1VCL(7)                                                                  VCL(7)
2
3
4

NAME

6       VCL - Varnish Configuration Language
7

DESCRIPTION

9       The  VCL  language  is  a small domain-specific language designed to be
10       used to describe request handling and  document  caching  policies  for
11       Varnish Cache.
12
13       When  a  new  configuration  is loaded, the varnishd management process
14       translates the VCL code to C and compiles it to a shared  object  which
15       is then loaded into the server process.
16
17       This  document  focuses  on  the syntax of the VCL language. For a full
18       description of syntax and semantics, with ample  examples,  please  see
19       the online documentation at https://www.varnish-cache.org/docs/ .
20
21       Starting  with  Varnish  4.0, each VCL file must start by declaring its
22       version with vcl <major>.<minor>; marker at the top of the  file.   See
23       more about this under Versioning below.
24
25   Operators
26       The following operators are available in VCL:
27
28          =      Assignment operator.
29
30          +=, -=, *=, /=
31                 Assign and increment/decrement/multiply/divide operator.
32
33                 For strings, += appends.
34
35          ==, !=, <, >, <=, >=
36                 Comparisons
37
38          ~, !~  Match  /  non-match.  Can either be used with regular expres‐
39                 sions or ACLs.
40
41          !      Negation.
42
43          && / ||
44                 Logical and/or.
45
46   Conditionals
47       VCL has if and else statements. Nested logic can  be  implemented  with
48       the elseif statement (elsif/elif/else if are equivalent).
49
50       Note that there are no loops or iterators of any kind in VCL.
51
52   Strings, booleans, time, duration, integers and real numbers
53       These are the data types in Varnish. You can set or unset these.
54
55       Example:
56
57          set req.http.User-Agent = "unknown";
58          unset req.http.Range;
59
60   Strings
61       Basic  strings are enclosed in double quotes "...", and may not contain
62       newlines. Long strings are enclosed in {"..."}. They  may  contain  any
63       character  including  single double quotes ", newline and other control
64       characters except for the NUL (0x00) character.
65
66   Booleans
67       Booleans can be either true or false.  In addition, in a  boolean  con‐
68       text  some data types will evaluate to true or false depending on their
69       value.
70
71       String types will evaluate to false if they  are  unset.   This  allows
72       checks  of the type if (req.http.opthdr) {} to test if a header exists,
73       even if it is empty, whereas if (req.http.opthdr ==  "")  {}  does  not
74       distinguish if the header does not exist or if it is empty.
75
76       Backend  types  will  evaluate  to  false  if they don't have a backend
77       assigned; integer types will evaluate to false if their value is  zero;
78       duration  types  will evaluate to false if their value is equal or less
79       than zero.
80
81   Time
82       VCL has time. A duration can be added to a time to make  another  time.
83       In  string  context  they  return a formatted string in RFC1123 format,
84       e.g. Sun, 06 Nov 1994 08:49:37 GMT.
85
86       The keyword now returns a notion of the current  time,  which  is  kept
87       consistent  during  VCL subroutine invocations, so during the execution
88       of a VCL state subroutine (vcl_* {}), including all  user-defined  sub‐
89       routines being called, now always returns the same value.
90
91   Durations
92       Durations  are  defined  by a number followed by a unit. The number can
93       include a fractional part, e.g. 1.5s. The supported units are:
94
95          ms     milliseconds
96
97          s      seconds
98
99          m      minutes
100
101          h      hours
102
103          d      days
104
105          w      weeks
106
107          y      years
108
109       In string context they return a string with their value  rounded  to  3
110       decimal places and excluding the unit, e.g.  1.500.
111
112   Integers
113       Certain  fields  are integers, used as expected. In string context they
114       return a string, e.g. 1234.
115
116   Real numbers
117       VCL understands real numbers. In string context they  return  a  string
118       with their value rounded to 3 decimal places, e.g. 3.142.
119
120   Regular Expressions
121       Varnish uses Perl-compatible regular expressions (PCRE). For a complete
122       description please see the pcre(3) man page.
123
124       To send flags to the PCRE engine, such as to do case insensitive match‐
125       ing, add the flag within parens following a question mark, like this:
126
127          # If host is NOT example dot com..
128          if (req.http.host !~ "(?i)example\.com$") {
129              ...
130          }
131
132   Include statement
133       To include a VCL file in another file use the include keyword:
134
135          include "foo.vcl";
136
137   Import statement
138       The import statement is used to load Varnish Modules (VMODs.)
139
140       Example:
141
142          import std;
143          sub vcl_recv {
144              std.log("foo");
145          }
146
147   Comments
148       Single  lines  of  VCL  can  be commented out using // or #. Multi-line
149       blocks can be commented out with /*block*/.
150
151       Example:
152
153          sub vcl_recv {
154              // Single line of out-commented VCL.
155              # Another way of commenting out a single line.
156              /*
157                  Multi-line block of commented-out VCL.
158              */
159          }
160
161   Backend definition
162       A backend declaration creates and initialises a named backend object. A
163       declaration  start with the keyword backend followed by the name of the
164       backend. The actual declaration is in curly brackets,  in  a  key/value
165       fashion.:
166
167          backend name {
168              .attribute = "value";
169          }
170
171       One  of  the attributes .host or .path is mandatory (but not both). The
172       attributes will inherit their defaults from the global parameters.  The
173       following attributes are available:
174
175          .host  The  host  to be used. IP address or a hostname that resolves
176                 to a single IP address. This attribute is  mandatory,  unless
177                 .path is declared.
178
179          .path     (VCL >= 4.1)
180              The  absolute path of a Unix domain socket at which a backend is
181              listening. If the file at that path does not  exist  or  is  not
182              accessible  to  Varnish  at VCL load time, then the VCL compiler
183              issues a warning, but does not fail. This makes it  possible  to
184              start  the  UDS-listening peer, or set the socket file's permis‐
185              sions, after starting Varnish or loading VCL with a UDS backend.
186              But  the  socket  file must exist and have necessary permissions
187              before the first connection is attempted, otherwise fetches will
188              fail.  If the file does exist and is accessible, then it must be
189              a socket; otherwise the VCL load fails. One of  .path  or  .host
190              must  be  declared (but not both). .path may only be used in VCL
191              since version 4.1.
192
193          .port  The port on the  backend  that  Varnish  should  connect  to.
194                 Ignored if a Unix domain socket is declared in .path.
195
196          .host_header
197                 A  host  header to add to probes and regular backend requests
198                 if they have no such header.
199
200          .connect_timeout
201                 Timeout for connections.
202
203                 Default: connect_timeout parameter, see varnishd(1)
204
205          .first_byte_timeout
206                 Timeout for first byte.
207
208                 Default: first_byte_timeout parameter, see varnishd(1)
209
210          .between_bytes_timeout
211                 Timeout between bytes.
212
213                 Default: between_bytes_timeout parameter, see varnishd(1)
214
215          .probe Attach a probe to the backend. See Probes
216
217          .proxy_header
218                 The PROXY protocol version Varnish should use when connecting
219                 to this backend. Allowed values are 1 and 2.
220
221                 Notice  this  setting  will lead to backend connections being
222                 used for a single request only (subject  to  future  improve‐
223                 ments).  Thus,  extra  care  should be taken to avoid running
224                 into failing backend connections with EADDRNOTAVAIL due to no
225                 local ports being available. Possible options are:
226
227                 · Use additional backend connections to extra IP addresses or
228                   TCP ports
229
230                 · Increase  the  number  of  available  ports  (Linux  sysctl
231                   net.ipv4.ip_local_port_range)
232
233                 · Reuse   backend   connection   ports  early  (Linux  sysctl
234                   net.ipv4.tcp_tw_reuse)
235
236          .max_connections
237                 Maximum number of open connections towards this  backend.  If
238                 Varnish  reaches  the  maximum  Varnish it will start failing
239                 connections.
240
241       Empty backends can also be defined using the following syntax.:
242
243          backend name none;
244
245       An empty backend will always return status code 503 as if it is sick.
246
247       Backends can be used with directors. Please see  the  vmod_directors(3)
248       man page for more information.
249
250   Probes
251       Probes  will  query  the backend for status on a regular basis and mark
252       the backend as down it they fail. A probe is defined as this:
253
254          probe name {
255              .attribute = "value";
256          }
257
258       The probe named default is special and will be used  for  all  backends
259       which do not explicitly reference a probe.
260
261       There are no mandatory options. These are the options you can set:
262
263          .url   The  URL  to  query.  Defaults to /.  Mutually exclusive with
264                 .request
265
266          .request
267                 Specify a full HTTP request using multiple strings.  .request
268                 will  have  \r\n  automatically  inserted after every string.
269                 Mutually exclusive with .url.
270
271                 Note that probes require the backend to complete sending  the
272                 response  and close the connection within the specified time‐
273                 out, so .request will, for HTTP/1.1, most likely need to con‐
274                 tain a "Connection: close" string.
275
276          .expected_response
277                 The expected HTTP response code. Defaults to 200.
278
279          .timeout
280                 The timeout for the probe. Default is 2s.
281
282          .interval
283                 How often the probe is run. Default is 5s.
284
285          .initial
286                 How  many  of  the  polls in .window are considered good when
287                 Varnish starts. Defaults to the value of .threshold -  1.  In
288                 this case, the backend starts as sick and requires one single
289                 poll to be considered healthy.
290
291          .window
292                 How many of the latest polls we examine to determine  backend
293                 health.  Defaults to 8.
294
295          .threshold
296                 How  many of the polls in .window must have succeeded to con‐
297                 sider the backend to be healthy.  Defaults to 3.
298
299   Access Control List (ACL)
300       An Access Control List (ACL)  declaration  creates  and  initialises  a
301       named  access  control  list  which  can  later be used to match client
302       addresses:
303
304          acl localnetwork {
305              "localhost";    # myself
306              "192.0.2.0"/24; # and everyone on the local network
307              ! "192.0.2.23"; # except for the dial-in router
308          }
309
310       If an ACL entry specifies a  host  name  which  Varnish  is  unable  to
311       resolve,  it will match any address it is compared to. Consequently, if
312       it is preceded by a negation mark, it will reject  any  address  it  is
313       compared  to,  which  may  not  be  what  you intended. If the entry is
314       enclosed in parentheses, however, it will simply be ignored.
315
316       To match an IP address against an ACL, simply use the match operator:
317
318          if (client.ip ~ localnetwork) {
319              return (pipe);
320          }
321
322   VCL objects
323       A VCL object can be instantiated with the new keyword:
324
325          sub vcl_init {
326              new b = directors.round_robin()
327              b.add_backend(node1);
328          }
329
330       This is only available in vcl_init.
331
332   Subroutines
333       A subroutine is used to group code for legibility or reusability:
334
335          sub pipe_if_local {
336              if (client.ip ~ localnetwork) {
337                  return (pipe);
338              }
339          }
340
341       Subroutines in VCL do not take arguments, nor do  they  return  values.
342       The  built  in subroutines all have names beginning with vcl_, which is
343       reserved.
344
345       To call a subroutine, use the call keyword followed by the subroutine's
346       name:
347
348          sub vcl_recv {
349              call pipe_if_local;
350          }
351
352   Return statements
353       The  ongoing  vcl_*  subroutine  execution ends when a return(<action>)
354       statement is made.
355
356       The <action>  specifies  how  execution  should  proceed.  The  context
357       defines which actions are available.
358
359   Multiple subroutines
360       If  multiple  subroutines with the name of one of the built-in ones are
361       defined, they are concatenated in the order in which they appear in the
362       source.
363
364       The  built-in  VCL distributed with Varnish will be implicitly concate‐
365       nated when the VCL is compiled.
366
367   VCL Variables
368       Variables provide read, write and delete access to almost  all  aspects
369       of the work at hand.
370
371       Reading a variable is done simply by using its name in VCL:
372
373          if (client.ip ~ bad_guys) {
374              return (synth(400));
375          }
376
377       Writing  a  variable, where this is possible, is done with a set state‐
378       ment:
379
380          set resp.http.never = "Let You Down";
381
382       Similarly, deleting a variable, for the few  variables  where  this  is
383       possible, is done with a unset statement:
384
385          unset req.http.cookie;
386
387       Which  operations  are  possible  on  each variable is described below,
388       often with the shorthand "backend" which covers the vcl_backend_*  sub‐
389       routines  and  "client"  which  covers  the  rest,  except vcl_init and
390       vcl_fini.
391
392       When setting a variable, the right hand side of  the  equal  sign  must
393       have  the  variables  type, you cannot assign a STRING to a variable of
394       type NUMBER, even if the string is "42".   (Explicit  conversion  func‐
395       tions can be found in vmod_std(3)).
396
397   local, server, remote and client
398       These  variables describe the network connection between the client and
399       varnishd.
400
401       Without PROXY protocol:
402
403               client    server
404               remote    local
405                 v          v
406          CLIENT ------------ VARNISHD
407
408       With PROXY protocol:
409
410               client    server   remote     local
411                 v          v       v          v
412          CLIENT ------------ PROXY ------------ VARNISHD
413
414       local.ip
415          Type: IP
416
417          Readable from: client, backend
418
419          The IP address (and port number) of the local end of the TCP connec‐
420          tion, for instance 192.168.1.1:81
421
422          If  the  connection  is  a  UNIX  domain  socket,  the value will be
423          0.0.0.0:0
424
425       local.endpoint  VCL >= 4.1
426          Type: STRING
427
428          Readable from: client, backend
429
430          The address of the '-a' socket the session was accepted on.
431
432          If the argument was -a foo=:81 this would be ":81"
433
434       local.socket    VCL >= 4.1
435          Type: STRING
436
437          Readable from: client, backend
438
439          The name of the '-a' socket the session was accepted on.
440
441          If the argument was -a foo=:81 this would be "foo".
442
443          Note that all '-a' gets a default name on the form a%d if no name is
444          provided.
445
446       remote.ip
447          Type: IP
448
449          Readable from: client, backend
450
451          The  IP  address  of  the other end of the TCP connection.  This can
452          either be the clients IP, or the outgoing IP of a proxy server.
453
454          If the connection is  a  UNIX  domain  socket,  the  value  will  be
455          0.0.0.0:0
456
457       client.ip
458          Type: IP
459
460          Readable from: client, backend
461
462          The  client's  IP  address,  either the same as local.ip or what the
463          PROXY protocol told us.
464
465       client.identity
466          Type: STRING
467
468          Readable from: client
469
470          Writable from: client
471
472          Identification of the client, used to load  balance  in  the  client
473          director.  Defaults to client.ip
474
475          This  variable can be overwritten with more precise information, for
476          instance extracted from a Cookie: header.
477
478       server.ip
479          Type: IP
480
481          Readable from: client, backend
482
483          The IP address of the socket on  which  the  client  connection  was
484          received,  either  the  same as server.ip or what the PROXY protocol
485          told us.
486
487       server.hostname
488          Type: STRING
489
490          Readable from: all
491
492          The host name of the server, as returned by the gethostname(3)  sys‐
493          tem function.
494
495       server.identity
496          Type: STRING
497
498          Readable from: all
499
500          The identity of the server, as set by the -i parameter.
501
502          If  an -i parameter is not passed to varnishd, the return value from
503          gethostname(3) system function will be used.
504
505   req and req_top
506       These variables describe the  present  request,  and  when  ESI:include
507       requests  are  being  processed, req_top points to the request received
508       from the client.
509
510       req
511          Type: HTTP
512
513          Readable from: client
514
515          The entire request HTTP data structure.  Mostly useful  for  passing
516          to VMODs.
517
518       req.method
519          Type: STRING
520
521          Readable from: client
522
523          Writable from: client
524
525          The request method (e.g. "GET", "HEAD", ...)
526
527       req.hash
528          Type: BLOB
529
530          Readable from: vcl_hit, vcl_miss, vcl_pass, vcl_purge, vcl_deliver
531
532          The  hash  key of this request.  Mostly useful for passing to VMODs,
533          but can also be useful for debugging hit/miss status.
534
535       req.url
536          Type: STRING
537
538          Readable from: client
539
540          Writable from: client
541
542          The requested URL, for instance "/robots.txt".
543
544       req.proto       VCL <= 4.0
545          Type: STRING
546
547          Readable from: client
548
549          Writable from: client
550
551          The HTTP protocol version used by the client, usually "HTTP/1.1"  or
552          "HTTP/2.0".
553
554       req.proto       VCL >= 4.1
555          Type: STRING
556
557          Readable from: client
558
559          The  HTTP protocol version used by the client, usually "HTTP/1.1" or
560          "HTTP/2.0".
561
562       req.http.*
563          Type: HEADER
564
565          Readable from: client
566
567          Writable from: client
568
569          Unsetable from: client
570
571          The headers of request, things like req.http.date.
572
573          The RFCs allow multiple headers with the same name, and both set and
574          unset will remove all headers with the name given.
575
576       req.restarts
577          Type: INT
578
579          Readable from: client
580
581          A count of how many times this request has been restarted.
582
583       req.storage
584          Type: STEVEDORE
585
586          Readable from: client
587
588          Writable from: client
589
590          The storage backend to use to save this request body.
591
592       req.esi_level
593          Type: INT
594
595          Readable from: client
596
597          A count of how many levels of ESI requests we're currently at.
598
599       req.ttl
600          Type: DURATION
601
602          Readable from: client
603
604          Writable from: client
605
606          Upper limit on the object age for cache lookups to return hit.
607
608       req.grace
609          Type: DURATION
610
611          Readable from: client
612
613          Writable from: client
614
615          Upper limit on the object grace.
616
617          During lookup the minimum of req.grace and the object's stored grace
618          value will be used as the object's grace.
619
620       req.xid
621          Type: STRING
622
623          Readable from: client
624
625          Unique ID of this request.
626
627       req.esi VCL <= 4.0
628          Type: BOOL
629
630          Readable from: client
631
632          Writable from: client
633
634          Set to false to disable ESI processing regardless of  any  value  in
635          beresp.do_esi.  Defaults  to  true.  This  variable  is  replaced by
636          resp.do_esi in VCL 4.1.
637
638       req.can_gzip
639          Type: BOOL
640
641          Readable from: client
642
643          True if the client provided gzip or x-gzip  in  the  Accept-Encoding
644          header.
645
646       req.backend_hint
647          Type: BACKEND
648
649          Readable from: client
650
651          Writable from: client
652
653          Set  bereq.backend  to  this  if we attempt to fetch.  When set to a
654          director, reading this variable returns an  actual  backend  if  the
655          director  has resolved immediately, or the director otherwise.  When
656          used in string context, returns the name of the director or backend,
657          respectively.
658
659       req.hash_ignore_busy
660          Type: BOOL
661
662          Readable from: client
663
664          Writable from: client
665
666          Default: false.
667
668          Ignore any busy object during cache lookup.
669
670          You only want to do this when you have two server looking up content
671          sideways from each other to avoid deadlocks.
672
673       req.hash_always_miss
674          Type: BOOL
675
676          Readable from: client
677
678          Writable from: client
679
680          Default: false.
681
682          Force a cache miss for this request, even if perfectly good matching
683          objects are in the cache.
684
685          This is useful to force-update the cache without invalidating exist‐
686          ing entries in case the fetch fails.
687
688       req.is_hitmiss
689          Type: BOOL
690
691          Readable from: client
692
693          If this request resulted in a hitmiss
694
695       req.is_hitpass
696          Type: BOOL
697
698          Readable from: client
699
700          If this request resulted in a hitpass
701
702       req_top.method
703          Type: STRING
704
705          Readable from: client
706
707          The request method of  the  top-level  request  in  a  tree  of  ESI
708          requests.  (e.g. "GET", "HEAD").  Identical to req.method in non-ESI
709          requests.
710
711       req_top.url
712          Type: STRING
713
714          Readable from: client
715
716          The requested URL  of  the  top-level  request  in  a  tree  of  ESI
717          requests.  Identical to req.url in non-ESI requests.
718
719       req_top.http.*
720          Type: HEADER
721
722          Readable from: client
723
724          HTTP  headers  of  the  top-level request in a tree of ESI requests.
725          Identical to req.http. in non-ESI requests.
726
727       req_top.proto
728          Type: STRING
729
730          Readable from: client
731
732          HTTP protocol version of the top-level request  in  a  tree  of  ESI
733          requests.  Identical to req.proto in non-ESI requests.
734
735   bereq
736       This  is  the  request  we  send  to  the backend, it is built from the
737       clients req.* fields by filtering out "per-hop" fields which should not
738       be passed along (Connection:, Range: and similar).
739
740       Slightly more fields are allowed through for pass fetches than for miss
741       fetches, for instance Range.
742
743       bereq
744          Type: HTTP
745
746          Readable from: backend
747
748          The entire backend request HTTP data structure.   Mostly  useful  as
749          argument to VMODs.
750
751       bereq.xid
752          Type: STRING
753
754          Readable from: backend
755
756          Unique ID of this request.
757
758       bereq.retries
759          Type: INT
760
761          Readable from: backend
762
763          A count of how many times this request has been retried.
764
765       bereq.backend
766          Type: BACKEND
767
768          Readable from: vcl_pipe, backend
769
770          Writable from: vcl_pipe, backend
771
772          This  is the backend or director we attempt to fetch from.  When set
773          to a director, reading this variable returns an  actual  backend  if
774          the  director  has  resolved immediately, or the director otherwise.
775          When used in string context, returns the name  of  the  director  or
776          backend, respectively.
777
778       bereq.body
779          Type: BODY
780
781          Unsetable from: vcl_backend_fetch
782
783          The request body.
784
785          Unset will also remove bereq.http.Content-Length.
786
787       bereq.hash
788          Type: BLOB
789
790          Readable from: vcl_pipe, backend
791
792          The hash key of this request, a copy of req.hash.
793
794       bereq.method
795          Type: STRING
796
797          Readable from: vcl_pipe, backend
798
799          Writable from: vcl_pipe, backend
800
801          The request type (e.g. "GET", "HEAD").
802
803          Regular (non-pipe, non-pass) fetches are always "GET"
804
805       bereq.url
806          Type: STRING
807
808          Readable from: vcl_pipe, backend
809
810          Writable from: vcl_pipe, backend
811
812          The requested URL, copied from req.url
813
814       bereq.proto     VCL <= 4.0
815          Type: STRING
816
817          Readable from: vcl_pipe, backend
818
819          Writable from: vcl_pipe, backend
820
821          The  HTTP protocol version, "HTTP/1.1" unless a pass or pipe request
822          has "HTTP/1.0" in req.proto
823
824       bereq.proto     VCL >= 4.1
825          Type: STRING
826
827          Readable from: vcl_pipe, backend
828
829          The HTTP protocol version, "HTTP/1.1" unless a pass or pipe  request
830          has "HTTP/1.0" in req.proto
831
832       bereq.http.*
833          Type: HEADER
834
835          Readable from: vcl_pipe, backend
836
837          Writable from: vcl_pipe, backend
838
839          Unsetable from: vcl_pipe, backend
840
841          The headers to be sent to the backend.
842
843       bereq.uncacheable
844          Type: BOOL
845
846          Readable from: backend
847
848          Indicates  whether  this request is uncacheable due to a pass in the
849          client side or a hit on an hit-for-pass object.
850
851       bereq.connect_timeout
852          Type: DURATION
853
854          Readable from: vcl_pipe, backend
855
856          Writable from: vcl_pipe, backend
857
858          Default: .connect_timeout  attribute  from  the  backend_definition,
859          which defaults to the connect_timeout parameter, see varnishd(1).
860
861          The  time  in  seconds to wait for a backend connection to be estab‐
862          lished.
863
864       bereq.first_byte_timeout
865          Type: DURATION
866
867          Readable from: backend
868
869          Writable from: backend
870
871          Default: .first_byte_timeout attribute from the  backend_definition,
872          which defaults to the first_byte_timeout parameter, see varnishd(1).
873
874          The  time  in  seconds  to wait getting the first byte back from the
875          backend.  Not available in pipe mode.
876
877       bereq.between_bytes_timeout
878          Type: DURATION
879
880          Readable from: backend
881
882          Writable from: backend
883
884          Default: .between_bytes_timeout attribute from  the  backend_defini‐
885          tion,  which  defaults  to  the between_bytes_timeout parameter, see
886          varnishd(1).
887
888          The time in seconds to wait between  each  received  byte  from  the
889          backend.  Not available in pipe mode.
890
891       bereq.is_bgfetch
892          Type: BOOL
893
894          Readable from: backend
895
896          True  for  fetches where the client got a hit on an object in grace,
897          and this fetch was kicked of in the background to get a fresh copy.
898
899   beresp
900       The response received from the backend, one  cache  misses,  the  store
901       object is built from beresp.
902
903       beresp
904          Type: HTTP
905
906          Readable from: vcl_backend_response, vcl_backend_error
907
908          The  entire backend response HTTP data structure, useful as argument
909          to VMOD functions.
910
911       beresp.body
912          Type: BODY
913
914          Writable from: vcl_backend_error
915
916          For producing a synthetic body.
917
918       beresp.proto    VCL <= 4.0
919          Type: STRING
920
921          Readable from: vcl_backend_response, vcl_backend_error
922
923          Writable from: vcl_backend_response, vcl_backend_error
924
925          The HTTP protocol version the backend replied with.
926
927       beresp.proto    VCL >= 4.1
928          Type: STRING
929
930          Readable from: vcl_backend_response, vcl_backend_error
931
932          The HTTP protocol version the backend replied with.
933
934       beresp.status
935          Type: INT
936
937          Readable from: vcl_backend_response, vcl_backend_error
938
939          Writable from: vcl_backend_response, vcl_backend_error
940
941          The HTTP status code returned by the server.
942
943          Status codes on the form XXYZZ can be set where XXYZZ is  less  than
944          65536 and Y is [1...9].  Only YZZ will be sent back to clients.
945
946          XX  can  be therefore be used to pass information around inside VCL,
947          for instance return(synth(22404)) from vcl_recv{} to vcl_synth{}
948
949       beresp.reason
950          Type: STRING
951
952          Readable from: vcl_backend_response, vcl_backend_error
953
954          Writable from: vcl_backend_response, vcl_backend_error
955
956          The HTTP status message returned by the server.
957
958       beresp.http.*
959          Type: HEADER
960
961          Readable from: vcl_backend_response, vcl_backend_error
962
963          Writable from: vcl_backend_response, vcl_backend_error
964
965          Unsetable from: vcl_backend_response, vcl_backend_error
966
967          The HTTP headers returned from the server.
968
969       beresp.do_esi
970          Type: BOOL
971
972          Readable from: vcl_backend_response, vcl_backend_error
973
974          Writable from: vcl_backend_response, vcl_backend_error
975
976          Default: false.
977
978          Set it to true to parse the object for ESI directives.  Will only be
979          honored if req.esi is true.
980
981       beresp.do_stream
982          Type: BOOL
983
984          Readable from: vcl_backend_response, vcl_backend_error
985
986          Writable from: vcl_backend_response, vcl_backend_error
987
988          Default: true.
989
990          Deliver  the  object  to  the client while fetching the whole object
991          into varnish.
992
993          For uncacheable objects, storage for parts of the  body  which  have
994          been  sent to the client may get freed early, depending on the stor‐
995          age engine used.
996
997          This variable has no effect if do_esi is true or when  the  response
998          body is empty.
999
1000       beresp.do_gzip
1001          Type: BOOL
1002
1003          Readable from: vcl_backend_response, vcl_backend_error
1004
1005          Writable from: vcl_backend_response, vcl_backend_error
1006
1007          Default: false.
1008
1009          Set to true to gzip the object while storing it.
1010
1011          If  http_gzip_support  is  disabled,  setting  this  variable has no
1012          effect.
1013
1014       beresp.do_gunzip
1015          Type: BOOL
1016
1017          Readable from: vcl_backend_response, vcl_backend_error
1018
1019          Writable from: vcl_backend_response, vcl_backend_error
1020
1021          Default: false.
1022
1023          Set to true to gunzip the object while storing it in the cache.
1024
1025          If http_gzip_support is  disabled,  setting  this  variable  has  no
1026          effect.
1027
1028       beresp.was_304
1029          Type: BOOL
1030
1031          Readable from: vcl_backend_response, vcl_backend_error
1032
1033          When  true  this  indicates that we got a 304 response to our condi‐
1034          tional fetch from the backend and turned that into  beresp.status  =
1035          200
1036
1037       beresp.uncacheable
1038          Type: BOOL
1039
1040          Readable from: vcl_backend_response, vcl_backend_error
1041
1042          Writable from: vcl_backend_response, vcl_backend_error
1043
1044          Inherited from bereq.uncacheable, see there.
1045
1046          Setting this variable makes the object uncacheable.
1047
1048          This may may produce a hit-for-miss object in the cache.
1049
1050          Clearing the variable has no effect and will log the warning "Ignor‐
1051          ing attempt to reset beresp.uncacheable".
1052
1053       beresp.ttl
1054          Type: DURATION
1055
1056          Readable from: vcl_backend_response, vcl_backend_error
1057
1058          Writable from: vcl_backend_response, vcl_backend_error
1059
1060          Default: Cache-Control s-maxage or max-age directives,  or  a  value
1061          computed  from  the  Expires  header's  deadline, or the default_ttl
1062          parameter.
1063
1064          The object's remaining time to live, in seconds.
1065
1066       beresp.age
1067          Type: DURATION
1068
1069          Readable from: vcl_backend_response, vcl_backend_error
1070
1071          Default: Age header, or zero.
1072
1073          The age of the object.
1074
1075       beresp.grace
1076          Type: DURATION
1077
1078          Readable from: vcl_backend_response, vcl_backend_error
1079
1080          Writable from: vcl_backend_response, vcl_backend_error
1081
1082          Default:   Cache-Control   stale-while-revalidate   directive,    or
1083          default_grace parameter.
1084
1085          Set to a period to enable grace.
1086
1087       beresp.keep
1088          Type: DURATION
1089
1090          Readable from: vcl_backend_response, vcl_backend_error
1091
1092          Writable from: vcl_backend_response, vcl_backend_error
1093
1094          Default: default_keep parameter.
1095
1096          Set to a period to enable conditional backend requests.
1097
1098          The keep time is cache lifetime in addition to the ttl.
1099
1100          Objects  with  ttl  expired  but  with keep time left may be used to
1101          issue conditional (If-Modified-Since /  If-None-Match)  requests  to
1102          the backend to refresh them.
1103
1104       beresp.backend
1105          Type: BACKEND
1106
1107          Readable from: vcl_backend_response, vcl_backend_error
1108
1109          This  is the backend we fetched from.  If bereq.backend was set to a
1110          director, this will be the backend selected by the  director.   When
1111          used in string context, returns its name.
1112
1113       beresp.backend.name
1114          Type: STRING
1115
1116          Readable from: vcl_backend_response, vcl_backend_error
1117
1118          Name  of  the  backend  this  response  was  fetched  from.  Same as
1119          beresp.backend.
1120
1121       beresp.backend.ip       VCL <= 4.0
1122          Type: IP
1123
1124          Readable from: vcl_backend_response
1125
1126          IP of the backend this response was fetched from.
1127
1128       beresp.storage
1129          Type: STEVEDORE
1130
1131          Readable from: vcl_backend_response, vcl_backend_error
1132
1133          Writable from: vcl_backend_response, vcl_backend_error
1134
1135          The storage backend to use to save this object.
1136
1137       beresp.storage_hint     VCL <= 4.0
1138          Type: STRING
1139
1140          Readable from: vcl_backend_response, vcl_backend_error
1141
1142          Writable from: vcl_backend_response, vcl_backend_error
1143
1144          Deprecated since varnish 5.1 and discontinued since VCL 4.1 (varnish
1145          6.0). Use beresp.storage instead.
1146
1147          Hint  to  Varnish  that you want to save this object to a particular
1148          storage backend.
1149
1150       beresp.filters
1151          Type: STRING
1152
1153          Readable from: vcl_backend_response
1154
1155          Writable from: vcl_backend_response
1156
1157          List of Varnish Fetch Processor (VFP) filters the  beresp.body  will
1158          be pulled through. The order left to right signifies processing from
1159          backend to cache, iow the leftmost filter is run first on  the  body
1160          as  received  from the backend after decoding of any transfer encod‐
1161          ings.
1162
1163          VFP Filters change the body before going into the cache and/or being
1164          handed  to  the  client  side,  where  it may get processed again by
1165          resp.filters.
1166
1167          The following VFP filters exist in varnish-cache:
1168
1169          · gzip: compress a body using gzip
1170
1171          · testgunzip: Test if a body is valid gzip and refuse it otherwise
1172
1173          · gunzip: Uncompress gzip content
1174
1175          · esi: ESI-process plain text content
1176
1177          · esi_gzip: Save gzipped snippets for efficient ESI-processing
1178
1179            This filter  enables  stitching  together  ESI  from  individually
1180            gzipped  fragments,  saving processing power for re-compression on
1181            the client side at the expense of some compression efficiency.
1182
1183          Additional VFP filters are available from VMODs.
1184
1185          By default, beresp.filters is constructed as follows:
1186
1187          · gunzip gets added  for  gzipped  content  if  beresp.do_gunzip  or
1188            beresp.do_esi are true.
1189
1190          · esi_gzip  gets  added  if  beresp.do_esi  is  true  together  with
1191            beresp.do_gzip or content is already compressed.
1192
1193          · esi gets added if beresp.do_esi is true
1194
1195          · gzip gets added for uncompressed content if beresp.do_gzip is true
1196
1197          · testgunzip gets added for compressed content  if  beresp.do_gunzip
1198            is false.
1199
1200   obj
1201       This is the object we found in cache.  It cannot be modified.
1202
1203       obj.proto
1204          Type: STRING
1205
1206          Readable from: vcl_hit
1207
1208          The HTTP protocol version stored in the object.
1209
1210       obj.status
1211          Type: INT
1212
1213          Readable from: vcl_hit
1214
1215          The HTTP status code stored in the object.
1216
1217       obj.reason
1218          Type: STRING
1219
1220          Readable from: vcl_hit
1221
1222          The HTTP reason phrase stored in the object.
1223
1224       obj.hits
1225          Type: INT
1226
1227          Readable from: vcl_hit, vcl_deliver
1228
1229          The count of cache-hits on this object.
1230
1231          In vcl_deliver a value of 0 indicates a cache miss.
1232
1233       obj.http.*
1234          Type: HEADER
1235
1236          Readable from: vcl_hit
1237
1238          The HTTP headers stored in the object.
1239
1240       obj.ttl
1241          Type: DURATION
1242
1243          Readable from: vcl_hit, vcl_deliver
1244
1245          The object's remaining time to live, in seconds.
1246
1247       obj.age
1248          Type: DURATION
1249
1250          Readable from: vcl_hit, vcl_deliver
1251
1252          The age of the object.
1253
1254       obj.grace
1255          Type: DURATION
1256
1257          Readable from: vcl_hit, vcl_deliver
1258
1259          The object's grace period in seconds.
1260
1261       obj.keep
1262          Type: DURATION
1263
1264          Readable from: vcl_hit, vcl_deliver
1265
1266          The object's keep period in seconds.
1267
1268       obj.uncacheable
1269          Type: BOOL
1270
1271          Readable from: vcl_deliver
1272
1273          Whether   the   object   is   uncacheable   (pass,  hit-for-pass  or
1274          hit-for-miss).
1275
1276       obj.storage
1277          Type: STEVEDORE
1278
1279          Readable from: vcl_hit, vcl_deliver
1280
1281          The storage backend where this object is stored.
1282
1283   resp
1284       This is the response we send to the client, it  is  built  from  either
1285       beresp (pass/miss), obj (hits) or created from whole cloth (synth).
1286
1287       With  the exception of resp.body all resp.* variables available in both
1288       vcl_deliver{} and vcl_synth{} as a matter of symmetry.
1289
1290       resp
1291          Type: HTTP
1292
1293          Readable from: vcl_deliver, vcl_synth
1294
1295          The entire response HTTP  data  structure,  useful  as  argument  to
1296          VMODs.
1297
1298       resp.body
1299          Type: BODY
1300
1301          Writable from: vcl_synth
1302
1303          To produce a synthetic response body, for instance for errors.
1304
1305       resp.proto      VCL <= 4.0
1306          Type: STRING
1307
1308          Readable from: vcl_deliver, vcl_synth
1309
1310          Writable from: vcl_deliver, vcl_synth
1311
1312          The HTTP protocol version to use for the response.
1313
1314       resp.proto      VCL >= 4.1
1315          Type: STRING
1316
1317          Readable from: vcl_deliver, vcl_synth
1318
1319          Writable from: vcl_deliver, vcl_synth
1320
1321          The HTTP protocol version to use for the response.
1322
1323       resp.status
1324          Type: INT
1325
1326          Readable from: vcl_deliver, vcl_synth
1327
1328          Writable from: vcl_deliver, vcl_synth
1329
1330          The HTTP status code that will be returned.
1331
1332          Assigning  a  HTTP  standardized  code  to resp.status will also set
1333          resp.reason to the corresponding status message.
1334
1335          resp.status 200 will get changed into  304  by  core  code  after  a
1336          return(deliver)  from vcl_deliver for conditional requests to cached
1337          content if validation succeeds.
1338
1339          For the validation, first req.http.If-None-Match is compared against
1340          resp.http.Etag.  If  they  compare  equal according to the rules for
1341          weak validation (see RFC7232), a 304 is sent.
1342
1343          Secondly,    req.http.If-Modified-Since    is    compared    against
1344          resp.http.Last-Modified  or,  if  it  is unset, against the point in
1345          time when the object was last modified based on  the  Date  and  Age
1346          headers received with the backend response which created the object.
1347          If the object has not been modified based on that comparison, a  304
1348          is sent.
1349
1350       resp.reason
1351          Type: STRING
1352
1353          Readable from: vcl_deliver, vcl_synth
1354
1355          Writable from: vcl_deliver, vcl_synth
1356
1357          The HTTP status message that will be returned.
1358
1359       resp.http.*
1360          Type: HEADER
1361
1362          Readable from: vcl_deliver, vcl_synth
1363
1364          Writable from: vcl_deliver, vcl_synth
1365
1366          Unsetable from: vcl_deliver, vcl_synth
1367
1368          The HTTP headers that will be returned.
1369
1370       resp.do_esi     VCL >= 4.1
1371          Type: BOOL
1372
1373          Readable from: vcl_deliver, vcl_synth
1374
1375          Writable from: vcl_deliver, vcl_synth
1376
1377          Default: Set if ESI parsing has happened.
1378
1379          This  can be used to selectively disable ESI processing, even though
1380          ESI parsing happened during fetch.   This  is  useful  when  Varnish
1381          caches peer with each other.
1382
1383       resp.is_streaming
1384          Type: BOOL
1385
1386          Readable from: vcl_deliver, vcl_synth
1387
1388          Returns  true when the response will be streamed while being fetched
1389          from the backend.
1390
1391       resp.filters
1392          Type: STRING
1393
1394          Readable from: vcl_deliver, vcl_synth
1395
1396          Writable from: vcl_deliver, vcl_synth
1397
1398          List of VDP filters the resp.body will be pushed through.
1399
1400   Special variables
1401       now
1402          Type: TIME
1403
1404          Readable from: all
1405
1406          The current time, in seconds since the UNIX epoch.
1407
1408          When converted to STRING in expressions it returns a formatted time‐
1409          stamp like Tue, 20 Feb 2018 09:30:31 GMT
1410
1411   sess
1412       A  session  corresponds  to  the "conversation" that Varnish has with a
1413       single client connection,  over  which  one  or  more  request/response
1414       transactions may take place. It may comprise the traffic over an HTTP/1
1415       keep-alive connection, or the multiplexed traffic over an  HTTP/2  con‐
1416       nection.
1417
1418       sess.xid        VCL >= 4.1
1419          Type: STRING
1420
1421          Readable from: client, backend
1422
1423          Unique ID of this session.
1424
1425       sess.timeout_idle
1426          Type: DURATION
1427
1428          Readable from: client
1429
1430          Writable from: client
1431
1432          Idle  timeout for this session, defaults to the timeout_idle parame‐
1433          ter, see varnishd(1)
1434
1435       sess.timeout_linger
1436          Type: DURATION
1437
1438          Readable from: client
1439
1440          Writable from: client
1441
1442          Linger timeout for this  session,  defaults  to  the  timeout_linger
1443          parameter, see varnishd(1)
1444
1445       sess.send_timeout
1446          Type: DURATION
1447
1448          Readable from: client
1449
1450          Writable from: client
1451
1452          Total   timeout  for  ordinary  HTTP1  responses,  defaults  to  the
1453          send_timeout parameter, see varnishd(1)
1454
1455       sess.idle_send_timeout
1456          Type: DURATION
1457
1458          Readable from: client
1459
1460          Writable from: client
1461
1462          Send timeout for individual pieces of data  on  client  connections,
1463          defaults to the idle_send_timeout parameter, see varnishd(1)
1464
1465   storage
1466       storage.<name>.free_space
1467          Type: BYTES
1468
1469          Readable from: client, backend
1470
1471          Free  space available in the named stevedore. Only available for the
1472          malloc stevedore.
1473
1474       storage.<name>.used_space
1475          Type: BYTES
1476
1477          Readable from: client, backend
1478
1479          Used space in the named stevedore. Only  available  for  the  malloc
1480          stevedore.
1481
1482       storage.<name>.happy
1483          Type: BOOL
1484
1485          Readable from: client, backend
1486
1487          Health  status  for the named stevedore. Not available in any of the
1488          current stevedores.
1489
1490   Functions
1491       The following built-in functions are available:
1492
1493   ban(STRING)
1494          Invalidates all objects in cache that  match  the  given  expression
1495          with the ban mechanism.
1496
1497          The format of STRING is:
1498
1499              <field> <operator> <arg> [&& <field> <oper> <arg> ...]
1500
1501          · <field>:
1502
1503            · string fields:
1504
1505              · req.url: The request url
1506
1507              · req.http.*: Any request header
1508
1509              · obj.status: The cache object status
1510
1511              · obj.http.*: Any cache object header
1512
1513              obj.status  is  treated  as a string despite the fact that it is
1514              actually an integer.
1515
1516            · duration fields:
1517
1518              · obj.ttl: Remaining ttl at the time the ban is issued
1519
1520              · obj.age: Object age at the time the ban is issued
1521
1522              · obj.grace: The grace time of the object
1523
1524              · obj.keep: The keep time of the object
1525
1526          · <operator>:
1527
1528            · for all fields:
1529
1530              · ==: <field> and <arg> are equal
1531
1532              · !=: <field> and <arg> are unequal
1533
1534              strings are compared case sensitively
1535
1536            · for string fields:
1537
1538              · ~: <field> matches the regular expression <arg>
1539
1540              · !~:<field> does not match the regular expression <arg>
1541
1542            · for duration fields:
1543
1544              · >: <field> is greater than <arg>
1545
1546              · >=: <field> is greater than or equal to <arg>
1547
1548              · <: <field> is less than <arg>
1549
1550              · <=: <field> is less than or equal to <arg>
1551
1552          · <arg>:
1553
1554            · for string fields:
1555
1556              Either a literal string or a regular expression. Note that <arg>
1557              does not use any of the string delimiters like " or {"..."} used
1558              elsewhere in varnish. To match against strings containing white‐
1559              space, regular expressions containing \s can be used.
1560
1561            · for duration fields:
1562
1563              A VCL duration like 10s, 5m or 1h, see Durations
1564
1565          Expressions  can be chained using the and operator &&. For or seman‐
1566          tics, use several bans.
1567
1568          The unset <field> is not equal to  any  string,  such  that,  for  a
1569          non-existing  header,  the  operators  ==  and  ~ always evaluate as
1570          false, while the operators  !=  and  !~  always  evaluate  as  true,
1571          respectively, for any value of <arg>.
1572
1573   hash_data(input)
1574          Adds  an input to the hash input. In the built-in VCL hash_data() is
1575          called on the host and URL of the request. Available in vcl_hash.
1576
1577   synthetic(STRING)
1578          Prepare a synthetic response body containing the  STRING.  Available
1579          in vcl_synth and vcl_backend_error.
1580
1581          Identical to set resp.body /  set beresp.body.
1582
1583   regsub(str, regex, sub)
1584          Returns  a  copy  of  str  with  the first occurrence of the regular
1585          expression regex replaced with sub. Within sub, \0 (which  can  also
1586          be spelled \&) is replaced with the entire matched string, and \n is
1587          replaced with the contents of subgroup n in the matched string.
1588
1589   regsuball(str, regex, sub)
1590          As regsub(), but this replaces all occurrences.
1591
1592       For converting or casting VCL values between data types use  the  func‐
1593       tions available in the std VMOD.
1594

VERSIONING

1596       Multiple  versions  of  the  VCL syntax can coexist within certain con‐
1597       straints.
1598
1599       The VCL syntax version at the start of VCL file specified with -f  sets
1600       the  hard  limit  that  cannot be exceeded anywhere, and it selects the
1601       appropriate version of the builtin VCL.
1602
1603       That means that you can never include vcl 9.1; from vcl 8.7;,  but  the
1604       opposite may be possible, to the extent the compiler supports it.
1605
1606       Files  pulled  in via include do not need to have a vcl X.Y; but it may
1607       be a good idea to do it anyway, to not have surprises  in  the  future.
1608       The  syntax  version  set in an included file only applies to that file
1609       and any files it includes - unless these set their own VCL syntax  ver‐
1610       sion.
1611
1612       The  version  of  Varnish  this file belongs to supports syntax 4.0 and
1613       4.1.
1614

EXAMPLES

1616       For examples, please see the online documentation.
1617

SEE ALSO

1619       · varnishd(1)
1620
1621       · vmod_directors(3)
1622
1623       · vmod_std(3)
1624

HISTORY

1626       VCL was developed by Poul-Henning Kamp in cooperation with Verdens Gang
1627       AS,  Redpill  Linpro and Varnish Software.  This manual page is written
1628       by Per Buer, Poul-Henning Kamp, Martin Blix  Grydeland,  Kristian  Lyn‐
1629       gstøl, Lasse Karstensen and possibly others.
1630
1632       This document is licensed under the same license as Varnish itself. See
1633       LICENSE for details.
1634
1635       · Copyright (c) 2006 Verdens Gang AS
1636
1637       · Copyright (c) 2006-2015 Varnish Software AS
1638
1639
1640
1641
1642                                                                        VCL(7)
Impressum