VarnishConfig: enable override of default pass rules in builtin VCL
`vcl_recv` in `builtin.vcl` does this, among other things:

- If the client request has either of the headers `Authorization` or `Cookie`, then `return(pass)`. This means that cache lookups are bypassed, and the response will not be cached (even if it would have been cached otherwise).
- That means that the response is not cacheable if the request has any Cookie at all (!). Or if Basic Auth was executed.
The reason is that if there is a Cookie, or if a user has "logged in" via Basic Auth, then it is possible that the response is personalized; if it is, then it should not be cached. Varnish cannot know about this for every site, so the default is the cautious choice.
Cookies are evil, and like the Evil, they are Always and Everywhere. So nearly every Varnish deployment, in order to be able to cache responses despite the omnipresent Evil of Cookies, has to override this default rule, by returning out of a custom `vcl_recv` implementation, before the flow can get to built-in `vcl_recv`.
For Varnish/Ingress, that can be done now with the `vcl` field in VarnishConfig. But we can add capabilities to VarnishConfig to automate the bypass with static config.
Some other steps in built-in `vcl_recv` (we'll have to decide how to handle these in a generated `vcl_recv` override, and maybe enable certain choices concerning these features):

- If the request method is `PRI`, reject with status 405. (Used to be fairly prevalent when SPDY was new, less relevant now.)
- For HTTP/1.1 in a non-ESI-included request, reject with status 400 if the `Host` header is missing (required according to the standard).
- If the request method is none of those specified in the standard, then `return(pipe)`. In my experience, it's a much better idea to reject such requests with 405. (Using vmod selector is a better way to test if the method is one of 8 fixed strings.)
- If the method is neither of `GET` or `HEAD`, then `return(pass)`. Usually fine. (Despite much contemplation about caching responses to POST requests, using a hash of the request body, hardly anyone actually ever does it.)
- Otherwise go to cache lookup (`return(hash)`).
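 
As an added illustration (not part of this issue or the project's code) of what such an override has to do today via the `vcl` field, here is a custom `vcl_recv` that reproduces the built-in checks but rejects unknown methods with 405 instead of piping, and only passes on Cookie when a session cookie survives a whitelist; the cookie name `sessionid` is an assumption.

```vcl
vcl 4.1;

sub vcl_recv {
    # Same as built-in: PRI is never legitimate in HTTP/1.x traffic.
    if (req.method == "PRI") {
        return (synth(405));
    }
    # Same as built-in: HTTP/1.1 requires Host on non-ESI requests.
    if (!req.http.Host && req.esi_level == 0 &&
        req.proto ~ "^(?i)HTTP/1.1") {
        return (synth(400));
    }
    # Differs from built-in: reject non-standard methods instead of pipe,
    # so a backend never sees raw bytes from an unrecognized request.
    if (req.method !~ "^(GET|HEAD|PUT|POST|TRACE|OPTIONS|DELETE|PATCH)$") {
        return (synth(405));
    }
    # Same as built-in: only GET and HEAD are candidates for caching.
    if (req.method != "GET" && req.method != "HEAD") {
        return (pass);
    }
    # Keep the cautious default for Basic Auth: possibly personalized.
    if (req.http.Authorization) {
        return (pass);
    }
    # Cookie whitelist: drop every cookie except "sessionid" (assumed name),
    # then pass only if that one is still present.
    if (req.http.Cookie) {
        set req.http.Cookie = ";" + req.http.Cookie;
        set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
        set req.http.Cookie = regsuball(req.http.Cookie, ";(sessionid)=", "; \1=");
        set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
        set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
        if (req.http.Cookie == "") {
            # Only tracking/analytics cookies were present: cacheable.
            unset req.http.Cookie;
        } else {
            # A session cookie remains: treat as personalized.
            return (pass);
        }
    }
    # Every path above returns, so built-in vcl_recv is never reached.
    return (hash);
}
```

Because every branch returns explicitly, the built-in `vcl_recv` appended after this one never runs, which is exactly the bypass the proposed VarnishConfig fields would generate.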