Added docker compose dev env, improved varnish VCL, and added favicons.

config/nginx/dev/localhost.conf

@@ -0,0 +1,17 @@
+server {
+  listen 80 default_server;
+  listen [::]:80 default_server;
+
+  server_name _;
+  server_tokens off;
+
+  location / {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header Host $http_host;
+
+    proxy_pass http://varnish:80;
+    proxy_redirect off;
+  }
+}

config/varnish/default.vcl

@@ -9,52 +9,53 @@ backend default {
   .port = "5000";
 }
 
-acl purge {
-  "localhost";
-  "nginx";
-  "127.0.0.1";
-}
-
 sub vcl_recv {
-  set req.http.Host = regsub(req.http.Host, ":[0-9]+", "");
-  unset req.http.proxy;
-  set req.url = std.querysort(req.url);
-  set req.url = regsub(req.url, "\?$", "");
-  set req.http.Surrogate-Capability = "key=ESI/1.0";
-
-  if (req.url ~ "/purge-cache") {
-    if (!client.ip ~ purge) {
-      return(synth(403, "Not allowed."));
-    }
-    ban("req.http.host == rstat.net");
-    return(synth(200, "Cache cleared"));
+  if (req.method != "GET" &&
+      req.method != "HEAD" &&
+      req.method != "PUT" &&
+      req.method != "POST" &&
+      req.method != "TRACE" &&
+      req.method != "OPTIONS" &&
+      req.method != "DELETE") {
+        /* Non-RFC2616 or CONNECT which is weird. */
+        return (pipe);
   }
 
-  if (!req.http.X-Forwarded-Proto) {
-    if(std.port(server.ip) == 443 || std.port(server.ip) == 8443) {
-      set req.http.X-Forwarded-Proto = "https";
-    } else {
-      set req.http.X-Forwarded-Proto = "https";
-    }
+  # We only deal with GET and HEAD by default
+  if (req.method != "GET" && req.method != "HEAD") {
+      return (pass);
   }
-  
-  # Cache static files
-  if (req.url ~ "^[^?]*\.(7z|avi|bmp|bz2|css|csv|doc|docx|eot|flac|flv|gif|gz|ico|jpeg|jpg|js|less|mka|mkv|mov|mp3|mp4|mpeg|mpg|odt|ogg|ogm|opus|otf|pdf|png|ppt|pptx|rar|rtf|svg|svgz|swf|tar|tbz|tgz|ttf|txt|txz|wav|webm|webp|woff|woff2|xls|xlsx|xml|xz|zip)(\?.*)?$") {
+
+  set req.url = regsub(req.url, "^http[s]?://", "");
+
+  # static files are always cacheable. remove SSL flag and cookie
+  if (req.url ~ "^/(pub/)?(media|static)/.*\.(ico|jpg|jpeg|png|gif|tiff|bmp|mp3|ogg|svg|swf|woff|woff2|eot|ttf|otf)$") {
+    unset req.http.Https;
+    unset req.http.X-Forwarded-Proto;
     unset req.http.Cookie;
-    return(hash);
+    unset req.http.css;
+    unset req.http.js;
   }
-  
-  # Remove all cookies for other requests
-  unset req.http.Cookie;
-  return(hash);
+
+  return (hash);
 }
 
 sub vcl_hash {
+  if (req.http.host) {
+    hash_data(req.http.host);
+  } else {
+    hash_data(server.ip);
+  }
+
+  # To make sure http users don't see ssl warning
+  if (req.http.X-Forwarded-Proto) {
     hash_data(req.http.X-Forwarded-Proto);
+  }
 }
 
 sub vcl_backend_response {
-  # Cache static files and other content in Varnish for 1 min
+  set beresp.http.X-Host = bereq.http.host;
+
   set beresp.ttl = 1m;
   # Enable stale content serving
   set beresp.grace = 24h;
@@ -62,6 +63,30 @@ sub vcl_backend_response {
   if (beresp.http.Cache-Control) {
     set beresp.http.X-Orig-Cache-Control = beresp.http.Cache-Control;
   }
+
+  # validate if we need to cache it and prevent from setting cookie
+  # images, css and js are cacheable by default so we have to remove cookie also
+  if (beresp.ttl > 0s && (bereq.method == "GET" || bereq.method == "HEAD")) {
+    unset beresp.http.set-cookie;
+    unset beresp.http.set-css;
+    unset beresp.http.set-js;
+    if (bereq.url !~ "\.(ico|jpg|jpeg|png|gif|tiff|bmp|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|woff|woff2|eot|ttf|otf)(\?|$)") {
+      set beresp.http.Pragma = "no-cache";
+      set beresp.http.Expires = "-1";
+      set beresp.http.Cache-Control = "no-store, no-cache, must-revalidate, max-age=0";
+      set beresp.grace = 1m;
+    }
+  }
+
+  # If page is not cacheable then bypass varnish for 2 minutes as Hit-For-Pass
+  if (beresp.ttl <= 0s ||
+      beresp.http.Surrogate-control ~ "no-store" ||
+      (!beresp.http.Surrogate-Control && beresp.http.Vary == "*")) {
+    # Mark as Hit-For-Pass for the next 2 minutes
+    set beresp.ttl = 120s;
+    set beresp.uncacheable = true;
+  }
+  return (deliver);
 }
 
 sub vcl_deliver {
@@ -73,4 +98,8 @@ sub vcl_deliver {
     # If no Cache-Control was set by the origin, we'll set a default
     set resp.http.Cache-Control = "no-cache, must-revalidate";
   }
-}
+
+  unset resp.http.Server;
+  unset resp.http.Via;
+  unset resp.http.Link;
+}

config/varnish/dev.vcl

@@ -0,0 +1,105 @@
+vcl 4.1;
+
+# https://github.com/varnish/toolbox/tree/master/vcls/hit-miss
+include "hit-miss.vcl";
+import std;
+
+backend default {
+  .host = "rstat-dashboard";
+  .port = "5000";
+}
+
+sub vcl_recv {
+  if (req.method != "GET" &&
+      req.method != "HEAD" &&
+      req.method != "PUT" &&
+      req.method != "POST" &&
+      req.method != "TRACE" &&
+      req.method != "OPTIONS" &&
+      req.method != "DELETE") {
+        /* Non-RFC2616 or CONNECT which is weird. */
+        return (pipe);
+  }
+
+  # We only deal with GET and HEAD by default
+  if (req.method != "GET" && req.method != "HEAD") {
+      return (pass);
+  }
+
+  set req.url = regsub(req.url, "^http[s]?://", "");
+
+  # static files are always cacheable. remove SSL flag and cookie
+  if (req.url ~ "^/(pub/)?(media|static)/.*\.(ico|jpg|jpeg|png|gif|tiff|bmp|mp3|ogg|svg|swf|woff|woff2|eot|ttf|otf)$") {
+    unset req.http.Https;
+    unset req.http.X-Forwarded-Proto;
+    unset req.http.Cookie;
+    unset req.http.css;
+    unset req.http.js;
+  }
+
+  return (hash);
+}
+
+sub vcl_hash {
+  if (req.http.host) {
+    hash_data(req.http.host);
+  } else {
+    hash_data(server.ip);
+  }
+
+  # To make sure http users don't see ssl warning
+  if (req.http.X-Forwarded-Proto) {
+    hash_data(req.http.X-Forwarded-Proto);
+  }
+}
+
+sub vcl_backend_response {
+  set beresp.http.X-Host = bereq.http.host;
+
+  set beresp.ttl = 1m;
+  # Enable stale content serving
+  set beresp.grace = 24h;
+  # Preserve the origin's Cache-Control header for client-side caching
+  if (beresp.http.Cache-Control) {
+    set beresp.http.X-Orig-Cache-Control = beresp.http.Cache-Control;
+  }
+
+  # validate if we need to cache it and prevent from setting cookie
+  # images, css and js are cacheable by default so we have to remove cookie also
+  if (beresp.ttl > 0s && (bereq.method == "GET" || bereq.method == "HEAD")) {
+    unset beresp.http.set-cookie;
+    unset beresp.http.set-css;
+    unset beresp.http.set-js;
+    if (bereq.url !~ "\.(ico|jpg|jpeg|png|gif|tiff|bmp|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|woff|woff2|eot|ttf|otf)(\?|$)") {
+      set beresp.http.Pragma = "no-cache";
+      set beresp.http.Expires = "-1";
+      set beresp.http.Cache-Control = "no-store, no-cache, must-revalidate, max-age=0";
+      set beresp.grace = 1m;
+    }
+  }
+
+  # If page is not cacheable then bypass varnish for 2 minutes as Hit-For-Pass
+  if (beresp.ttl <= 0s ||
+      beresp.http.Surrogate-control ~ "no-store" ||
+      (!beresp.http.Surrogate-Control && beresp.http.Vary == "*")) {
+    # Mark as Hit-For-Pass for the next 2 minutes
+    set beresp.ttl = 120s;
+    set beresp.uncacheable = true;
+  }
+  return (deliver);
+}
+
+sub vcl_deliver {
+  # Restore the origin's Cache-Control header for the browser
+  if (resp.http.X-Orig-Cache-Control) {
+    set resp.http.Cache-Control = resp.http.X-Orig-Cache-Control;
+    unset resp.http.X-Orig-Cache-Control;
+  } else {
+    # If no Cache-Control was set by the origin, we'll set a default
+    set resp.http.Cache-Control = "no-cache, must-revalidate";
+  }
+
+  unset resp.http.Server;
+  unset resp.http.Via;
+  unset resp.http.Link;
+}