1VCL(7) VCL(7)
2
3
4
6 VCL - Varnish Configuration Language
7
9 The VCL language is a small domain-specific language designed to be
10 used to describe request handling and document caching policies for
11 Varnish Cache.
12
13 When a new configuration is loaded, the varnishd management process
14 translates the VCL code to C and compiles it to a shared object which
15 is then loaded into the server process.
16
17 This document focuses on the syntax of the VCL language. For a full
18 description of syntax and semantics, with ample examples, please see
19 the online documentation at https://www.varnish-cache.org/docs/ .
20
21 Starting with Varnish 4.0, each VCL file must start by declaring its
22 version with vcl <major>.<minor>; marker at the top of the file. See
23 more about this under Versioning below.
24
25 Operators
26 The following operators are available in VCL:
27
28 = Assignment operator.
29
30 +=, -=, *=, /=
31 Assign and increment/decrement/multiply/divide operator.
32
33 For strings, += appends.
34
35 ==, !=, <, >, <=, >=
36 Comparisons
37
38 ~, !~ Match / non-match. Can either be used with regular expres‐
39 sions or ACLs.
40
41 ! Negation.
42
43 && / ||
44 Logical and/or.
45
46 Conditionals
47 VCL has if and else statements. Nested logic can be implemented with
48 the elseif statement (elsif/elif/else if are equivalent).
49
50 Note that there are no loops or iterators of any kind in VCL.
51
52 Strings, booleans, time, duration, integers and real numbers
53 These are the data types in Varnish. You can set or unset these.
54
55 Example:
56
57 set req.http.User-Agent = "unknown";
58 unset req.http.Range;
59
60 Strings
61 Basic strings are enclosed in double quotes "...", and may not contain
62 newlines. Long strings are enclosed in {"..."}. They may contain any
63 character including single double quotes ", newline and other control
64 characters except for the NUL (0x00) character.
65
66 Booleans
67 Booleans can be either true or false. In addition, in a boolean con‐
68 text some data types will evaluate to true or false depending on their
69 value.
70
71 String types will evaluate to false if they are unset. This allows
72 checks of the type if (req.http.opthdr) {} to test if a header exists,
73 even if it is empty, whereas if (req.http.opthdr == "") {} does not
74 distinguish if the header does not exist or if it is empty.
75
76 Backend types will evaluate to false if they don't have a backend
77 assigned; integer types will evaluate to false if their value is zero;
78 duration types will evaluate to false if their value is equal or less
79 than zero.
80
81 Time
82 VCL has time. A duration can be added to a time to make another time.
83 In string context they return a formatted string in RFC1123 format,
84 e.g. Sun, 06 Nov 1994 08:49:37 GMT.
85
86 The keyword now returns a notion of the current time, which is kept
87 consistent during VCL subroutine invocations, so during the execution
88 of a VCL state subroutine (vcl_* {}), including all user-defined sub‐
89 routines being called, now always returns the same value.
90
91 Durations
92 Durations are defined by a number followed by a unit. The number can
93 include a fractional part, e.g. 1.5s. The supported units are:
94
95 ms milliseconds
96
97 s seconds
98
99 m minutes
100
101 h hours
102
103 d days
104
105 w weeks
106
107 y years
108
109 In string context they return a string with their value rounded to 3
110 decimal places and excluding the unit, e.g. 1.500.
111
112 Integers
113 Certain fields are integers, used as expected. In string context they
114 return a string, e.g. 1234.
115
116 Real numbers
117 VCL understands real numbers. In string context they return a string
118 with their value rounded to 3 decimal places, e.g. 3.142.
119
120 Regular Expressions
121 Varnish uses Perl-compatible regular expressions (PCRE). For a complete
122 description please see the pcre(3) man page.
123
124 To send flags to the PCRE engine, such as to do case insensitive match‐
125 ing, add the flag within parens following a question mark, like this:
126
127 # If host is NOT example dot com..
128 if (req.http.host !~ "(?i)example\.com$") {
129 ...
130 }
131
132 Include statement
133 To include a VCL file in another file use the include keyword:
134
135 include "foo.vcl";
136
137 Import statement
138 The import statement is used to load Varnish Modules (VMODs.)
139
140 Example:
141
142 import std;
143 sub vcl_recv {
144 std.log("foo");
145 }
146
147 Comments
148 Single lines of VCL can be commented out using // or #. Multi-line
149 blocks can be commented out with /*block*/.
150
151 Example:
152
153 sub vcl_recv {
154 // Single line of out-commented VCL.
155 # Another way of commenting out a single line.
156 /*
157 Multi-line block of commented-out VCL.
158 */
159 }
160
161 Backend definition
162 A backend declaration creates and initialises a named backend object. A
163 declaration start with the keyword backend followed by the name of the
164 backend. The actual declaration is in curly brackets, in a key/value
165 fashion.:
166
167 backend name {
168 .attribute = "value";
169 }
170
171 One of the attributes .host or .path is mandatory (but not both). The
172 attributes will inherit their defaults from the global parameters. The
173 following attributes are available:
174
175 .host The host to be used. IP address or a hostname that resolves
176 to a single IP address. This attribute is mandatory, unless
177 .path is declared.
178
179 .path (VCL >= 4.1)
180 The absolute path of a Unix domain socket at which a backend is
181 listening. If the file at that path does not exist or is not
182 accessible to Varnish at VCL load time, then the VCL compiler
183 issues a warning, but does not fail. This makes it possible to
184 start the UDS-listening peer, or set the socket file's permis‐
185 sions, after starting Varnish or loading VCL with a UDS backend.
186 But the socket file must exist and have necessary permissions
187 before the first connection is attempted, otherwise fetches will
188 fail. If the file does exist and is accessible, then it must be
189 a socket; otherwise the VCL load fails. One of .path or .host
190 must be declared (but not both). .path may only be used in VCL
191 since version 4.1.
192
193 .port The port on the backend that Varnish should connect to.
194 Ignored if a Unix domain socket is declared in .path.
195
196 .host_header
197 A host header to add to probes and regular backend requests
198 if they have no such header.
199
200 .connect_timeout
201 Timeout for connections.
202
203 Default: connect_timeout parameter, see varnishd(1)
204
205 .first_byte_timeout
206 Timeout for first byte.
207
208 Default: first_byte_timeout parameter, see varnishd(1)
209
210 .between_bytes_timeout
211 Timeout between bytes.
212
213 Default: between_bytes_timeout parameter, see varnishd(1)
214
215 .probe Attach a probe to the backend. See Probes
216
217 .proxy_header
218 The PROXY protocol version Varnish should use when connecting
219 to this backend. Allowed values are 1 and 2.
220
221 Notice this setting will lead to backend connections being
222 used for a single request only (subject to future improve‐
223 ments). Thus, extra care should be taken to avoid running
224 into failing backend connections with EADDRNOTAVAIL due to no
225 local ports being available. Possible options are:
226
227 · Use additional backend connections to extra IP addresses or
228 TCP ports
229
230 · Increase the number of available ports (Linux sysctl
231 net.ipv4.ip_local_port_range)
232
233 · Reuse backend connection ports early (Linux sysctl
234 net.ipv4.tcp_tw_reuse)
235
236 .max_connections
237 Maximum number of open connections towards this backend. If
238 Varnish reaches the maximum Varnish it will start failing
239 connections.
240
241 Empty backends can also be defined using the following syntax.:
242
243 backend name none;
244
245 An empty backend will always return status code 503 as if it is sick.
246
247 Backends can be used with directors. Please see the vmod_directors(3)
248 man page for more information.
249
250 Probes
251 Probes will query the backend for status on a regular basis and mark
252 the backend as down it they fail. A probe is defined as this:
253
254 probe name {
255 .attribute = "value";
256 }
257
258 The probe named default is special and will be used for all backends
259 which do not explicitly reference a probe.
260
261 There are no mandatory options. These are the options you can set:
262
263 .url The URL to query. Defaults to /. Mutually exclusive with
264 .request
265
266 .request
267 Specify a full HTTP request using multiple strings. .request
268 will have \r\n automatically inserted after every string.
269 Mutually exclusive with .url.
270
271 Note that probes require the backend to complete sending the
272 response and close the connection within the specified time‐
273 out, so .request will, for HTTP/1.1, most likely need to con‐
274 tain a "Connection: close" string.
275
276 .expected_response
277 The expected HTTP response code. Defaults to 200.
278
279 .timeout
280 The timeout for the probe. Default is 2s.
281
282 .interval
283 How often the probe is run. Default is 5s.
284
285 .initial
286 How many of the polls in .window are considered good when
287 Varnish starts. Defaults to the value of .threshold - 1. In
288 this case, the backend starts as sick and requires one single
289 poll to be considered healthy.
290
291 .window
292 How many of the latest polls we examine to determine backend
293 health. Defaults to 8.
294
295 .threshold
296 How many of the polls in .window must have succeeded to con‐
297 sider the backend to be healthy. Defaults to 3.
298
299 Access Control List (ACL)
300 An Access Control List (ACL) declaration creates and initialises a
301 named access control list which can later be used to match client
302 addresses:
303
304 acl localnetwork {
305 "localhost"; # myself
306 "192.0.2.0"/24; # and everyone on the local network
307 ! "192.0.2.23"; # except for the dial-in router
308 }
309
310 If an ACL entry specifies a host name which Varnish is unable to
311 resolve, it will match any address it is compared to. Consequently, if
312 it is preceded by a negation mark, it will reject any address it is
313 compared to, which may not be what you intended. If the entry is
314 enclosed in parentheses, however, it will simply be ignored.
315
316 To match an IP address against an ACL, simply use the match operator:
317
318 if (client.ip ~ localnetwork) {
319 return (pipe);
320 }
321
322 VCL objects
323 A VCL object can be instantiated with the new keyword:
324
325 sub vcl_init {
326 new b = directors.round_robin()
327 b.add_backend(node1);
328 }
329
330 This is only available in vcl_init.
331
332 Subroutines
333 A subroutine is used to group code for legibility or reusability:
334
335 sub pipe_if_local {
336 if (client.ip ~ localnetwork) {
337 return (pipe);
338 }
339 }
340
341 Subroutines in VCL do not take arguments, nor do they return values.
342 The built in subroutines all have names beginning with vcl_, which is
343 reserved.
344
345 To call a subroutine, use the call keyword followed by the subroutine's
346 name:
347
348 sub vcl_recv {
349 call pipe_if_local;
350 }
351
352 Return statements
353 The ongoing vcl_* subroutine execution ends when a return(<action>)
354 statement is made.
355
356 The <action> specifies how execution should proceed. The context
357 defines which actions are available.
358
359 Multiple subroutines
360 If multiple subroutines with the name of one of the built-in ones are
361 defined, they are concatenated in the order in which they appear in the
362 source.
363
364 The built-in VCL distributed with Varnish will be implicitly concate‐
365 nated when the VCL is compiled.
366
367 VCL Variables
368 Variables provide read, write and delete access to almost all aspects
369 of the work at hand.
370
371 Reading a variable is done simply by using its name in VCL:
372
373 if (client.ip ~ bad_guys) {
374 return (synth(400));
375 }
376
377 Writing a variable, where this is possible, is done with a set state‐
378 ment:
379
380 set resp.http.never = "Let You Down";
381
382 Similarly, deleting a variable, for the few variables where this is
383 possible, is done with a unset statement:
384
385 unset req.http.cookie;
386
387 Which operations are possible on each variable is described below,
388 often with the shorthand "backend" which covers the vcl_backend_* sub‐
389 routines and "client" which covers the rest, except vcl_init and
390 vcl_fini.
391
392 When setting a variable, the right hand side of the equal sign must
393 have the variables type, you cannot assign a STRING to a variable of
394 type NUMBER, even if the string is "42". (Explicit conversion func‐
395 tions can be found in vmod_std(3)).
396
397 local, server, remote and client
398 These variables describe the network connection between the client and
399 varnishd.
400
401 Without PROXY protocol:
402
403 client server
404 remote local
405 v v
406 CLIENT ------------ VARNISHD
407
408 With PROXY protocol:
409
410 client server remote local
411 v v v v
412 CLIENT ------------ PROXY ------------ VARNISHD
413
414 local.ip
415 Type: IP
416
417 Readable from: client, backend
418
419 The IP address (and port number) of the local end of the TCP connec‐
420 tion, for instance 192.168.1.1:81
421
422 If the connection is a UNIX domain socket, the value will be
423 0.0.0.0:0
424
425 local.endpoint VCL >= 4.1
426 Type: STRING
427
428 Readable from: client, backend
429
430 The address of the '-a' socket the session was accepted on.
431
432 If the argument was -a foo=:81 this would be ":81"
433
434 local.socket VCL >= 4.1
435 Type: STRING
436
437 Readable from: client, backend
438
439 The name of the '-a' socket the session was accepted on.
440
441 If the argument was -a foo=:81 this would be "foo".
442
443 Note that all '-a' gets a default name on the form a%d if no name is
444 provided.
445
446 remote.ip
447 Type: IP
448
449 Readable from: client, backend
450
451 The IP address of the other end of the TCP connection. This can
452 either be the clients IP, or the outgoing IP of a proxy server.
453
454 If the connection is a UNIX domain socket, the value will be
455 0.0.0.0:0
456
457 client.ip
458 Type: IP
459
460 Readable from: client, backend
461
462 The client's IP address, either the same as local.ip or what the
463 PROXY protocol told us.
464
465 client.identity
466 Type: STRING
467
468 Readable from: client
469
470 Writable from: client
471
472 Identification of the client, used to load balance in the client
473 director. Defaults to client.ip
474
475 This variable can be overwritten with more precise information, for
476 instance extracted from a Cookie: header.
477
478 server.ip
479 Type: IP
480
481 Readable from: client, backend
482
483 The IP address of the socket on which the client connection was
484 received, either the same as server.ip or what the PROXY protocol
485 told us.
486
487 server.hostname
488 Type: STRING
489
490 Readable from: all
491
492 The host name of the server, as returned by the gethostname(3) sys‐
493 tem function.
494
495 server.identity
496 Type: STRING
497
498 Readable from: all
499
500 The identity of the server, as set by the -i parameter.
501
502 If an -i parameter is not passed to varnishd, the return value from
503 gethostname(3) system function will be used.
504
505 req and req_top
506 These variables describe the present request, and when ESI:include
507 requests are being processed, req_top points to the request received
508 from the client.
509
510 req
511 Type: HTTP
512
513 Readable from: client
514
515 The entire request HTTP data structure. Mostly useful for passing
516 to VMODs.
517
518 req.method
519 Type: STRING
520
521 Readable from: client
522
523 Writable from: client
524
525 The request method (e.g. "GET", "HEAD", ...)
526
527 req.hash
528 Type: BLOB
529
530 Readable from: vcl_hit, vcl_miss, vcl_pass, vcl_purge, vcl_deliver
531
532 The hash key of this request. Mostly useful for passing to VMODs,
533 but can also be useful for debugging hit/miss status.
534
535 req.url
536 Type: STRING
537
538 Readable from: client
539
540 Writable from: client
541
542 The requested URL, for instance "/robots.txt".
543
544 req.proto VCL <= 4.0
545 Type: STRING
546
547 Readable from: client
548
549 Writable from: client
550
551 The HTTP protocol version used by the client, usually "HTTP/1.1" or
552 "HTTP/2.0".
553
554 req.proto VCL >= 4.1
555 Type: STRING
556
557 Readable from: client
558
559 The HTTP protocol version used by the client, usually "HTTP/1.1" or
560 "HTTP/2.0".
561
562 req.http.*
563 Type: HEADER
564
565 Readable from: client
566
567 Writable from: client
568
569 Unsetable from: client
570
571 The headers of request, things like req.http.date.
572
573 The RFCs allow multiple headers with the same name, and both set and
574 unset will remove all headers with the name given.
575
576 req.restarts
577 Type: INT
578
579 Readable from: client
580
581 A count of how many times this request has been restarted.
582
583 req.storage
584 Type: STEVEDORE
585
586 Readable from: client
587
588 Writable from: client
589
590 The storage backend to use to save this request body.
591
592 req.esi_level
593 Type: INT
594
595 Readable from: client
596
597 A count of how many levels of ESI requests we're currently at.
598
599 req.ttl
600 Type: DURATION
601
602 Readable from: client
603
604 Writable from: client
605
606 Upper limit on the object age for cache lookups to return hit.
607
608 req.grace
609 Type: DURATION
610
611 Readable from: client
612
613 Writable from: client
614
615 Upper limit on the object grace.
616
617 During lookup the minimum of req.grace and the object's stored grace
618 value will be used as the object's grace.
619
620 req.xid
621 Type: STRING
622
623 Readable from: client
624
625 Unique ID of this request.
626
627 req.esi VCL <= 4.0
628 Type: BOOL
629
630 Readable from: client
631
632 Writable from: client
633
634 Set to false to disable ESI processing regardless of any value in
635 beresp.do_esi. Defaults to true. This variable is replaced by
636 resp.do_esi in VCL 4.1.
637
638 req.can_gzip
639 Type: BOOL
640
641 Readable from: client
642
643 True if the client provided gzip or x-gzip in the Accept-Encoding
644 header.
645
646 req.backend_hint
647 Type: BACKEND
648
649 Readable from: client
650
651 Writable from: client
652
653 Set bereq.backend to this if we attempt to fetch. When set to a
654 director, reading this variable returns an actual backend if the
655 director has resolved immediately, or the director otherwise. When
656 used in string context, returns the name of the director or backend,
657 respectively.
658
659 req.hash_ignore_busy
660 Type: BOOL
661
662 Readable from: client
663
664 Writable from: client
665
666 Default: false.
667
668 Ignore any busy object during cache lookup.
669
670 You only want to do this when you have two server looking up content
671 sideways from each other to avoid deadlocks.
672
673 req.hash_always_miss
674 Type: BOOL
675
676 Readable from: client
677
678 Writable from: client
679
680 Default: false.
681
682 Force a cache miss for this request, even if perfectly good matching
683 objects are in the cache.
684
685 This is useful to force-update the cache without invalidating exist‐
686 ing entries in case the fetch fails.
687
688 req.is_hitmiss
689 Type: BOOL
690
691 Readable from: client
692
693 If this request resulted in a hitmiss
694
695 req.is_hitpass
696 Type: BOOL
697
698 Readable from: client
699
700 If this request resulted in a hitpass
701
702 req_top.method
703 Type: STRING
704
705 Readable from: client
706
707 The request method of the top-level request in a tree of ESI
708 requests. (e.g. "GET", "HEAD"). Identical to req.method in non-ESI
709 requests.
710
711 req_top.url
712 Type: STRING
713
714 Readable from: client
715
716 The requested URL of the top-level request in a tree of ESI
717 requests. Identical to req.url in non-ESI requests.
718
719 req_top.http.*
720 Type: HEADER
721
722 Readable from: client
723
724 HTTP headers of the top-level request in a tree of ESI requests.
725 Identical to req.http. in non-ESI requests.
726
727 req_top.proto
728 Type: STRING
729
730 Readable from: client
731
732 HTTP protocol version of the top-level request in a tree of ESI
733 requests. Identical to req.proto in non-ESI requests.
734
735 bereq
736 This is the request we send to the backend, it is built from the
737 clients req.* fields by filtering out "per-hop" fields which should not
738 be passed along (Connection:, Range: and similar).
739
740 Slightly more fields are allowed through for pass fetches than for miss
741 fetches, for instance Range.
742
743 bereq
744 Type: HTTP
745
746 Readable from: backend
747
748 The entire backend request HTTP data structure. Mostly useful as
749 argument to VMODs.
750
751 bereq.xid
752 Type: STRING
753
754 Readable from: backend
755
756 Unique ID of this request.
757
758 bereq.retries
759 Type: INT
760
761 Readable from: backend
762
763 A count of how many times this request has been retried.
764
765 bereq.backend
766 Type: BACKEND
767
768 Readable from: vcl_pipe, backend
769
770 Writable from: vcl_pipe, backend
771
772 This is the backend or director we attempt to fetch from. When set
773 to a director, reading this variable returns an actual backend if
774 the director has resolved immediately, or the director otherwise.
775 When used in string context, returns the name of the director or
776 backend, respectively.
777
778 bereq.body
779 Type: BODY
780
781 Unsetable from: vcl_backend_fetch
782
783 The request body.
784
785 Unset will also remove bereq.http.Content-Length.
786
787 bereq.hash
788 Type: BLOB
789
790 Readable from: vcl_pipe, backend
791
792 The hash key of this request, a copy of req.hash.
793
794 bereq.method
795 Type: STRING
796
797 Readable from: vcl_pipe, backend
798
799 Writable from: vcl_pipe, backend
800
801 The request type (e.g. "GET", "HEAD").
802
803 Regular (non-pipe, non-pass) fetches are always "GET"
804
805 bereq.url
806 Type: STRING
807
808 Readable from: vcl_pipe, backend
809
810 Writable from: vcl_pipe, backend
811
812 The requested URL, copied from req.url
813
814 bereq.proto VCL <= 4.0
815 Type: STRING
816
817 Readable from: vcl_pipe, backend
818
819 Writable from: vcl_pipe, backend
820
821 The HTTP protocol version, "HTTP/1.1" unless a pass or pipe request
822 has "HTTP/1.0" in req.proto
823
824 bereq.proto VCL >= 4.1
825 Type: STRING
826
827 Readable from: vcl_pipe, backend
828
829 The HTTP protocol version, "HTTP/1.1" unless a pass or pipe request
830 has "HTTP/1.0" in req.proto
831
832 bereq.http.*
833 Type: HEADER
834
835 Readable from: vcl_pipe, backend
836
837 Writable from: vcl_pipe, backend
838
839 Unsetable from: vcl_pipe, backend
840
841 The headers to be sent to the backend.
842
843 bereq.uncacheable
844 Type: BOOL
845
846 Readable from: backend
847
848 Indicates whether this request is uncacheable due to a pass in the
849 client side or a hit on an hit-for-pass object.
850
851 bereq.connect_timeout
852 Type: DURATION
853
854 Readable from: vcl_pipe, backend
855
856 Writable from: vcl_pipe, backend
857
858 Default: .connect_timeout attribute from the backend_definition,
859 which defaults to the connect_timeout parameter, see varnishd(1).
860
861 The time in seconds to wait for a backend connection to be estab‐
862 lished.
863
864 bereq.first_byte_timeout
865 Type: DURATION
866
867 Readable from: backend
868
869 Writable from: backend
870
871 Default: .first_byte_timeout attribute from the backend_definition,
872 which defaults to the first_byte_timeout parameter, see varnishd(1).
873
874 The time in seconds to wait getting the first byte back from the
875 backend. Not available in pipe mode.
876
877 bereq.between_bytes_timeout
878 Type: DURATION
879
880 Readable from: backend
881
882 Writable from: backend
883
884 Default: .between_bytes_timeout attribute from the backend_defini‐
885 tion, which defaults to the between_bytes_timeout parameter, see
886 varnishd(1).
887
888 The time in seconds to wait between each received byte from the
889 backend. Not available in pipe mode.
890
891 bereq.is_bgfetch
892 Type: BOOL
893
894 Readable from: backend
895
896 True for fetches where the client got a hit on an object in grace,
897 and this fetch was kicked of in the background to get a fresh copy.
898
899 beresp
900 The response received from the backend, one cache misses, the store
901 object is built from beresp.
902
903 beresp
904 Type: HTTP
905
906 Readable from: vcl_backend_response, vcl_backend_error
907
908 The entire backend response HTTP data structure, useful as argument
909 to VMOD functions.
910
911 beresp.body
912 Type: BODY
913
914 Writable from: vcl_backend_error
915
916 For producing a synthetic body.
917
918 beresp.proto VCL <= 4.0
919 Type: STRING
920
921 Readable from: vcl_backend_response, vcl_backend_error
922
923 Writable from: vcl_backend_response, vcl_backend_error
924
925 The HTTP protocol version the backend replied with.
926
927 beresp.proto VCL >= 4.1
928 Type: STRING
929
930 Readable from: vcl_backend_response, vcl_backend_error
931
932 The HTTP protocol version the backend replied with.
933
934 beresp.status
935 Type: INT
936
937 Readable from: vcl_backend_response, vcl_backend_error
938
939 Writable from: vcl_backend_response, vcl_backend_error
940
941 The HTTP status code returned by the server.
942
943 Status codes on the form XXYZZ can be set where XXYZZ is less than
944 65536 and Y is [1...9]. Only YZZ will be sent back to clients.
945
946 XX can be therefore be used to pass information around inside VCL,
947 for instance return(synth(22404)) from vcl_recv{} to vcl_synth{}
948
949 beresp.reason
950 Type: STRING
951
952 Readable from: vcl_backend_response, vcl_backend_error
953
954 Writable from: vcl_backend_response, vcl_backend_error
955
956 The HTTP status message returned by the server.
957
958 beresp.http.*
959 Type: HEADER
960
961 Readable from: vcl_backend_response, vcl_backend_error
962
963 Writable from: vcl_backend_response, vcl_backend_error
964
965 Unsetable from: vcl_backend_response, vcl_backend_error
966
967 The HTTP headers returned from the server.
968
969 beresp.do_esi
970 Type: BOOL
971
972 Readable from: vcl_backend_response, vcl_backend_error
973
974 Writable from: vcl_backend_response, vcl_backend_error
975
976 Default: false.
977
978 Set it to true to parse the object for ESI directives. Will only be
979 honored if req.esi is true.
980
981 beresp.do_stream
982 Type: BOOL
983
984 Readable from: vcl_backend_response, vcl_backend_error
985
986 Writable from: vcl_backend_response, vcl_backend_error
987
988 Default: true.
989
990 Deliver the object to the client while fetching the whole object
991 into varnish.
992
993 For uncacheable objects, storage for parts of the body which have
994 been sent to the client may get freed early, depending on the stor‐
995 age engine used.
996
997 This variable has no effect if do_esi is true or when the response
998 body is empty.
999
1000 beresp.do_gzip
1001 Type: BOOL
1002
1003 Readable from: vcl_backend_response, vcl_backend_error
1004
1005 Writable from: vcl_backend_response, vcl_backend_error
1006
1007 Default: false.
1008
1009 Set to true to gzip the object while storing it.
1010
1011 If http_gzip_support is disabled, setting this variable has no
1012 effect.
1013
1014 beresp.do_gunzip
1015 Type: BOOL
1016
1017 Readable from: vcl_backend_response, vcl_backend_error
1018
1019 Writable from: vcl_backend_response, vcl_backend_error
1020
1021 Default: false.
1022
1023 Set to true to gunzip the object while storing it in the cache.
1024
1025 If http_gzip_support is disabled, setting this variable has no
1026 effect.
1027
1028 beresp.was_304
1029 Type: BOOL
1030
1031 Readable from: vcl_backend_response, vcl_backend_error
1032
1033 When true this indicates that we got a 304 response to our condi‐
1034 tional fetch from the backend and turned that into beresp.status =
1035 200
1036
1037 beresp.uncacheable
1038 Type: BOOL
1039
1040 Readable from: vcl_backend_response, vcl_backend_error
1041
1042 Writable from: vcl_backend_response, vcl_backend_error
1043
1044 Inherited from bereq.uncacheable, see there.
1045
1046 Setting this variable makes the object uncacheable.
1047
1048 This may may produce a hit-for-miss object in the cache.
1049
1050 Clearing the variable has no effect and will log the warning "Ignor‐
1051 ing attempt to reset beresp.uncacheable".
1052
1053 beresp.ttl
1054 Type: DURATION
1055
1056 Readable from: vcl_backend_response, vcl_backend_error
1057
1058 Writable from: vcl_backend_response, vcl_backend_error
1059
1060 Default: Cache-Control s-maxage or max-age directives, or a value
1061 computed from the Expires header's deadline, or the default_ttl
1062 parameter.
1063
1064 The object's remaining time to live, in seconds.
1065
1066 beresp.age
1067 Type: DURATION
1068
1069 Readable from: vcl_backend_response, vcl_backend_error
1070
1071 Default: Age header, or zero.
1072
1073 The age of the object.
1074
1075 beresp.grace
1076 Type: DURATION
1077
1078 Readable from: vcl_backend_response, vcl_backend_error
1079
1080 Writable from: vcl_backend_response, vcl_backend_error
1081
1082 Default: Cache-Control stale-while-revalidate directive, or
1083 default_grace parameter.
1084
1085 Set to a period to enable grace.
1086
1087 beresp.keep
1088 Type: DURATION
1089
1090 Readable from: vcl_backend_response, vcl_backend_error
1091
1092 Writable from: vcl_backend_response, vcl_backend_error
1093
1094 Default: default_keep parameter.
1095
1096 Set to a period to enable conditional backend requests.
1097
1098 The keep time is cache lifetime in addition to the ttl.
1099
1100 Objects with ttl expired but with keep time left may be used to
1101 issue conditional (If-Modified-Since / If-None-Match) requests to
1102 the backend to refresh them.
1103
1104 beresp.backend
1105 Type: BACKEND
1106
1107 Readable from: vcl_backend_response, vcl_backend_error
1108
1109 This is the backend we fetched from. If bereq.backend was set to a
1110 director, this will be the backend selected by the director. When
1111 used in string context, returns its name.
1112
1113 beresp.backend.name
1114 Type: STRING
1115
1116 Readable from: vcl_backend_response, vcl_backend_error
1117
1118 Name of the backend this response was fetched from. Same as
1119 beresp.backend.
1120
1121 beresp.backend.ip VCL <= 4.0
1122 Type: IP
1123
1124 Readable from: vcl_backend_response
1125
1126 IP of the backend this response was fetched from.
1127
1128 beresp.storage
1129 Type: STEVEDORE
1130
1131 Readable from: vcl_backend_response, vcl_backend_error
1132
1133 Writable from: vcl_backend_response, vcl_backend_error
1134
1135 The storage backend to use to save this object.
1136
1137 beresp.storage_hint VCL <= 4.0
1138 Type: STRING
1139
1140 Readable from: vcl_backend_response, vcl_backend_error
1141
1142 Writable from: vcl_backend_response, vcl_backend_error
1143
1144 Deprecated since varnish 5.1 and discontinued since VCL 4.1 (varnish
1145 6.0). Use beresp.storage instead.
1146
1147 Hint to Varnish that you want to save this object to a particular
1148 storage backend.
1149
1150 beresp.filters
1151 Type: STRING
1152
1153 Readable from: vcl_backend_response
1154
1155 Writable from: vcl_backend_response
1156
1157 List of Varnish Fetch Processor (VFP) filters the beresp.body will
1158 be pulled through. The order left to right signifies processing from
1159 backend to cache, iow the leftmost filter is run first on the body
1160 as received from the backend after decoding of any transfer encod‐
1161 ings.
1162
1163 VFP Filters change the body before going into the cache and/or being
1164 handed to the client side, where it may get processed again by
1165 resp.filters.
1166
1167 The following VFP filters exist in varnish-cache:
1168
1169 · gzip: compress a body using gzip
1170
1171 · testgunzip: Test if a body is valid gzip and refuse it otherwise
1172
1173 · gunzip: Uncompress gzip content
1174
1175 · esi: ESI-process plain text content
1176
1177 · esi_gzip: Save gzipped snippets for efficient ESI-processing
1178
1179 This filter enables stitching together ESI from individually
1180 gzipped fragments, saving processing power for re-compression on
1181 the client side at the expense of some compression efficiency.
1182
1183 Additional VFP filters are available from VMODs.
1184
1185 By default, beresp.filters is constructed as follows:
1186
1187 · gunzip gets added for gzipped content if beresp.do_gunzip or
1188 beresp.do_esi are true.
1189
1190 · esi_gzip gets added if beresp.do_esi is true together with
1191 beresp.do_gzip or content is already compressed.
1192
1193 · esi gets added if beresp.do_esi is true
1194
1195 · gzip gets added for uncompressed content if beresp.do_gzip is true
1196
1197 · testgunzip gets added for compressed content if beresp.do_gunzip
1198 is false.
1199
1200 obj
1201 This is the object we found in cache. It cannot be modified.
1202
1203 obj.proto
1204 Type: STRING
1205
1206 Readable from: vcl_hit
1207
1208 The HTTP protocol version stored in the object.
1209
1210 obj.status
1211 Type: INT
1212
1213 Readable from: vcl_hit
1214
1215 The HTTP status code stored in the object.
1216
1217 obj.reason
1218 Type: STRING
1219
1220 Readable from: vcl_hit
1221
1222 The HTTP reason phrase stored in the object.
1223
1224 obj.hits
1225 Type: INT
1226
1227 Readable from: vcl_hit, vcl_deliver
1228
1229 The count of cache-hits on this object.
1230
1231 In vcl_deliver a value of 0 indicates a cache miss.
1232
1233 obj.http.*
1234 Type: HEADER
1235
1236 Readable from: vcl_hit
1237
1238 The HTTP headers stored in the object.
1239
1240 obj.ttl
1241 Type: DURATION
1242
1243 Readable from: vcl_hit, vcl_deliver
1244
1245 The object's remaining time to live, in seconds.
1246
1247 obj.age
1248 Type: DURATION
1249
1250 Readable from: vcl_hit, vcl_deliver
1251
1252 The age of the object.
1253
1254 obj.grace
1255 Type: DURATION
1256
1257 Readable from: vcl_hit, vcl_deliver
1258
1259 The object's grace period in seconds.
1260
1261 obj.keep
1262 Type: DURATION
1263
1264 Readable from: vcl_hit, vcl_deliver
1265
1266 The object's keep period in seconds.
1267
1268 obj.uncacheable
1269 Type: BOOL
1270
1271 Readable from: vcl_deliver
1272
1273 Whether the object is uncacheable (pass, hit-for-pass or
1274 hit-for-miss).
1275
1276 obj.storage
1277 Type: STEVEDORE
1278
1279 Readable from: vcl_hit, vcl_deliver
1280
1281 The storage backend where this object is stored.
1282
1283 resp
1284 This is the response we send to the client, it is built from either
1285 beresp (pass/miss), obj (hits) or created from whole cloth (synth).
1286
1287 With the exception of resp.body all resp.* variables available in both
1288 vcl_deliver{} and vcl_synth{} as a matter of symmetry.
1289
1290 resp
1291 Type: HTTP
1292
1293 Readable from: vcl_deliver, vcl_synth
1294
1295 The entire response HTTP data structure, useful as argument to
1296 VMODs.
1297
1298 resp.body
1299 Type: BODY
1300
1301 Writable from: vcl_synth
1302
1303 To produce a synthetic response body, for instance for errors.
1304
1305 resp.proto VCL <= 4.0
1306 Type: STRING
1307
1308 Readable from: vcl_deliver, vcl_synth
1309
1310 Writable from: vcl_deliver, vcl_synth
1311
1312 The HTTP protocol version to use for the response.
1313
1314 resp.proto VCL >= 4.1
1315 Type: STRING
1316
1317 Readable from: vcl_deliver, vcl_synth
1318
1319 Writable from: vcl_deliver, vcl_synth
1320
1321 The HTTP protocol version to use for the response.
1322
1323 resp.status
1324 Type: INT
1325
1326 Readable from: vcl_deliver, vcl_synth
1327
1328 Writable from: vcl_deliver, vcl_synth
1329
1330 The HTTP status code that will be returned.
1331
1332 Assigning a HTTP standardized code to resp.status will also set
1333 resp.reason to the corresponding status message.
1334
1335 resp.status 200 will get changed into 304 by core code after a
1336 return(deliver) from vcl_deliver for conditional requests to cached
1337 content if validation succeeds.
1338
1339 For the validation, first req.http.If-None-Match is compared against
1340 resp.http.Etag. If they compare equal according to the rules for
1341 weak validation (see RFC7232), a 304 is sent.
1342
1343 Secondly, req.http.If-Modified-Since is compared against
1344 resp.http.Last-Modified or, if it is unset, against the point in
1345 time when the object was last modified based on the Date and Age
1346 headers received with the backend response which created the object.
1347 If the object has not been modified based on that comparison, a 304
1348 is sent.
1349
1350 resp.reason
1351 Type: STRING
1352
1353 Readable from: vcl_deliver, vcl_synth
1354
1355 Writable from: vcl_deliver, vcl_synth
1356
1357 The HTTP status message that will be returned.
1358
1359 resp.http.*
1360 Type: HEADER
1361
1362 Readable from: vcl_deliver, vcl_synth
1363
1364 Writable from: vcl_deliver, vcl_synth
1365
1366 Unsetable from: vcl_deliver, vcl_synth
1367
1368 The HTTP headers that will be returned.
1369
1370 resp.do_esi VCL >= 4.1
1371 Type: BOOL
1372
1373 Readable from: vcl_deliver, vcl_synth
1374
1375 Writable from: vcl_deliver, vcl_synth
1376
1377 Default: Set if ESI parsing has happened.
1378
1379 This can be used to selectively disable ESI processing, even though
1380 ESI parsing happened during fetch. This is useful when Varnish
1381 caches peer with each other.
1382
1383 resp.is_streaming
1384 Type: BOOL
1385
1386 Readable from: vcl_deliver, vcl_synth
1387
1388 Returns true when the response will be streamed while being fetched
1389 from the backend.
1390
1391 resp.filters
1392 Type: STRING
1393
1394 Readable from: vcl_deliver, vcl_synth
1395
1396 Writable from: vcl_deliver, vcl_synth
1397
1398 List of VDP filters the resp.body will be pushed through.
1399
1400 Special variables
1401 now
1402 Type: TIME
1403
1404 Readable from: all
1405
1406 The current time, in seconds since the UNIX epoch.
1407
1408 When converted to STRING in expressions it returns a formatted time‐
1409 stamp like Tue, 20 Feb 2018 09:30:31 GMT
1410
1411 sess
1412 A session corresponds to the "conversation" that Varnish has with a
1413 single client connection, over which one or more request/response
1414 transactions may take place. It may comprise the traffic over an HTTP/1
1415 keep-alive connection, or the multiplexed traffic over an HTTP/2 con‐
1416 nection.
1417
1418 sess.xid VCL >= 4.1
1419 Type: STRING
1420
1421 Readable from: client, backend
1422
1423 Unique ID of this session.
1424
1425 sess.timeout_idle
1426 Type: DURATION
1427
1428 Readable from: client
1429
1430 Writable from: client
1431
1432 Idle timeout for this session, defaults to the timeout_idle parame‐
1433 ter, see varnishd(1)
1434
1435 sess.timeout_linger
1436 Type: DURATION
1437
1438 Readable from: client
1439
1440 Writable from: client
1441
1442 Linger timeout for this session, defaults to the timeout_linger
1443 parameter, see varnishd(1)
1444
1445 sess.send_timeout
1446 Type: DURATION
1447
1448 Readable from: client
1449
1450 Writable from: client
1451
1452 Total timeout for ordinary HTTP1 responses, defaults to the
1453 send_timeout parameter, see varnishd(1)
1454
1455 sess.idle_send_timeout
1456 Type: DURATION
1457
1458 Readable from: client
1459
1460 Writable from: client
1461
1462 Send timeout for individual pieces of data on client connections,
1463 defaults to the idle_send_timeout parameter, see varnishd(1)
1464
1465 storage
1466 storage.<name>.free_space
1467 Type: BYTES
1468
1469 Readable from: client, backend
1470
1471 Free space available in the named stevedore. Only available for the
1472 malloc stevedore.
1473
1474 storage.<name>.used_space
1475 Type: BYTES
1476
1477 Readable from: client, backend
1478
1479 Used space in the named stevedore. Only available for the malloc
1480 stevedore.
1481
1482 storage.<name>.happy
1483 Type: BOOL
1484
1485 Readable from: client, backend
1486
1487 Health status for the named stevedore. Not available in any of the
1488 current stevedores.
1489
1490 Functions
1491 The following built-in functions are available:
1492
1493 ban(STRING)
1494 Invalidates all objects in cache that match the given expression
1495 with the ban mechanism.
1496
1497 The format of STRING is:
1498
1499 <field> <operator> <arg> [&& <field> <oper> <arg> ...]
1500
1501 · <field>:
1502
1503 · string fields:
1504
1505 · req.url: The request url
1506
1507 · req.http.*: Any request header
1508
1509 · obj.status: The cache object status
1510
1511 · obj.http.*: Any cache object header
1512
1513 obj.status is treated as a string despite the fact that it is
1514 actually an integer.
1515
1516 · duration fields:
1517
1518 · obj.ttl: Remaining ttl at the time the ban is issued
1519
1520 · obj.age: Object age at the time the ban is issued
1521
1522 · obj.grace: The grace time of the object
1523
1524 · obj.keep: The keep time of the object
1525
1526 · <operator>:
1527
1528 · for all fields:
1529
1530 · ==: <field> and <arg> are equal
1531
1532 · !=: <field> and <arg> are unequal
1533
1534 strings are compared case sensitively
1535
1536 · for string fields:
1537
1538 · ~: <field> matches the regular expression <arg>
1539
1540 · !~:<field> does not match the regular expression <arg>
1541
1542 · for duration fields:
1543
1544 · >: <field> is greater than <arg>
1545
1546 · >=: <field> is greater than or equal to <arg>
1547
1548 · <: <field> is less than <arg>
1549
1550 · <=: <field> is less than or equal to <arg>
1551
1552 · <arg>:
1553
1554 · for string fields:
1555
1556 Either a literal string or a regular expression. Note that <arg>
1557 does not use any of the string delimiters like " or {"..."} used
1558 elsewhere in varnish. To match against strings containing white‐
1559 space, regular expressions containing \s can be used.
1560
1561 · for duration fields:
1562
1563 A VCL duration like 10s, 5m or 1h, see Durations
1564
1565 Expressions can be chained using the and operator &&. For or seman‐
1566 tics, use several bans.
1567
1568 The unset <field> is not equal to any string, such that, for a
1569 non-existing header, the operators == and ~ always evaluate as
1570 false, while the operators != and !~ always evaluate as true,
1571 respectively, for any value of <arg>.
1572
1573 hash_data(input)
1574 Adds an input to the hash input. In the built-in VCL hash_data() is
1575 called on the host and URL of the request. Available in vcl_hash.
1576
1577 synthetic(STRING)
1578 Prepare a synthetic response body containing the STRING. Available
1579 in vcl_synth and vcl_backend_error.
1580
1581 Identical to set resp.body / set beresp.body.
1582
1583 regsub(str, regex, sub)
1584 Returns a copy of str with the first occurrence of the regular
1585 expression regex replaced with sub. Within sub, \0 (which can also
1586 be spelled \&) is replaced with the entire matched string, and \n is
1587 replaced with the contents of subgroup n in the matched string.
1588
1589 regsuball(str, regex, sub)
1590 As regsub(), but this replaces all occurrences.
1591
1592 For converting or casting VCL values between data types use the func‐
1593 tions available in the std VMOD.
1594
1596 Multiple versions of the VCL syntax can coexist within certain con‐
1597 straints.
1598
1599 The VCL syntax version at the start of VCL file specified with -f sets
1600 the hard limit that cannot be exceeded anywhere, and it selects the
1601 appropriate version of the builtin VCL.
1602
1603 That means that you can never include vcl 9.1; from vcl 8.7;, but the
1604 opposite may be possible, to the extent the compiler supports it.
1605
1606 Files pulled in via include do not need to have a vcl X.Y; but it may
1607 be a good idea to do it anyway, to not have surprises in the future.
1608 The syntax version set in an included file only applies to that file
1609 and any files it includes - unless these set their own VCL syntax ver‐
1610 sion.
1611
1612 The version of Varnish this file belongs to supports syntax 4.0 and
1613 4.1.
1614
1616 For examples, please see the online documentation.
1617
1619 · varnishd(1)
1620
1621 · vmod_directors(3)
1622
1623 · vmod_std(3)
1624
1626 VCL was developed by Poul-Henning Kamp in cooperation with Verdens Gang
1627 AS, Redpill Linpro and Varnish Software. This manual page is written
1628 by Per Buer, Poul-Henning Kamp, Martin Blix Grydeland, Kristian Lyn‐
1629 gstøl, Lasse Karstensen and possibly others.
1630
1632 This document is licensed under the same license as Varnish itself. See
1633 LICENSE for details.
1634
1635 · Copyright (c) 2006 Verdens Gang AS
1636
1637 · Copyright (c) 2006-2015 Varnish Software AS
1638
1639
1640
1641
1642 VCL(7)