Example varnish and hitch config (#2655)

Varnish is a http caching server, hitch is a tls terminating proxy.

contrib/varnish/hitch.conf

@@ -0,0 +1,32 @@
+# Run 'man hitch.conf' for a description of all options.
+
+frontend = {
+	host = "*"
+	port = "443"
+}
+backend = "[127.0.0.1]:8443"
+workers = 4                     # number of CPU cores
+
+daemon = on
+
+# We strongly recommend you create a separate non-privileged hitch
+# user and group
+user = "hitch"
+group = "hitch"
+
+# Enable to let clients negotiate HTTP/2 with ALPN. (default off)
+# alpn-protos = "h2, http/1.1"
+
+# run Varnish as backend over PROXY; varnishd -a :80 -a localhost:6086,PROXY ..
+write-proxy-v2 = on             # Write PROXY header
+
+## ssl config
+pem-dir = "/etc/tls/private"
+tls-protos = TLSv1.2 TLSv1.3
+# ocsp
+ocsp-dir = "/etc/hitch/ocsp"
+ocsp-verify-staple = on
+
+syslog = on
+log-level = 1
+tcp-fastopen = on

contrib/varnish/vanish.vcl

@@ -0,0 +1,38 @@
+vcl 4.0;
+
+backend default {
+	.host = "localhost";
+	.port = "8080";
+}
+
+sub vcl_recv {
+	# Implementing websocket support (https://www.varnish-cache.org/docs/4.0/users-guide/vcl-example-websockets.html)
+	if (req.http.Upgrade ~ "(?i)websocket") {
+		return (pipe);
+	}
+}
+
+sub vcl_pipe {
+	if (req.http.upgrade) {
+		set bereq.http.upgrade = req.http.upgrade;
+		set bereq.http.connection = req.http.connection;
+	}
+}
+
+sub vcl_backend_response {
+	# Set 1s ttl if origin response HTTP status code is anything other than 200
+	if (beresp.status != 200) {
+		set beresp.ttl = 1s;
+		set beresp.uncacheable = true;
+		return (deliver);
+	}
+	if (bereq.url ~ "m3u8") {
+		# assuming chunks are 2 seconds long
+		set beresp.ttl = 1s;
+		set beresp.grace = 0s;
+	}
+	if (bereq.url ~ "ts") {
+		set beresp.ttl = 10m;
+		set beresp.grace = 5m;
+	}
+}