From 1bd291c7febb0bd9a3a84263cd78bd78798d9b36 Mon Sep 17 00:00:00 2001
From: 4censord <49623362+4censord@users.noreply.github.com>
Date: Tue, 31 Jan 2023 20:19:21 +0100
Subject: [PATCH] Example varnish and hitch config (#2655)

Varnish is a http caching server, hitch is a tls terminating proxy.
---
 contrib/varnish/hitch.conf | 32 ++++++++++++++++++++++++++++++++
 contrib/varnish/vanish.vcl | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 contrib/varnish/hitch.conf
 create mode 100644 contrib/varnish/vanish.vcl

diff --git a/contrib/varnish/hitch.conf b/contrib/varnish/hitch.conf
new file mode 100644
index 000000000..6c79efe13
--- /dev/null
+++ b/contrib/varnish/hitch.conf
@@ -0,0 +1,32 @@
+# Run 'man hitch.conf' for a description of all options.
+
+frontend = {
+ host = "*"
+ port = "443"
+}
+backend = "[127.0.0.1]:8443"
+workers = 4 # number of CPU cores
+
+daemon = on
+
+# We strongly recommend you create a separate non-privileged hitch
+# user and group
+user = "hitch"
+group = "hitch"
+
+# Enable to let clients negotiate HTTP/2 with ALPN. (default off)
+# alpn-protos = "h2, http/1.1"
+
+# run Varnish as backend over PROXY; varnishd -a :80 -a localhost:6086,PROXY ..
+write-proxy-v2 = on # Write PROXY header
+
+## ssl config
+pem-dir = "/etc/tls/private"
+tls-protos = TLSv1.2 TLSv1.3
+# ocsp
+ocsp-dir = "/etc/hitch/ocsp"
+ocsp-verify-staple = on
+
+syslog = on
+log-level = 1
+tcp-fastopen = on
diff --git a/contrib/varnish/vanish.vcl b/contrib/varnish/vanish.vcl
new file mode 100644
index 000000000..f54ab999a
--- /dev/null
+++ b/contrib/varnish/vanish.vcl
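Review bot: The backend address `backend = "[127.0.0.1]:8443"` disagrees with the `varnishd -a :80 -a localhost:6086,PROXY` invocation quoted in the comment a few lines below it, so one of the two is wrong; with `write-proxy-v2 = on` hitch must point at a Varnish listener started with `,PROXY`, and a plain listener will presumably reject the PROXY-prefixed connections. Either change the value to `backend = "[127.0.0.1]:6086"` or correct the comment to name port 8443 with `,PROXY`. That comment should also warn that the PROXY listener has to stay loopback-only, because Varnish trusts the client address carried in the PROXY header from anyone who can reach that port: `# keep the PROXY listener bound to loopback; Varnish trusts the client IP carried in the PROXY header`.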
@@ -0,0 +1,38 @@
+vcl 4.0;
+
+backend default {
+ .host = "localhost";
+ .port = "8080";
+}
+
+sub vcl_recv {
+ # Implementing websocket support (https://www.varnish-cache.org/docs/4.0/users-guide/vcl-example-websockets.html)
+ if (req.http.Upgrade ~ "(?i)websocket") {
+ return (pipe);
+ }
+}
+
+sub vcl_pipe {
+ if (req.http.upgrade) {
+ set bereq.http.upgrade = req.http.upgrade;
+ set bereq.http.connection = req.http.connection;
+ }
+}
+
+sub vcl_backend_response {
+ # Set 1s ttl if origin response HTTP status code is anything other than 200
+ if (beresp.status != 200) {
+ set beresp.ttl = 1s;
+ set beresp.uncacheable = true;
+ return (deliver);
+ }
+ if (bereq.url ~ "m3u8") {
+ # assuming chunks are 2 seconds long
+ set beresp.ttl = 1s;
+ set beresp.grace = 0s;
+ }
+ if (bereq.url ~ "ts") {
+ set beresp.ttl = 10m;
+ set beresp.grace = 5m;
+ }
+}
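Review bot: The two cache rules at the end of `vcl_backend_response` match `bereq.url ~ "ts"` and `bereq.url ~ "m3u8"` as bare substrings, so any 200 response whose path merely contains those letters — `/posts`, `/status`, `/settings` — gets a forced 10-minute TTL plus 5 minutes of grace and is served to other clients from cache, not just HLS playlists and segments. The builtin VCL that runs after this sub still marks Set-Cookie and `Cache-Control: private` responses uncacheable as far as I recall, but any other frequently-changing or per-request endpoint that happens to match would be served stale. Anchor the patterns to the file extension: `if (bereq.url ~ "\.m3u8(\?|$)") {` and `if (bereq.url ~ "\.ts(\?|$)") {`. The new file is also named `vanish.vcl`, which looks like a typo for `varnish.vcl`.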