Puppet Class: varnish::vcl

Defined in:
manifests/vcl.pp

Summary

Manages the Varnish VCL configuration

Overview

To change the name or location of the VCL file, set $varnish_vcl_conf in the main varnish class; this class writes the rendered VCL to $varnish::varnish_vcl_conf.

NOTE: although you can pass configuration for backends, directors, ACLs, probes and selectors as parameters to this class, it is recommended to use the existing defined types instead:
varnish::backend
varnish::director
varnish::probe
varnish::acl
varnish::selector
See the README for details on how to use them.
Note:

VCL applies the following restrictions:

  • if you define an ACL it must be used

  • if you define a probe it must be used

  • if you define a backend it must be used

  • if you define a director it must be used

If you define two or more backends or directors, you must also define selectors so that the VCL can choose between them. Not following these rules results in a VCL compilation failure when the varnish service is reloaded with the new file. To catch this before it takes the service down, compile the rendered file first with varnishd -C -f <path to the VCL file>, which only prints the generated C code and exits without starting a daemon.
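The following declaration is an added example, not taken from the module's own documentation. It shows a configuration that satisfies every restriction above: one probe used by two backends, both backends grouped in a director, and a selector that routes requests to that director. Because the backends hash is passed explicitly, the class default backend named 'default' is no longer declared, so it cannot be left unused. The parameter names inside the probe, director and selector hashes (url, probe, type, backends, condition) are assumptions about the underlying defined types and should be checked against the module's manifests before use; the hostnames and addresses are constructed.

```puppet
# Added example: a varnish::vcl declaration that satisfies the VCL
# "everything defined must be used" rules and the two-backends-need-selectors rule.
# Parameter names inside the probe/director/selector hashes are assumed, not
# confirmed by this page; addresses and hostnames are constructed for illustration.
class { 'varnish::vcl':
  # One probe, referenced by both backends below (a defined probe must be used).
  probes    => {
    'app_health' => { url => '/healthz' },
  },
  # Passing this hash replaces the class default { 'default' => 127.0.0.1:8080 },
  # so no unused 'default' backend is left behind to break compilation.
  backends  => {
    'app1' => { host => '10.0.1.10', port => 8080, probe => 'app_health' },
    'app2' => { host => '10.0.1.11', port => 8080, probe => 'app_health' },
  },
  # Both backends are used by the director (a defined backend must be used).
  directors => {
    'app_pool' => { type => 'round-robin', backends => ['app1', 'app2'] },
  },
  # With more than one backend a selector is mandatory; the selector key names
  # the director it sends matching requests to (a defined director must be used).
  selectors => {
    'app_pool' => { condition => 'req.http.host == "app.example.com"' },
  },
}
```

If you later add a third backend directly with the varnish::vcl::backend defined type instead of through this hash, remember that it still has to be referenced by a director or selector, or the next reload will fail to compile the VCL.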

Parameters:

  • functions (Hash) (defaults to: {})

    Hash of additional function definitions

  • probes (Hash) (defaults to: {})

    Hash of probes, defined as varnish::vcl::probe

  • backends (Hash) (defaults to: { 'default' => { host => '127.0.0.1', port => 8080 } })

    Hash of backends, defined as varnish::vcl::backend

  • directors (Hash) (defaults to: {})

    Hash of directors, defined as varnish::vcl::director

  • selectors (Hash) (defaults to: {})

    Hash of selectors, defined as varnish::vcl::selector

  • acls (Hash) (defaults to: {})

    Hash of acls, defined as varnish::vcl::acl

  • blockedips (Array) (defaults to: [])

    Array of IPs that will be blocked by the default VCL (they become the hosts of the blockedips ACL)

  • blockedbots (Array) (defaults to: [])

    Array of bot User-Agent strings that will be blocked

  • enable_waf (Boolean) (defaults to: false)

    Enables the VCL WAF component (the waf.vcl include)

  • pipe_uploads (Boolean) (defaults to: false)

    If the request is a post/put upload (chunked or multipart), pipe the request to the backend.

  • wafexceptions (Array[String]) (defaults to: ['57' , '56' , '34'])

    WAF rule IDs to exclude from the WAF component

  • purgeips (Array[Stdlib::IP::Address]) (defaults to: [])

    Source IPs that are allowed to send PURGE requests (the hosts of the purge ACL). The default is an empty list, so no client may purge until you set this.

  • includedir (Stdlib::Absolutepath) (defaults to: '/etc/varnish/includes')

    Directory for the include files

  • manage_includes (Boolean) (defaults to: true)

    Whether the include files (and the resources they contain, such as directors and probes) should be created

  • cookiekeeps (Array[String]) (defaults to: ['__ac', '_ZopeId', 'captchasessionid', 'statusmessages', '__cp', 'MoodleSession'])

    Cookie names that are kept and passed on to the backend

  • defaultgrace (Optional[String]) (defaults to: undef)

    Default grace time for cached items

  • min_cache_time (String) (defaults to: '60s')

    Default cache time

  • static_cache_time (String) (defaults to: '5m')

    Cache time for static elements such as images

  • gziptypes (Array[String]) (defaults to: ['text/', 'application/xml', 'application/rss', 'application/xhtml', 'application/javascript', 'application/x-javascript'])

    Content types that will be gzipped

  • template (Optional[String]) (defaults to: undef)

    Override the ERB template used to render the VCL

  • logrealip (Boolean) (defaults to: false)

    Create a std.log entry with the real IP of the client

  • honor_backend_ttl (Boolean) (defaults to: false)

    Whether the TTL sent by the backend is honored

  • cond_requests (Boolean) (defaults to: false)

    Whether conditional requests are allowed

  • x_forwarded_proto (Boolean) (defaults to: false)

    Whether the X-Forwarded-Proto header should be added to the cache hash

  • https_redirect (Boolean) (defaults to: false)

    Deprecated

  • drop_stat_cookies (Boolean) (defaults to: true)

    Deprecated

  • cond_unset_cookies (Optional[String]) (defaults to: undef)

    VCL condition under which all cookies are unset

  • unset_headers (Array[String]) (defaults to: ['Via','X-Powered-By','X-Varnish','Server','Age','X-Cache'])

    Unset the named HTTP headers

  • unset_headers_debugips (Array[Stdlib::IP::Address]) (defaults to: ['172.0.0.1'])

    Do not unset the named headers for requests from these IPs (the hosts of the unset_headers_debugips ACL). Note that the default 172.0.0.1 is neither the loopback address nor an RFC 1918 private address; set this explicitly to the addresses your operators debug from.

  • vcl_version (Varnish::Vclversion) (defaults to: '4')

    Which VCL version should be used
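As an added example that is not part of the module's documentation, the declaration below uses only parameters from the class signature to tighten the client-facing behaviour of the default VCL: it restricts PURGE to named hosts, blocks known-bad clients, strips fingerprinting headers for everyone except named debug hosts, and forwards only the cookies the backend needs. All addresses, cookie names and bot strings are constructed for illustration; which cookies and debug hosts are right depends on your application.

```puppet
# Added example: hardening the default VCL through varnish::vcl parameters.
# Every parameter name comes from the class signature on this page; the
# addresses, cookie names and User-Agent strings are constructed placeholders.
class { 'varnish::vcl':
  # PURGE is only accepted from these sources (purge ACL). The class default
  # is [], which means nobody may purge, so this list must be explicit.
  purgeips               => ['127.0.0.1', '10.0.0.5'],

  # Clients rejected outright by the default VCL (blockedips ACL) and
  # User-Agent strings of bots that are refused.
  blockedips             => ['203.0.113.7'],
  blockedbots            => ['masscan', 'sqlmap'],

  # Remove headers that reveal the cache and backend stack from responses...
  unset_headers          => ['Via', 'X-Powered-By', 'X-Varnish', 'Server', 'Age', 'X-Cache'],
  # ...except for requests from operator hosts. This overrides the class
  # default of '172.0.0.1', which is a routable address rather than loopback.
  unset_headers_debugips => ['127.0.0.1', '10.0.0.5'],

  # Only these cookies survive to the backend; everything else is dropped,
  # which also keeps tracking cookies from splitting the cache.
  cookiekeeps            => ['session_id', 'csrftoken'],

  # Stream large POST/PUT bodies straight to the backend instead of buffering.
  pipe_uploads           => true,

  # Turn on the WAF include and keep all of its rules active.
  enable_waf             => true,
  wafexceptions          => [],
}
```

After applying this, confirm the purge restriction from an address that is not in purgeips: a PURGE request from such a host must be refused, while the same request from 10.0.0.5 must succeed. Checking the rendered file with varnishd -C -f before the service reloads catches any ACL that ends up defined but unused.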



# File 'manifests/vcl.pp', line 84

class varnish::vcl (
  Hash $functions         = {},
  Hash $probes            = {},
  Hash $backends          = { 'default' => { host => '127.0.0.1', port => 8080 } },
  Hash $directors         = {},
  Hash $selectors         = {},
  Hash $acls              = {},
  Array $blockedips        = [],
  Array $blockedbots       = [],
  Boolean $enable_waf        = false,
  Boolean $pipe_uploads      = false,
  Array[String] $wafexceptions     = ['57' , '56' , '34'],
  Array[Stdlib::IP::Address] $purgeips          = [],
  Stdlib::Absolutepath $includedir        = '/etc/varnish/includes',
  Boolean $manage_includes   = true,
  Array[String] $cookiekeeps       = ['__ac', '_ZopeId', 'captchasessionid', 'statusmessages', '__cp', 'MoodleSession'],
  Optional[String] $defaultgrace      = undef,
  String $min_cache_time    = '60s',
  String $static_cache_time = '5m',
  Array[String] $gziptypes         = ['text/', 'application/xml', 'application/rss', 'application/xhtml', 'application/javascript', 'application/x-javascript'],
  Optional[String] $template          = undef,
  Boolean $logrealip         = false,
  Boolean $honor_backend_ttl = false,
  Boolean $cond_requests     = false,
  Boolean $x_forwarded_proto = false,
  Boolean $https_redirect    = false,
  Boolean $drop_stat_cookies = true,
  Optional[String] $cond_unset_cookies = undef,
  Array[String] $unset_headers     = ['Via','X-Powered-By','X-Varnish','Server','Age','X-Cache'],
  Array[Stdlib::IP::Address] $unset_headers_debugips = ['172.0.0.1'],
  Varnish::Vclversion $vcl_version     = '4',
) {
  include varnish

  # select template to use
  if $template {
    $template_vcl = $template
  }
  else {
    $template_vcl = $vcl_version ? {
      '4'     => 'varnish/varnish4-vcl.erb',
      '3'     => 'varnish/varnish-vcl.erb',
      default => 'varnish/varnish4-vcl.erb',
    }
  }

  # vcl file
  file { 'varnish-vcl':
    ensure  => file,
    path    => $varnish::varnish_vcl_conf,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template($template_vcl),
    notify  => Service['varnish'],
    require => Package['varnish'],
  }

  if $template == undef or $manage_includes {
    file { $includedir:
      ensure  => directory,
      purge   => true,
      recurse => true,
      require => Package['varnish'],
    }
    $includefiles = ['probes', 'backends', 'directors', 'acls', 'backendselection', 'waf']

    varnish::vcl::includefile { $includefiles: }

    # web application firewall
    concat::fragment { 'waf':
      target  => "${varnish::vcl::includedir}/waf.vcl",
      content => template('varnish/includes/waf.vcl.erb'),
      order   => '02',
    }

    #Create resources

    #Backends
    create_resources(varnish::vcl::backend,$backends)

    #Probes
    create_resources(varnish::vcl::probe,$probes)

    #Directors
    create_resources(varnish::vcl::director,$directors)

    #Selectors
    create_resources(varnish::vcl::selector,$selectors)

    #ACLs
    $default_acls = {
      blockedips => { hosts => $blockedips },
      unset_headers_debugips => { hosts => $unset_headers_debugips },
      purge => { hosts => $purgeips },
    }
    $all_acls = $default_acls + $acls
    create_resources(varnish::vcl::acl,$all_acls)
    Varnish::Vcl::Acl_member <| varnish_fqdn == $facts['networking']['fqdn'] |>
  }
}