works
+        if (req.method == "PURGE") {
+            if (!client.ip ~ purge) {
+              return(synth(405,"Not allowed."));
+            }
+            return (purge);
+          }
+          if ( std.port(server.ip) == 6080) {
+
+        set req.http.x-redir = "https://" + req.http.host + req.url;
+                    return (synth(750, "Moved permanently"));
+            }
+
+        # drop cookies and params from static assets
+          if (req.url ~ "\.(gif|jpg|jpeg|swf|ttf|css|js|flv|mp3|mp4|pdf|ico|png)(\?.*|)$") {
+            unset req.http.cookie;
+            set req.url = regsub(req.url, "\?.*$", "");
+          }
+
+        # drop tracking params
+          if (req.url ~ "\?(utm_(campaign|medium|source|term)|adParams|client|cx|eid|fbid|feed|ref(id|src)?|v(er|iew))=") {
+            set req.url = regsub(req.url, "\?.*$", "");
+          }
+
+        # pass wp-admin urls
+          if (req.url ~ "(wp-login|wp-admin)" || req.url ~ "preview=true" || req.url ~ "xmlrpc.php") {
+            return (pass);
+          }
+
+        # pass wp-admin cookies
+          if (req.http.cookie) {
+            if (req.http.cookie ~ "(wordpress_|wp-settings-)") {
+                return(pass);
+            } else {
+              unset req.http.cookie;
+            }
+          }
+    }
+
+
+
+    sub vcl_backend_response {
+        # retry a few times if backend is down
+        if (beresp.status == 503 && bereq.retries < 3 ) {
+          return(retry);
+    }
+
+        if (bereq.http.Cookie ~ "(UserID|_session)") {
+      # if we get a session cookie...caching is a no-go
+            set beresp.http.X-Cacheable = "NO:Got Session";
+            set beresp.uncacheable = true;
+            return (deliver);
+
+        } elsif (beresp.ttl <= 0s) {
+            # Varnish determined the object was not cacheable
+            set beresp.http.X-Cacheable = "NO:Not Cacheable";
+
+        } elsif (beresp.http.set-cookie) {
+            # You don't wish to cache content for logged in users
+            set beresp.http.X-Cacheable = "NO:Set-Cookie";
+            set beresp.uncacheable = true;
+            return (deliver);
+
+        } elsif (beresp.http.Cache-Control ~ "private") {
+            # You are respecting the Cache-Control=private header from the backend
+            set beresp.http.X-Cacheable = "NO:Cache-Control=private";
+            set beresp.uncacheable = true;
+            return (deliver);
+
+        } else {
+            # Varnish determined the object was cacheable
+            set beresp.http.X-Cacheable = "YES";
+
+            # Remove Expires from backend, it's not long enough
+        unset beresp.http.expires;
+
+            # Set the clients TTL on this object
+            set beresp.http.cache-control = "max-age=900";
+
+            # Set how long Varnish will keep it
+            set beresp.ttl = 1w;
+
+            # marker for vcl_deliver to reset Age:
+            set beresp.http.magicmarker = "1";
+        }
+
+      # unset cookies from backendresponse
+      if (!(bereq.url ~ "(wp-login|wp-admin)"))  {
+        set beresp.http.X-UnsetCookies = "TRUE";
+            unset beresp.http.set-cookie;
+            set beresp.ttl = 1h;
+      }
+
+      # long ttl for assets
+        if (bereq.url ~ "\.(gif|jpg|jpeg|swf|ttf|css|js|flv|mp3|mp4|pdf|ico|png)(\?.*|)$") {
+          set beresp.ttl = 365d;
+
+    }
+    set beresp.grace = 1w;
+
+    }
+
+    sub vcl_hash {
+      if ( req.http.X-Forwarded-Proto ) {
+        hash_data( req.http.X-Forwarded-Proto );
+    }
+    }
+
+    sub vcl_backend_error {
+          # display custom error page if backend down
+          if (beresp.status == 503 && bereq.retries == 3) {
+              synthetic(std.fileread("/etc/varnish/error503.html"));
+              return(deliver);
+          }
+    }
+
+    sub vcl_synth {
+        # redirect for http
+        if (resp.status == 750) {
+            set resp.status = 301;
+            set resp.http.Location = req.http.x-redir;
+            return(deliver);
+        }
+    # display custom error page if backend down
+        if (resp.status == 503) {
+            synthetic(std.fileread("/etc/varnish/error503.html"));
+            return(deliver);
+        }
+    }
+
+
+    sub vcl_deliver {
+        # oh noes backend is down
+        if (resp.status == 503) {
+            return(restart);
+        }
+        if (resp.http.magicmarker) {
+          # Remove the magic marker
+            unset resp.http.magicmarker;
+
+          # By definition we have a fresh object
+          set resp.http.age = "0";
+        }
+      if (obj.hits > 0) {
+        set resp.http.X-Cache = "HIT";
+      } else {
+        set resp.http.X-Cache = "MISS";
+      }
+      set resp.http.Access-Control-Allow-Origin = "*";
+    }
+    sub vcl_hit {
+      if (req.method == "PURGE") {
+        return(synth(200,"OK"));
+      }
+    }
+
+    sub vcl_miss {
+      if (req.method == "PURGE") {
+        return(synth(404,"Not cached"));
+      }
+    }
diff --git a/apps/website/varnish/kustomization.yaml b/apps/website/varnish/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - configmap.yaml
+  - rc.yaml
+  - service.yaml
diff --git a/apps/website/varnish/rc.yaml b/apps/website/varnish/rc.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: varnish-proxy
+spec:
+  replicas: 1
+  selector: 
+    app: varnish-proxy
+  template:
+    metadata:
+      name: varnish-proxy
+      labels:
+        app: varnish-proxy
+    spec:
+      volumes:
+        - name: varnish-config
+          configMap:
+            name: varnish-vcl
+            items:
+              - key: default.vcl
+                path: default.vcl
+      containers:
+      - name: varnish
+        image: million12/varnish 
+        env:
+        - name: VCL_CONFIG
+          value: /etc/varnish/default.vcl
+        volumeMounts:
+          - name: varnish-config
+            mountPath: /etc/varnish/
+        ports:
+        - containerPort: 80
diff --git a/apps/website/varnish/service.yaml b/apps/website/varnish/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: varnish-svc
+  namespace: default
+  labels:
+    app: varnish-proxy
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  selector:
+    app: varnish-proxy
+  sessionAffinity: None
+  type: ClusterIP