https://github.com/vegandthecity/server/issues/14

etc/default/varnish

@@ -72,8 +72,9 @@ p_t=1209600
 DAEMON_OPTS="\
     -a ${p_a} \
     -f ${p_f} \
-    -S /etc/varnish/secret \
+    -p http_resp_hdr_len=65536 \
     -s ${p_s} \
+    -S /etc/varnish/secret \
     -T ${p_T} \
     -t ${p_t} \
 "

etc/varnish/default.vcl

@@ -1,21 +1,27 @@
-# 2020-04-19 Dmitry Fedyuk https://www.upwork.com/fl/mage2pro
-vcl 4.1;
+# VCL version 5.0 is not supported so it should be 4.0 even though actually used Varnish version is 6
+vcl 4.0;
+import std;
 # 2020-04-19 Dmitry Fedyuk https://www.upwork.com/fl/mage2pro
 # «Varnish has a concept of "backend" or "origin" servers.
 # A backend server is the server providing the content Varnish will accelerate.»
 # https://varnish-cache.org/docs/6.4/users-guide/vcl-backends.html
+# 2020-05-10
+# «For SSL offloading, pass the following header in your proxy server or load balancer: 'X-Forwarded-Proto: https'».
 backend default {
-	.host = "127.0.0.1";
+	.first_byte_timeout = 600s;
+	.host = "localhost";
 	.port = "8080";
+	.probe = {
+		.interval = 5s;
+		.threshold = 5;
+		.timeout = 2s;
+		.url = "/shop/health_check.php";
+		.window = 10;
+   }
+}
+acl purge {
+	"localhost";
 }
-# 2020-04-19 Dmitry Fedyuk https://www.upwork.com/fl/mage2pro
-# «Called after the response headers have been successfully retrieved from the backend.»
-# https://varnish-cache.org/docs/6.4/users-guide/vcl-built-in-subs.html#vcl-backend-response
-sub vcl_backend_response {}
-# 2020-04-19 Dmitry Fedyuk https://www.upwork.com/fl/mage2pro
-# «Called before any object except a `vcl_synth` result is delivered to the client.»
-# https://varnish-cache.org/docs/6.4/users-guide/vcl-built-in-subs.html#vcl-deliver
-sub vcl_deliver {}
 # 2020-04-19 Dmitry Fedyuk https://www.upwork.com/fl/mage2pro
 # «Called:
 #	*) at the beginning of a request,
@@ -28,4 +34,200 @@ sub vcl_deliver {}
 #	*) and decide on how to process it further.
 # A backend hint may be set as a default for the backend processing side.»
 # https://varnish-cache.org/docs/6.4/users-guide/vcl-built-in-subs.html#vcl-recv
-sub vcl_recv {}
+sub vcl_recv {
+	if (req.method == "PURGE") {
+		if (client.ip !~ purge) {
+			return (synth(405, "Method not allowed"));
+		}
+		# To use the X-Pool header for purging varnish during automated deployments, make sure the X-Pool header
+		# has been added to the response in your backend server config. This is used, for example, by the
+		# capistrano-magento2 gem for purging old content from varnish during it's deploy routine.
+		if (!req.http.X-Magento-Tags-Pattern && !req.http.X-Pool) {
+			return (synth(400, "X-Magento-Tags-Pattern or X-Pool header required"));
+		}
+		if (req.http.X-Magento-Tags-Pattern) {
+		  ban("obj.http.X-Magento-Tags ~ " + req.http.X-Magento-Tags-Pattern);
+		}
+		if (req.http.X-Pool) {
+		  ban("obj.http.X-Pool ~ " + req.http.X-Pool);
+		}
+		return (synth(200, "Purged"));
+	}
+	if (req.method != "GET" &&
+		req.method != "HEAD" &&
+		req.method != "PUT" &&
+		req.method != "POST" &&
+		req.method != "TRACE" &&
+		req.method != "OPTIONS" &&
+		req.method != "DELETE") {
+		  /* Non-RFC2616 or CONNECT which is weird. */
+		  return (pipe);
+	}
+	# We only deal with GET and HEAD by default
+	if (req.method != "GET" && req.method != "HEAD") {
+		return (pass);
+	}
+	# Bypass shopping cart, checkout and search requests
+	if (req.url ~ "/checkout" || req.url ~ "/catalogsearch") {
+		return (pass);
+	}
+	# Bypass health check requests
+	if (req.url ~ "/shop/health_check.php") {
+		return (pass);
+	}
+	# Set initial grace period usage status
+	set req.http.grace = "none";
+	# normalize url in case of leading HTTP scheme and domain
+	set req.url = regsub(req.url, "^http[s]?://", "");
+	# collect all cookies
+	std.collect(req.http.Cookie);
+	# Compression filter. See https://www.varnish-cache.org/trac/wiki/FAQ/Compression
+	if (req.http.Accept-Encoding) {
+		if (req.url ~ "\.(jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|swf|flv)$") {
+			# No point in compressing these
+			unset req.http.Accept-Encoding;
+		}
+		elsif (req.http.Accept-Encoding ~ "gzip") {
+			set req.http.Accept-Encoding = "gzip";
+		}
+		elsif (req.http.Accept-Encoding ~ "deflate" && req.http.user-agent !~ "MSIE") {
+			set req.http.Accept-Encoding = "deflate";
+		}
+		else {
+			# unknown algorithm
+			unset req.http.Accept-Encoding;
+		}
+	}
+	# Remove all marketing get parameters to minimize the cache objects
+	if (req.url ~ "(\?|&)(gclid|cx|ie|cof|siteurl|zanpid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=") {
+		set req.url = regsuball(req.url, "(gclid|cx|ie|cof|siteurl|zanpid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=[-_A-z0-9+()%.]+&?", "");
+		set req.url = regsub(req.url, "[?|&]+$", "");
+	}
+	# Static files caching
+	if (req.url ~ "^/(pub/)?(media|static)/") {
+		# Static files should not be cached by default
+		return (pass);
+		# But if you use a few locales and don't use CDN you can enable caching static files by commenting previous line (#return (pass);) and uncommenting next 3 lines
+		#unset req.http.Https;
+		#unset req.http.X-Forwarded-Proto;
+		#unset req.http.Cookie;
+	}
+	return (hash);
+}
+sub vcl_hash {
+	if (req.http.cookie ~ "X-Magento-Vary=") {
+		hash_data(regsub(req.http.cookie, "^.*?X-Magento-Vary=([^;]+);*.*$", "\1"));
+	}
+	# For multi site configurations to not cache each other's content
+	if (req.http.host) {
+		hash_data(req.http.host);
+	}
+	else {
+		hash_data(server.ip);
+	}
+	# To make sure http users don't see ssl warning
+	if (req.http.X-Forwarded-Proto) {
+		hash_data(req.http.X-Forwarded-Proto);
+	}
+	if (req.url ~ "/graphql") {
+		call process_graphql_headers;
+	}
+}
+sub process_graphql_headers {
+	if (req.http.Store) {
+		hash_data(req.http.Store);
+	}
+	if (req.http.Content-Currency) {
+		hash_data(req.http.Content-Currency);
+	}
+}
+# 2020-04-19 Dmitry Fedyuk https://www.upwork.com/fl/mage2pro
+# «Called after the response headers have been successfully retrieved from the backend.»
+# https://varnish-cache.org/docs/6.4/users-guide/vcl-built-in-subs.html#vcl-backend-response
+sub vcl_backend_response {
+	set beresp.grace = 3d;
+	if (beresp.http.content-type ~ "text") {
+		set beresp.do_esi = true;
+	}
+	if (bereq.url ~ "\.js$" || beresp.http.content-type ~ "text") {
+		set beresp.do_gzip = true;
+	}
+	if (beresp.http.X-Magento-Debug) {
+		set beresp.http.X-Magento-Cache-Control = beresp.http.Cache-Control;
+	}
+	# cache only successfully responses and 404s
+	if (beresp.status != 200 && beresp.status != 404) {
+		set beresp.ttl = 0s;
+		set beresp.uncacheable = true;
+		return (deliver);
+	} elsif (beresp.http.Cache-Control ~ "private") {
+		set beresp.uncacheable = true;
+		set beresp.ttl = 86400s;
+		return (deliver);
+	}
+	# validate if we need to cache it and prevent from setting cookie
+	if (beresp.ttl > 0s && (bereq.method == "GET" || bereq.method == "HEAD")) {
+		unset beresp.http.set-cookie;
+	}
+   # If page is not cacheable then bypass varnish for 2 minutes as Hit-For-Pass
+   if (beresp.ttl <= 0s ||
+	   beresp.http.Surrogate-control ~ "no-store" ||
+	   (!beresp.http.Surrogate-Control &&
+	   beresp.http.Cache-Control ~ "no-cache|no-store") ||
+	   beresp.http.Vary == "*") {
+		# Mark as Hit-For-Pass for the next 2 minutes
+		set beresp.ttl = 120s;
+		set beresp.uncacheable = true;
+	}
+	return (deliver);
+}
+# 2020-04-19 Dmitry Fedyuk https://www.upwork.com/fl/mage2pro
+# «Called before any object except a `vcl_synth` result is delivered to the client.»
+# https://varnish-cache.org/docs/6.4/users-guide/vcl-built-in-subs.html#vcl-deliver
+sub vcl_deliver {
+	if (resp.http.X-Magento-Debug) {
+		if (resp.http.x-varnish ~ " ") {
+			set resp.http.X-Magento-Cache-Debug = "HIT";
+			set resp.http.Grace = req.http.grace;
+		}
+		else {
+			set resp.http.X-Magento-Cache-Debug = "MISS";
+		}
+	}
+	else {
+		unset resp.http.Age;
+	}
+	# Not letting browser to cache non-static files.
+	if (resp.http.Cache-Control !~ "private" && req.url !~ "^/(pub/)?(media|static)/") {
+		set resp.http.Pragma = "no-cache";
+		set resp.http.Expires = "-1";
+		set resp.http.Cache-Control = "no-store, no-cache, must-revalidate, max-age=0";
+	}
+	unset resp.http.X-Magento-Debug;
+	unset resp.http.X-Magento-Tags;
+	unset resp.http.X-Powered-By;
+	unset resp.http.Server;
+	unset resp.http.X-Varnish;
+	unset resp.http.Via;
+	unset resp.http.Link;
+}
+sub vcl_hit {
+	if (obj.ttl >= 0s) {
+		# Hit within TTL period
+		return (deliver);
+	}
+	if (std.healthy(req.backend_hint)) {
+		if (obj.ttl + 300s > 0s) {
+			# Hit after TTL expiration, but within grace period
+			set req.http.grace = "normal (healthy server)";
+			return (deliver);
+		} else {
+			# Hit after TTL and grace expiration
+			return (restart);
+		}
+	} else {
+		# server is not healthy, retrieve from cache
+		set req.http.grace = "unlimited (unhealthy server)";
+		return (deliver);
+	}
+}

usr/local/nginx/conf/nginx.conf

@@ -13,6 +13,7 @@ http {
 	# https://blog.neversyn.com/install-sentry-with-docker-easily#nginx
 	client_body_buffer_size 100k;
 	client_max_body_size 64m;
+	default_type application/octet-stream;
 	# It prevents Magento 2 failure while paying with PayPal:
 	# «upstream sent too big header while reading response header from upstream»
 	# "GET /store/paypal/express/return/?token=<...>&PayerID=<...>
@@ -62,7 +63,11 @@ http {
 	# I want to gzip other static content too: http://stackoverflow.com/a/12644530
 	# http://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_types
 	gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/xml+rss;
-	keepalive_timeout 10;
+	include mime.types;
+	# 2020-05-10
+	# http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
+	# https://olegnax.com/speed-up-magento-2-with-varnish-and-nginx-as-ssl-termination-on-ubuntu
+	keepalive_timeout 300s;
 	log_format websocket '$time_iso8601 $remote_addr $scheme $request_uri $status';
 	# 2017-05-22 For Websockets, used by OroCRM.
     map $http_upgrade $connection_upgrade {
@@ -76,8 +81,38 @@ http {
     proxy_headers_hash_bucket_size 256;
 	proxy_read_timeout 3600;
 	send_timeout 3600;
-    default_type application/octet-stream;
-    include mime.types;
-    sendfile on;
+	sendfile on;
+	# 2020-05-10
+	# 1) «Specifies the enabled ciphers. The ciphers are specified in the format understood by the OpenSSL library»
+	# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers
+	# 2) https://olegnax.com/speed-up-magento-2-with-varnish-and-nginx-as-ssl-termination-on-ubuntu
+    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+	# 2020-05-10
+	# 1) http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
+	# 2) https://olegnax.com/speed-up-magento-2-with-varnish-and-nginx-as-ssl-termination-on-ubuntu
+	# 3) `openssl dhparam -out ssl-dhparams.pem 2048`
+	# https://hackernoon.com/configuring-your-server-to-provide-https-using-lets-encrypt-and-nginx-e46a5ae93e41
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+	# 2020-05-10
+	# `shared`
+	#		«a cache shared between all worker processes.
+	#		The cache size is specified in bytes; one megabyte can store about 4000 sessions.
+	#		Each shared cache should have an arbitrary name.
+	#		A cache with the same name can be used in several virtual servers.»
+    # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
+    ssl_session_cache shared:SSL:10m;
+    # 2020-05-10
+    # «Specifies a time during which a client may reuse the session parameters.»
+    # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout
+    ssl_session_timeout 24h;
+	# 2020-05-10
+	# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
+    # https://olegnax.com/speed-up-magento-2-with-varnish-and-nginx-as-ssl-termination-on-ubuntu
+    ssl_stapling on;
+    # 2020-05-10
+    # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_verify
+    # https://olegnax.com/speed-up-magento-2-with-varnish-and-nginx-as-ssl-termination-on-ubuntu
+    ssl_stapling_verify on;
 	include sites/*.conf;
+	include sites/sandbox/*.conf;
 }