1VCL(7)                                                                  VCL(7)
2
3
4

NAME

6       VCL - Varnish Configuration Language
7

DESCRIPTION

9       The  VCL  language  is  a small domain-specific language designed to be
10       used to describe request handling and  document  caching  policies  for
11       Varnish Cache.
12
13       When  a  new  configuration  is loaded, the varnishd management process
14       translates the VCL code to C and compiles it to a shared  object  which
15       is then loaded into the server process.
16
17       This document focuses on the syntax of the VCL language. For a full de‐
18       scription of syntax and semantics, with ample examples, please see  the
19       online documentation at https://www.varnish-cache.org/docs/ .
20
21       Starting  with  Varnish  4.0, each VCL file must start by declaring its
22       version with vcl <major>.<minor>; marker at the top of the  file.   See
23       more about this under Versioning below.
24
25   Operators
26       The following operators are available in VCL:
27
28          =      Assignment operator.
29
30          +=, -=, *=, /=
31                 Assign and increment/decrement/multiply/divide operator.
32
33                 For strings, += appends.
34
35          ==, !=, <, >, <=, >=
36                 Comparisons
37
38          ~, !~  Match  /  non-match.  Can either be used with regular expres‐
39                 sions or ACLs.
40
41          !      Negation.
42
43          && / ||
44                 Logical and/or.
45
46   Conditionals
47       VCL has if and else statements. Nested logic can  be  implemented  with
48       the elseif statement (elsif/elif/else if are equivalent).
49
50       Note that there are no loops or iterators of any kind in VCL.
51
52   Strings, booleans, time, duration, integers and real numbers
53       These are the data types in Varnish. You can set or unset these.
54
55       Example:
56
57          set req.http.User-Agent = "unknown";
58          unset req.http.Range;
59
60   Strings
61       Basic  strings are enclosed in double quotes "...", and may not contain
62       newlines. Long strings are enclosed in {"..."}. They  may  contain  any
63       character  including  single double quotes ", newline and other control
64       characters except for the NUL (0x00) character.
65
66   Booleans
67       Booleans can be either true or false.  In addition, in a  boolean  con‐
68       text  some data types will evaluate to true or false depending on their
69       value.
70
71       String types will evaluate to false if they  are  unset.   This  allows
72       checks  of the type if (req.http.opthdr) {} to test if a header exists,
73       even if it is empty, whereas if (req.http.opthdr ==  "")  {}  does  not
74       distinguish if the header does not exist or if it is empty.
75
76       Backend  types  will evaluate to false if they don't have a backend as‐
77       signed; integer types will evaluate to false if their  value  is  zero;
78       duration  types  will evaluate to false if their value is equal or less
79       than zero.
80
81   Time
82       VCL has time. A duration can be added to a time to make  another  time.
83       In  string  context  they  return a formatted string in RFC1123 format,
84       e.g. Sun, 06 Nov 1994 08:49:37 GMT.
85
86       The keyword now returns a notion of the current  time,  which  is  kept
87       consistent  during  VCL subroutine invocations, so during the execution
88       of a VCL state subroutine (vcl_* {}), including all  user-defined  sub‐
89       routines being called, now always returns the same value.
90
91   Durations
92       Durations  are  defined  by a number followed by a unit. The number can
93       include a fractional part, e.g. 1.5s. The supported units are:
94
95          ms     milliseconds
96
97          s      seconds
98
99          m      minutes
100
101          h      hours
102
103          d      days
104
105          w      weeks
106
107          y      years
108
109       In string context they return a string with their value  rounded  to  3
110       decimal places and excluding the unit, e.g.  1.500.
111
112   Integers
113       Certain  fields  are integers, used as expected. In string context they
114       return a string, e.g. 1234.
115
116   Real numbers
117       VCL understands real numbers. In string context they  return  a  string
118       with their value rounded to 3 decimal places, e.g. 3.142.
119
120   Regular Expressions
121       Varnish uses Perl-compatible regular expressions (PCRE). For a complete
122       description please see the pcre(3) man page.
123
124       To send flags to the PCRE engine, such as to do case insensitive match‐
125       ing, add the flag within parens following a question mark, like this:
126
127          # If host is NOT example dot com..
128          if (req.http.host !~ "(?i)example\.com$") {
129              ...
130          }
131
132   Include statement
133       To include a VCL file in another file use the include keyword:
134
135          include "foo.vcl";
136
137   Import statement
138       The import statement is used to load Varnish Modules (VMODs.)
139
140       Example:
141
142          import std;
143          sub vcl_recv {
144              std.log("foo");
145          }
146
147   Comments
148       Single  lines  of  VCL  can  be commented out using // or #. Multi-line
149       blocks can be commented out with /*block*/.
150
151       Example:
152
153          sub vcl_recv {
154              // Single line of out-commented VCL.
155              # Another way of commenting out a single line.
156              /*
157                  Multi-line block of commented-out VCL.
158              */
159          }
160
161   Backend definition
162       A backend declaration creates and initialises a named backend object. A
163       declaration  start with the keyword backend followed by the name of the
164       backend. The actual declaration is in curly brackets,  in  a  key/value
165       fashion.:
166
167          backend name {
168              .attribute = "value";
169          }
170
171       One  of  the attributes .host or .path is mandatory (but not both). The
172       attributes will inherit their defaults from the global parameters.  The
173       following attributes are available:
174
175          .host  The  host  to be used. IP address or a hostname that resolves
176                 to a single IP address. This attribute is  mandatory,  unless
177                 .path is declared.
178
179          .path     (VCL >= 4.1)
180              The  absolute path of a Unix domain socket at which a backend is
181              listening. If the file at that path does not exist or is not ac‐
182              cessible  to Varnish at VCL load time, then the VCL compiler is‐
183              sues a warning, but does not fail. This  makes  it  possible  to
184              start  the  UDS-listening peer, or set the socket file's permis‐
185              sions, after starting Varnish or loading VCL with a UDS backend.
186              But  the  socket  file must exist and have necessary permissions
187              before the first connection is attempted, otherwise fetches will
188              fail.  If the file does exist and is accessible, then it must be
189              a socket; otherwise the VCL load fails. One of  .path  or  .host
190              must  be  declared (but not both). .path may only be used in VCL
191              since version 4.1.
192
193          .port  The port on the backend that Varnish should connect  to.  Ig‐
194                 nored if a Unix domain socket is declared in .path.
195
196          .host_header
197                 A  host  header to add to probes and regular backend requests
198                 if they have no such header.
199
200          .connect_timeout
201                 Timeout for connections.
202
203                 Default: connect_timeout parameter, see varnishd(1)
204
205          .first_byte_timeout
206                 Timeout for first byte.
207
208                 Default: first_byte_timeout parameter, see varnishd(1)
209
210          .between_bytes_timeout
211                 Timeout between bytes.
212
213                 Default: between_bytes_timeout parameter, see varnishd(1)
214
215          .probe Attach a probe to the backend. See Probes
216
217          .proxy_header
218                 The PROXY protocol version Varnish should use when connecting
219                 to this backend. Allowed values are 1 and 2.
220
221                 Notice  this  setting  will lead to backend connections being
222                 used for a single request only (subject  to  future  improve‐
223                 ments).  Thus,  extra  care  should be taken to avoid running
224                 into failing backend connections with EADDRNOTAVAIL due to no
225                 local ports being available. Possible options are:
226
227                 • Use additional backend connections to extra IP addresses or
228                   TCP ports
229
230                 • Increase  the  number  of  available  ports  (Linux  sysctl
231                   net.ipv4.ip_local_port_range)
232
233                 • Reuse   backend   connection   ports  early  (Linux  sysctl
234                   net.ipv4.tcp_tw_reuse)
235
236          .max_connections
237                 Maximum number of open connections towards this  backend.  If
238                 Varnish  reaches  the  maximum  Varnish it will start failing
239                 connections.
240
241       Empty backends can also be defined using the following syntax.:
242
243          backend name none;
244
245       An empty backend will always return status code 503 as if it is sick.
246
247       Backends can be used with directors. Please see  the  vmod_directors(3)
248       man page for more information.
249
250   Probes
251       Probes  will  query  the backend for status on a regular basis and mark
252       the backend as down it they fail. A probe is defined as this:
253
254          probe name {
255              .attribute = "value";
256          }
257
258       The probe named default is special and will be used  for  all  backends
259       which do not explicitly reference a probe.
260
261       There are no mandatory options. These are the options you can set:
262
263          .url   The  URL  to  query.  Defaults to /.  Mutually exclusive with
264                 .request
265
266          .request
267                 Specify a full HTTP request using multiple strings.  .request
268                 will  have  \r\n  automatically  inserted after every string.
269                 Mutually exclusive with .url.
270
271                 Note that probes require the backend to complete sending  the
272                 response  and close the connection within the specified time‐
273                 out, so .request will, for HTTP/1.1, most likely need to con‐
274                 tain a "Connection: close" string.
275
276          .expected_response
277                 The expected HTTP response code. Defaults to 200.
278
279          .timeout
280                 The timeout for the probe. Default is 2s.
281
282          .interval
283                 How often the probe is run. Default is 5s.
284
285          .initial
286                 How  many  of  the  polls in .window are considered good when
287                 Varnish starts. Defaults to the value of .threshold -  1.  In
288                 this case, the backend starts as sick and requires one single
289                 poll to be considered healthy.
290
291          .window
292                 How many of the latest polls we examine to determine  backend
293                 health.  Defaults to 8.
294
295          .threshold
296                 How  many of the polls in .window must have succeeded to con‐
297                 sider the backend to be healthy.  Defaults to 3.
298
299   Access Control List (ACL)
300       An Access Control List (ACL)  declaration  creates  and  initialises  a
301       named  access  control list which can later be used to match client ad‐
302       dresses:
303
304          acl localnetwork {
305              "localhost";    # myself
306              "192.0.2.0"/24; # and everyone on the local network
307              ! "192.0.2.23"; # except for the dial-in router
308          }
309
310       If an ACL entry specifies a host name which Varnish is  unable  to  re‐
311       solve, it will match any address it is compared to. Consequently, if it
312       is preceded by a negation mark, it will reject any address it  is  com‐
313       pared  to, which may not be what you intended. If the entry is enclosed
314       in parentheses, however, it will simply be ignored.
315
316       To match an IP address against an ACL, simply use the match operator:
317
318          if (client.ip ~ localnetwork) {
319              return (pipe);
320          }
321
322   VCL objects
323       A VCL object can be instantiated with the new keyword:
324
325          sub vcl_init {
326              new b = directors.round_robin()
327              b.add_backend(node1);
328          }
329
330       This is only available in vcl_init.
331
332   Subroutines
333       A subroutine is used to group code for legibility or reusability:
334
335          sub pipe_if_local {
336              if (client.ip ~ localnetwork) {
337                  return (pipe);
338              }
339          }
340
341       Subroutines in VCL do not take arguments, nor do  they  return  values.
342       The  built  in subroutines all have names beginning with vcl_, which is
343       reserved.
344
345       To call a subroutine, use the call keyword followed by the subroutine's
346       name:
347
348          sub vcl_recv {
349              call pipe_if_local;
350          }
351
352   Return statements
353       The  ongoing  vcl_*  subroutine  execution ends when a return(<action>)
354       statement is made.
355
356       The <action> specifies how execution should proceed.  The  context  de‐
357       fines which actions are available.
358
359   Multiple subroutines
360       If  multiple  subroutines with the name of one of the built-in ones are
361       defined, they are concatenated in the order in which they appear in the
362       source.
363
364       The  built-in  VCL distributed with Varnish will be implicitly concate‐
365       nated when the VCL is compiled.
366
367   VCL Variables
368       Variables provide read, write and delete access to almost  all  aspects
369       of the work at hand.
370
371       Reading a variable is done simply by using its name in VCL:
372
373          if (client.ip ~ bad_guys) {
374              return (synth(400));
375          }
376
377       Writing  a  variable, where this is possible, is done with a set state‐
378       ment:
379
380          set resp.http.never = "Let You Down";
381
382       Similarly, deleting a variable, for the few  variables  where  this  is
383       possible, is done with a unset statement:
384
385          unset req.http.cookie;
386
387       Which  operations are possible on each variable is described below, of‐
388       ten with the shorthand "backend" which covers the vcl_backend_* {} sub‐
389       routines  and  "client"  which  covers the rest, except vcl_init {} and
390       vcl_fini {}.
391
392       When setting a variable, the right hand side of  the  equal  sign  must
393       have  the  variables  type, you cannot assign a STRING to a variable of
394       type NUMBER, even if the string is "42".   (Explicit  conversion  func‐
395       tions can be found in vmod_std(3)).
396
397   local, server, remote and client
398       These  variables describe the network connection between the client and
399       varnishd.
400
401       Without PROXY protocol:
402
403               client    server
404               remote    local
405                 v          v
406          CLIENT ------------ VARNISHD
407
408       With PROXY protocol:
409
410               client    server   remote     local
411                 v          v       v          v
412          CLIENT ------------ PROXY ------------ VARNISHD
413
414       local.ip
415          Type: IP
416
417          Readable from: client, backend
418
419          The IP address (and port number) of the local end of the TCP connec‐
420          tion, for instance 192.168.1.1:81
421
422          If  the  connection  is  a  UNIX  domain  socket,  the value will be
423          0.0.0.0:0
424
425       local.endpoint  VCL >= 4.1
426          Type: STRING
427
428          Readable from: client, backend
429
430          The address of the '-a' socket the session was accepted on.
431
432          If the argument was -a foo=:81 this would be ":81"
433
434       local.socket    VCL >= 4.1
435          Type: STRING
436
437          Readable from: client, backend
438
439          The name of the '-a' socket the session was accepted on.
440
441          If the argument was -a foo=:81 this would be "foo".
442
443          Note that all '-a' gets a default name on the form a%d if no name is
444          provided.
445
446       remote.ip
447          Type: IP
448
449          Readable from: client, backend
450
451          The IP address of the other end of the TCP connection.  This can ei‐
452          ther be the clients IP, or the outgoing IP of a proxy server.
453
454          If the connection is  a  UNIX  domain  socket,  the  value  will  be
455          0.0.0.0:0
456
457       client.ip
458          Type: IP
459
460          Readable from: client, backend
461
462          The  client's  IP  address, either the same as remote.ip or what the
463          PROXY protocol told us.
464
465       client.identity
466          Type: STRING
467
468          Readable from: client
469
470          Writable from: client
471
472          Identification of the client, used to load balance in the client di‐
473          rector.  Defaults to client.ip
474
475          This  variable can be overwritten with more precise information, for
476          instance extracted from a Cookie: header.
477
478       server.ip
479          Type: IP
480
481          Readable from: client, backend
482
483          The IP address of the socket on which the client connection was  re‐
484          ceived, either the same as server.ip or what the PROXY protocol told
485          us.
486
487       server.hostname
488          Type: STRING
489
490          Readable from: all
491
492          The host name of the server, as returned by the gethostname(3)  sys‐
493          tem function.
494
495       server.identity
496          Type: STRING
497
498          Readable from: all
499
500          The identity of the server, as set by the -i parameter.
501
502          If  an -i parameter is not passed to varnishd, the return value from
503          gethostname(3) system function will be used.
504
505   req and req_top
506       These variables describe the present request, and when ESI:include  re‐
507       quests are being processed, req_top points to the request received from
508       the client.
509
510       req
511          Type: HTTP
512
513          Readable from: client
514
515          The entire request HTTP data structure.  Mostly useful  for  passing
516          to VMODs.
517
518       req.method
519          Type: STRING
520
521          Readable from: client
522
523          Writable from: client
524
525          The request method (e.g. "GET", "HEAD", ...)
526
527       req.hash
528          Type: BLOB
529
530          Readable from: vcl_hit, vcl_miss, vcl_pass, vcl_purge, vcl_deliver
531
532          The  hash  key of this request.  Mostly useful for passing to VMODs,
533          but can also be useful for debugging hit/miss status.
534
535       req.url
536          Type: STRING
537
538          Readable from: client
539
540          Writable from: client
541
542          The requested URL, for instance "/robots.txt".
543
544       req.proto       VCL <= 4.0
545          Type: STRING
546
547          Readable from: client
548
549          Writable from: client
550
551          The HTTP protocol version used by the client, usually "HTTP/1.1"  or
552          "HTTP/2.0".
553
554       req.proto       VCL >= 4.1
555          Type: STRING
556
557          Readable from: client
558
559          The  HTTP protocol version used by the client, usually "HTTP/1.1" or
560          "HTTP/2.0".
561
562       req.http.*
563          Type: HEADER
564
565          Readable from: client
566
567          Writable from: client
568
569          Unsetable from: client
570
571          The headers of request, things like req.http.date.
572
573          The RFCs allow multiple headers with the same name, and both set and
574          unset will remove all headers with the name given.
575
576       req.restarts
577          Type: INT
578
579          Readable from: client
580
581          A count of how many times this request has been restarted.
582
583       req.storage
584          Type: STEVEDORE
585
586          Readable from: client
587
588          Writable from: client
589
590          The storage backend to use to save this request body.
591
592       req.esi_level
593          Type: INT
594
595          Readable from: client
596
597          A count of how many levels of ESI requests we're currently at.
598
599       req.ttl
600          Type: DURATION
601
602          Readable from: client
603
604          Writable from: client
605
606          Upper limit on the object age for cache lookups to return hit.
607
608       req.grace
609          Type: DURATION
610
611          Readable from: client
612
613          Writable from: client
614
615          Upper limit on the object grace.
616
617          During lookup the minimum of req.grace and the object's stored grace
618          value will be used as the object's grace.
619
620       req.xid
621          Type: STRING
622
623          Readable from: client
624
625          Unique ID of this request.
626
627       req.esi VCL <= 4.0
628          Type: BOOL
629
630          Readable from: client
631
632          Writable from: client
633
634          Set to false to disable ESI processing regardless of  any  value  in
635          beresp.do_esi.  Defaults  to  true.  This  variable  is  replaced by
636          resp.do_esi in VCL 4.1.
637
638       req.can_gzip
639          Type: BOOL
640
641          Readable from: client
642
643          True if the client provided gzip or x-gzip  in  the  Accept-Encoding
644          header.
645
646       req.backend_hint
647          Type: BACKEND
648
649          Readable from: client
650
651          Writable from: client
652
653          Set bereq.backend to this if we attempt to fetch.  When set to a di‐
654          rector, reading this variable returns an actual backend if  the  di‐
655          rector  has  resolved  immediately, or the director otherwise.  When
656          used in string context, returns the name of the director or backend,
657          respectively.
658
659       req.hash_ignore_busy
660          Type: BOOL
661
662          Readable from: client
663
664          Writable from: client
665
666          Default: false.
667
668          Ignore any busy object during cache lookup.
669
670          You only want to do this when you have two server looking up content
671          sideways from each other to avoid deadlocks.
672
673       req.hash_always_miss
674          Type: BOOL
675
676          Readable from: client
677
678          Writable from: client
679
680          Default: false.
681
682          Force a cache miss for this request, even if perfectly good matching
683          objects are in the cache.
684
685          This is useful to force-update the cache without invalidating exist‐
686          ing entries in case the fetch fails.
687
688       req.is_hitmiss
689          Type: BOOL
690
691          Readable from: client
692
693          If this request resulted in a hitmiss
694
695       req.is_hitpass
696          Type: BOOL
697
698          Readable from: client
699
700          If this request resulted in a hitpass
701
702       req_top.method
703          Type: STRING
704
705          Readable from: client
706
707          The request method of the top-level request in a  tree  of  ESI  re‐
708          quests.  (e.g.  "GET",  "HEAD").  Identical to req.method in non-ESI
709          requests.
710
711       req_top.url
712          Type: STRING
713
714          Readable from: client
715
716          The requested URL of the top-level request in  a  tree  of  ESI  re‐
717          quests.  Identical to req.url in non-ESI requests.
718
719       req_top.http.*
720          Type: HEADER
721
722          Readable from: client
723
724          HTTP  headers  of  the  top-level request in a tree of ESI requests.
725          Identical to req.http. in non-ESI requests.
726
727       req_top.proto
728          Type: STRING
729
730          Readable from: client
731
732          HTTP protocol version of the top-level request in a tree of ESI  re‐
733          quests.  Identical to req.proto in non-ESI requests.
734
735   bereq
736       This  is  the  request  we  send  to  the backend, it is built from the
737       clients req.* fields by filtering out "per-hop" fields which should not
738       be passed along (Connection:, Range: and similar).
739
740       Slightly  more  fields  are  allowed through for pass` fetches than for
741       `miss` fetches, for instance ``Range.
742
743       bereq
744          Type: HTTP
745
746          Readable from: backend
747
748          The entire backend request HTTP data structure.   Mostly  useful  as
749          argument to VMODs.
750
751       bereq.xid
752          Type: STRING
753
754          Readable from: backend
755
756          Unique ID of this request.
757
758       bereq.retries
759          Type: INT
760
761          Readable from: backend
762
763          A count of how many times this request has been retried.
764
765       bereq.backend
766          Type: BACKEND
767
768          Readable from: vcl_pipe, backend
769
770          Writable from: vcl_pipe, backend
771
772          This  is the backend or director we attempt to fetch from.  When set
773          to a director, reading this variable returns an  actual  backend  if
774          the  director  has  resolved immediately, or the director otherwise.
775          When used in string context, returns the name  of  the  director  or
776          backend, respectively.
777
778       bereq.body
779          Type: BODY
780
781          Unsetable from: vcl_backend_fetch
782
783          The request body.
784
785          Unset will also remove bereq.http.Content-Length.
786
787       bereq.hash
788          Type: BLOB
789
790          Readable from: vcl_pipe, backend
791
792          The hash key of this request, a copy of req.hash.
793
794       bereq.method
795          Type: STRING
796
797          Readable from: vcl_pipe, backend
798
799          Writable from: vcl_pipe, backend
800
801          The request type (e.g. "GET", "HEAD").
802
803          Regular (non-pipe, non-pass) fetches are always "GET"
804
805       bereq.url
806          Type: STRING
807
808          Readable from: vcl_pipe, backend
809
810          Writable from: vcl_pipe, backend
811
812          The requested URL, copied from req.url
813
814       bereq.proto     VCL <= 4.0
815          Type: STRING
816
817          Readable from: vcl_pipe, backend
818
819          Writable from: vcl_pipe, backend
820
821          The  HTTP protocol version, "HTTP/1.1" unless a pass or pipe request
822          has "HTTP/1.0" in req.proto
823
824       bereq.proto     VCL >= 4.1
825          Type: STRING
826
827          Readable from: vcl_pipe, backend
828
829          The HTTP protocol version, "HTTP/1.1" unless a pass or pipe  request
830          has "HTTP/1.0" in req.proto
831
832       bereq.http.*
833          Type: HEADER
834
835          Readable from: vcl_pipe, backend
836
837          Writable from: vcl_pipe, backend
838
839          Unsetable from: vcl_pipe, backend
840
841          The headers to be sent to the backend.
842
843       bereq.uncacheable
844          Type: BOOL
845
846          Readable from: backend
847
848          Indicates  whether  this request is uncacheable due to a pass in the
849          client side or a hit on an hit-for-pass object.
850
851       bereq.connect_timeout
852          Type: DURATION
853
854          Readable from: vcl_pipe, backend
855
856          Writable from: vcl_pipe, backend
857
858          Default: .connect_timeout  attribute  from  the  backend_definition,
859          which defaults to the connect_timeout parameter, see varnishd(1).
860
861          The  time  in  seconds to wait for a backend connection to be estab‐
862          lished.
863
864       bereq.first_byte_timeout
865          Type: DURATION
866
867          Readable from: backend
868
869          Writable from: backend
870
871          Default: .first_byte_timeout attribute from the  backend_definition,
872          which defaults to the first_byte_timeout parameter, see varnishd(1).
873
874          The  time  in  seconds  to wait getting the first byte back from the
875          backend.  Not available in pipe mode.
876
877       bereq.between_bytes_timeout
878          Type: DURATION
879
880          Readable from: backend
881
882          Writable from: backend
883
884          Default: .between_bytes_timeout attribute from  the  backend_defini‐
885          tion,  which  defaults  to  the between_bytes_timeout parameter, see
886          varnishd(1).
887
888          The time in seconds to wait between  each  received  byte  from  the
889          backend.  Not available in pipe mode.
890
891       bereq.is_bgfetch
892          Type: BOOL
893
894          Readable from: backend
895
896          True  for  fetches where the client got a hit on an object in grace,
897          and this fetch was kicked of in the background to get a fresh copy.
898
899   beresp
900       The response received from the backend, one cache misses, the store ob‐
901       ject is built from beresp.
902
903       beresp
904          Type: HTTP
905
906          Readable from: vcl_backend_response, vcl_backend_error
907
908          The  entire backend response HTTP data structure, useful as argument
909          to VMOD functions.
910
911       beresp.body
912          Type: BODY
913
914          Writable from: vcl_backend_error
915
916          For producing a synthetic body.
917
918       beresp.proto    VCL <= 4.0
919          Type: STRING
920
921          Readable from: vcl_backend_response, vcl_backend_error
922
923          Writable from: vcl_backend_response, vcl_backend_error
924
925          The HTTP protocol version the backend replied with.
926
927       beresp.proto    VCL >= 4.1
928          Type: STRING
929
930          Readable from: vcl_backend_response, vcl_backend_error
931
932          The HTTP protocol version the backend replied with.
933
934       beresp.status
935          Type: INT
936
937          Readable from: vcl_backend_response, vcl_backend_error
938
939          Writable from: vcl_backend_response, vcl_backend_error
940
941          The HTTP status code returned by the server.
942
943          More information in the HTTP response status section.
944
945       beresp.reason
946          Type: STRING
947
948          Readable from: vcl_backend_response, vcl_backend_error
949
950          Writable from: vcl_backend_response, vcl_backend_error
951
952          The HTTP status message returned by the server.
953
954       beresp.http.*
955          Type: HEADER
956
957          Readable from: vcl_backend_response, vcl_backend_error
958
959          Writable from: vcl_backend_response, vcl_backend_error
960
961          Unsetable from: vcl_backend_response, vcl_backend_error
962
963          The HTTP headers returned from the server.
964
965       beresp.do_esi
966          Type: BOOL
967
968          Readable from: vcl_backend_response, vcl_backend_error
969
970          Writable from: vcl_backend_response, vcl_backend_error
971
972          Default: false.
973
974          Set it to true to parse the object for ESI directives.  Will only be
975          honored if req.esi is true.
976
977          It is a VCL error to use beresp.do_esi after setting beresp.filters.
978
979       beresp.do_stream
980          Type: BOOL
981
982          Readable from: vcl_backend_response, vcl_backend_error
983
984          Writable from: vcl_backend_response, vcl_backend_error
985
986          Default: true.
987
988          Deliver  the  object  to  the client while fetching the whole object
989          into varnish.
990
991          For uncacheable objects, storage for parts of the  body  which  have
992          been  sent to the client may get freed early, depending on the stor‐
993          age engine used.
994
995          This variable has no effect if do_esi is true or when  the  response
996          body is empty.
997
998       beresp.do_gzip
999          Type: BOOL
1000
1001          Readable from: vcl_backend_response, vcl_backend_error
1002
1003          Writable from: vcl_backend_response, vcl_backend_error
1004
1005          Default: false.
1006
1007          Set to true to gzip the object while storing it.
1008
1009          If  http_gzip_support  is disabled, setting this variable has no ef‐
1010          fect.
1011
1012          It is a VCL error to use beresp.do_gzip  after  setting  beresp.fil‐
1013          ters.
1014
1015       beresp.do_gunzip
1016          Type: BOOL
1017
1018          Readable from: vcl_backend_response, vcl_backend_error
1019
1020          Writable from: vcl_backend_response, vcl_backend_error
1021
1022          Default: false.
1023
1024          Set to true to gunzip the object while storing it in the cache.
1025
1026          If  http_gzip_support  is disabled, setting this variable has no ef‐
1027          fect.
1028
1029          It is a VCL error to use beresp.do_gunzip after setting  beresp.fil‐
1030          ters.
1031
1032       beresp.was_304
1033          Type: BOOL
1034
1035          Readable from: vcl_backend_response, vcl_backend_error
1036
1037          When  true  this  indicates that we got a 304 response to our condi‐
1038          tional fetch from the backend and turned that into  beresp.status  =
1039          200
1040
1041       beresp.uncacheable
1042          Type: BOOL
1043
1044          Readable from: vcl_backend_response, vcl_backend_error
1045
1046          Writable from: vcl_backend_response, vcl_backend_error
1047
1048          Inherited from bereq.uncacheable, see there.
1049
1050          Setting this variable makes the object uncacheable.
1051
1052          This may may produce a hit-for-miss object in the cache.
1053
1054          Clearing the variable has no effect and will log the warning "Ignor‐
1055          ing attempt to reset beresp.uncacheable".
1056
1057       beresp.ttl
1058          Type: DURATION
1059
1060          Readable from: vcl_backend_response, vcl_backend_error
1061
1062          Writable from: vcl_backend_response, vcl_backend_error
1063
1064          Default: Cache-Control s-maxage or max-age directives,  or  a  value
1065          computed  from the Expires header's deadline, or the default_ttl pa‐
1066          rameter.
1067
1068          The object's remaining time to live, in seconds.
1069
1070       beresp.age
1071          Type: DURATION
1072
1073          Readable from: vcl_backend_response, vcl_backend_error
1074
1075          Default: Age header, or zero.
1076
1077          The age of the object.
1078
1079       beresp.grace
1080          Type: DURATION
1081
1082          Readable from: vcl_backend_response, vcl_backend_error
1083
1084          Writable from: vcl_backend_response, vcl_backend_error
1085
1086          Default:  Cache-Control  stale-while-revalidate  directive,  or  de‐
1087          fault_grace parameter.
1088
1089          Set to a period to enable grace.
1090
1091       beresp.keep
1092          Type: DURATION
1093
1094          Readable from: vcl_backend_response, vcl_backend_error
1095
1096          Writable from: vcl_backend_response, vcl_backend_error
1097
1098          Default: default_keep parameter.
1099
1100          Set to a period to enable conditional backend requests.
1101
1102          The keep time is cache lifetime in addition to the ttl.
1103
1104          Objects  with ttl expired but with keep time left may be used to is‐
1105          sue conditional (If-Modified-Since / If-None-Match) requests to  the
1106          backend to refresh them.
1107
1108       beresp.backend
1109          Type: BACKEND
1110
1111          Readable from: vcl_backend_response, vcl_backend_error
1112
1113          This  is the backend we fetched from.  If bereq.backend was set to a
1114          director, this will be the backend selected by the  director.   When
1115          used in string context, returns its name.
1116
1117       beresp.backend.name
1118          Type: STRING
1119
1120          Readable from: vcl_backend_response, vcl_backend_error
1121
1122          Name  of  the  backend  this  response  was  fetched  from.  Same as
1123          beresp.backend.
1124
1125       beresp.backend.ip       VCL <= 4.0
1126          Type: IP
1127
1128          Readable from: vcl_backend_response
1129
1130          IP of the backend this response was fetched from.
1131
1132       beresp.storage
1133          Type: STEVEDORE
1134
1135          Readable from: vcl_backend_response, vcl_backend_error
1136
1137          Writable from: vcl_backend_response, vcl_backend_error
1138
1139          The storage backend to use to save this object.
1140
1141       beresp.storage_hint     VCL <= 4.0
1142          Type: STRING
1143
1144          Readable from: vcl_backend_response, vcl_backend_error
1145
1146          Writable from: vcl_backend_response, vcl_backend_error
1147
1148          Deprecated since varnish 5.1 and discontinued since VCL 4.1 (varnish
1149          6.0). Use beresp.storage instead.
1150
1151          Hint  to  Varnish  that you want to save this object to a particular
1152          storage backend.
1153
1154       beresp.filters
1155          Type: STRING
1156
1157          Readable from: vcl_backend_response
1158
1159          Writable from: vcl_backend_response
1160
1161          List of Varnish Fetch Processor (VFP) filters the  beresp.body  will
1162          be pulled through. The order left to right signifies processing from
1163          backend to cache, iow the leftmost filter is run first on  the  body
1164          as  received  from the backend after decoding of any transfer encod‐
1165          ings.
1166
1167          VFP Filters change the body before going into the cache and/or being
1168          handed  to  the  client  side,  where  it may get processed again by
1169          resp.filters.
1170
1171          The following VFP filters exist in varnish-cache:
1172
1173gzip: compress a body using gzip
1174
1175testgunzip: Test if a body is valid gzip and refuse it otherwise
1176
1177gunzip: Uncompress gzip content
1178
1179esi: ESI-process plain text content
1180
1181esi_gzip: Save gzipped snippets for efficient ESI-processing
1182
1183            This filter  enables  stitching  together  ESI  from  individually
1184            gzipped  fragments,  saving processing power for re-compression on
1185            the client side at the expense of some compression efficiency.
1186
1187          Additional VFP filters are available from VMODs.
1188
1189          By default, beresp.filters is constructed as follows:
1190
1191gunzip gets added  for  gzipped  content  if  beresp.do_gunzip  or
1192            beresp.do_esi are true.
1193
1194esi_gzip  gets  added  if  beresp.do_esi  is  true  together  with
1195            beresp.do_gzip or content is already compressed.
1196
1197esi gets added if beresp.do_esi is true
1198
1199gzip gets added for uncompressed content if beresp.do_gzip is true
1200
1201testgunzip gets added for compressed content  if  beresp.do_gunzip
1202            is false.
1203
1204          After  beresp.filters  is  set,  using  any  of  the beforementioned
1205          beresp.do_* switches is a VCL error.
1206
1207   obj
1208       This is the object we found in cache.  It cannot be modified.
1209
1210       obj.proto
1211          Type: STRING
1212
1213          Readable from: vcl_hit
1214
1215          The HTTP protocol version stored in the object.
1216
1217       obj.status
1218          Type: INT
1219
1220          Readable from: vcl_hit
1221
1222          The HTTP status code stored in the object.
1223
1224          More information in the HTTP response status section.
1225
1226       obj.reason
1227          Type: STRING
1228
1229          Readable from: vcl_hit
1230
1231          The HTTP reason phrase stored in the object.
1232
1233       obj.hits
1234          Type: INT
1235
1236          Readable from: vcl_hit, vcl_deliver
1237
1238          The count of cache-hits on this object.
1239
1240          In vcl_deliver a value of 0 indicates a cache miss.
1241
1242       obj.http.*
1243          Type: HEADER
1244
1245          Readable from: vcl_hit
1246
1247          The HTTP headers stored in the object.
1248
1249       obj.ttl
1250          Type: DURATION
1251
1252          Readable from: vcl_hit, vcl_deliver
1253
1254          The object's remaining time to live, in seconds.
1255
1256       obj.age
1257          Type: DURATION
1258
1259          Readable from: vcl_hit, vcl_deliver
1260
1261          The age of the object.
1262
1263       obj.grace
1264          Type: DURATION
1265
1266          Readable from: vcl_hit, vcl_deliver
1267
1268          The object's grace period in seconds.
1269
1270       obj.keep
1271          Type: DURATION
1272
1273          Readable from: vcl_hit, vcl_deliver
1274
1275          The object's keep period in seconds.
1276
1277       obj.uncacheable
1278          Type: BOOL
1279
1280          Readable from: vcl_deliver
1281
1282          Whether  the  object   is   uncacheable   (pass,   hit-for-pass   or
1283          hit-for-miss).
1284
1285       obj.storage
1286          Type: STEVEDORE
1287
1288          Readable from: vcl_hit, vcl_deliver
1289
1290          The storage backend where this object is stored.
1291
1292       obj.can_esi
1293          Type: BOOL
1294
1295          Readable from: vcl_hit, vcl_deliver
1296
1297          If  the  object can be ESI processed, that is if setting resp.do_esi
1298          or adding esi to resp.filters in vcl_deliver {} would cause the  re‐
1299          sponse body to be ESI processed.
1300
1301   resp
1302       This  is  the  response  we send to the client, it is built from either
1303       beresp (pass/miss), obj (hits) or created from whole cloth (synth).
1304
1305       With the exception of resp.body all resp.* variables available in  both
1306       vcl_deliver{} and vcl_synth{} as a matter of symmetry.
1307
1308       resp
1309          Type: HTTP
1310
1311          Readable from: vcl_deliver, vcl_synth
1312
1313          The  entire  response  HTTP  data  structure,  useful as argument to
1314          VMODs.
1315
1316       resp.body
1317          Type: BODY
1318
1319          Writable from: vcl_synth
1320
1321          To produce a synthetic response body, for instance for errors.
1322
1323       resp.proto      VCL <= 4.0
1324          Type: STRING
1325
1326          Readable from: vcl_deliver, vcl_synth
1327
1328          Writable from: vcl_deliver, vcl_synth
1329
1330          The HTTP protocol version to use for the response.
1331
1332       resp.proto      VCL >= 4.1
1333          Type: STRING
1334
1335          Readable from: vcl_deliver, vcl_synth
1336
1337          Writable from: vcl_deliver, vcl_synth
1338
1339          The HTTP protocol version to use for the response.
1340
1341       resp.status
1342          Type: INT
1343
1344          Readable from: vcl_deliver, vcl_synth
1345
1346          Writable from: vcl_deliver, vcl_synth
1347
1348          The HTTP status code that will be returned.
1349
1350          More information in the HTTP response status section.
1351
1352          resp.status 200 will get changed into 304 by core code after  a  re‐
1353          turn(deliver)  from  vcl_deliver  for conditional requests to cached
1354          content if validation succeeds.
1355
1356          For the validation, first req.http.If-None-Match is compared against
1357          resp.http.Etag.  If  they  compare  equal according to the rules for
1358          weak validation (see RFC7232), a 304 is sent.
1359
1360          Secondly,    req.http.If-Modified-Since    is    compared    against
1361          resp.http.Last-Modified  or,  if  it  is unset, against the point in
1362          time when the object was last modified based on  the  Date  and  Age
1363          headers received with the backend response which created the object.
1364          If the object has not been modified based on that comparison, a  304
1365          is sent.
1366
1367       resp.reason
1368          Type: STRING
1369
1370          Readable from: vcl_deliver, vcl_synth
1371
1372          Writable from: vcl_deliver, vcl_synth
1373
1374          The HTTP status message that will be returned.
1375
1376       resp.http.*
1377          Type: HEADER
1378
1379          Readable from: vcl_deliver, vcl_synth
1380
1381          Writable from: vcl_deliver, vcl_synth
1382
1383          Unsetable from: vcl_deliver, vcl_synth
1384
1385          The HTTP headers that will be returned.
1386
1387       resp.do_esi     VCL >= 4.1
1388          Type: BOOL
1389
1390          Readable from: vcl_deliver, vcl_synth
1391
1392          Writable from: vcl_deliver, vcl_synth
1393
1394          Default: obj.can_esi
1395
1396          This  can be used to selectively disable ESI processing, even though
1397          ESI parsing happened during fetch.   This  is  useful  when  Varnish
1398          caches peer with each other.
1399
1400          It is a VCL error to use resp.do_esi after setting resp.filters.
1401
1402       resp.is_streaming
1403          Type: BOOL
1404
1405          Readable from: vcl_deliver, vcl_synth
1406
1407          Returns  true when the response will be streamed while being fetched
1408          from the backend.
1409
1410       resp.filters
1411          Type: STRING
1412
1413          Readable from: vcl_deliver, vcl_synth
1414
1415          Writable from: vcl_deliver, vcl_synth
1416
1417          List of VDP filters the resp.body will be pushed through.
1418
1419          Before resp.filters is set, the value read will be the default  fil‐
1420          ter  list  as determined by varnish based on resp.do_esi and request
1421          headers.
1422
1423          After resp.filters is set, changing any of the conditions which oth‐
1424          erwise  determine  the  filter selection will have no effiect. Using
1425          resp.do_esi is an error once resp.filters is set.
1426
1427   Special variables
1428       now
1429          Type: TIME
1430
1431          Readable from: all
1432
1433          The current time, in seconds since the UNIX epoch.
1434
1435          When converted to STRING in expressions it returns a formatted time‐
1436          stamp like Tue, 20 Feb 2018 09:30:31 GMT
1437
1438   sess
1439       A  session  corresponds  to  the "conversation" that Varnish has with a
1440       single client connection,  over  which  one  or  more  request/response
1441       transactions may take place. It may comprise the traffic over an HTTP/1
1442       keep-alive connection, or the multiplexed traffic over an  HTTP/2  con‐
1443       nection.
1444
1445       sess.xid        VCL >= 4.1
1446          Type: STRING
1447
1448          Readable from: client, backend
1449
1450          Unique ID of this session.
1451
1452       sess.timeout_idle
1453          Type: DURATION
1454
1455          Readable from: client
1456
1457          Writable from: client
1458
1459          Idle  timeout for this session, defaults to the timeout_idle parame‐
1460          ter, see varnishd(1)
1461
1462       sess.timeout_linger
1463          Type: DURATION
1464
1465          Readable from: client
1466
1467          Writable from: client
1468
1469          Linger timeout for this session, defaults to the timeout_linger  pa‐
1470          rameter, see varnishd(1)
1471
1472       sess.send_timeout
1473          Type: DURATION
1474
1475          Readable from: client
1476
1477          Writable from: client
1478
1479          Total   timeout  for  ordinary  HTTP1  responses,  defaults  to  the
1480          send_timeout parameter, see varnishd(1)
1481
1482       sess.idle_send_timeout
1483          Type: DURATION
1484
1485          Readable from: client
1486
1487          Writable from: client
1488
1489          Send timeout for individual pieces of data  on  client  connections,
1490          defaults to the idle_send_timeout parameter, see varnishd(1)
1491
1492   storage
1493       storage.<name>.free_space
1494          Type: BYTES
1495
1496          Readable from: client, backend
1497
1498          Free  space available in the named stevedore. Only available for the
1499          malloc stevedore.
1500
1501       storage.<name>.used_space
1502          Type: BYTES
1503
1504          Readable from: client, backend
1505
1506          Used space in the named stevedore. Only  available  for  the  malloc
1507          stevedore.
1508
1509       storage.<name>.happy
1510          Type: BOOL
1511
1512          Readable from: client, backend
1513
1514          Health  status  for the named stevedore. Not available in any of the
1515          current stevedores.
1516
1517   HTTP response status
1518       A status code normally has 3 digits XYZ where X must be between 1 and 5
1519       included. Since it is not uncommon to see HTTP clients or servers rely‐
1520       ing on non-standard or even invalid status codes Varnish tolerates  any
1521       status between 100 and 999.
1522
1523       With  VCL  code  it  is  possible to use status codes in the form XXYZZ
1524       where the overall value is lower than 65536 and the Y digit is  between
1525       1 and 9 included.  Only the YZZ part is sent to the client.
1526
1527       The  XXYZZ  form  of  status  codes  can  be  set  on  resp.status  and
1528       beresp.status or passed via return(synth(...))  and  return(error(...))
1529       transitions.
1530
1531       XX  can be therefore be used to pass information around inside VCL, for
1532       instance return(synth(22404)) from vcl_recv{} to vcl_synth{}.
1533
1534       The obj.status variable will inherit the XXYZZ form, but in a  ban  ex‐
1535       presion only the YZZ part will be available. The XXYZZ form is strictly
1536       limited to VCL execution.
1537
1538       Assigning an HTTP standardized code  to  resp.status  or  beresp.status
1539       will also set resp.reason or beresp.reason  to the corresponding status
1540       message.
1541
1542   Functions
1543       The following built-in functions are available:
1544
1545   ban(STRING)
1546          Invalidates all objects in cache that  match  the  given  expression
1547          with the ban mechanism.
1548
1549          The format of STRING is:
1550
1551              <field> <operator> <arg> [&& <field> <oper> <arg> ...]
1552
1553<field>:
1554
1555            • string fields:
1556
1557req.url: The request url
1558
1559req.http.*: Any request header
1560
1561obj.status: The cache object status
1562
1563obj.http.*: Any cache object header
1564
1565              obj.status  is  treated  as a string despite the fact that it is
1566              actually an integer.
1567
1568            • duration fields:
1569
1570obj.ttl: Remaining ttl at the time the ban is issued
1571
1572obj.age: Object age at the time the ban is issued
1573
1574obj.grace: The grace time of the object
1575
1576obj.keep: The keep time of the object
1577
1578<operator>:
1579
1580            • for all fields:
1581
1582==: <field> and <arg> are equal
1583
1584!=: <field> and <arg> are unequal
1585
1586              strings are compared case sensitively
1587
1588            • for string fields:
1589
1590~: <field> matches the regular expression <arg>
1591
1592!~:<field> does not match the regular expression <arg>
1593
1594            • for duration fields:
1595
1596>: <field> is greater than <arg>
1597
1598>=: <field> is greater than or equal to <arg>
1599
1600<: <field> is less than <arg>
1601
1602<=: <field> is less than or equal to <arg>
1603
1604<arg>:
1605
1606            • for string fields:
1607
1608              Either a literal string or a regular expression. Note that <arg>
1609              does not use any of the string delimiters like " or {"..."} used
1610              elsewhere in varnish. To match against strings containing white‐
1611              space, regular expressions containing \s can be used.
1612
1613            • for duration fields:
1614
1615              A VCL duration like 10s, 5m or 1h, see Durations
1616
1617          Expressions  can be chained using the and operator &&. For or seman‐
1618          tics, use several bans.
1619
1620          The unset <field> is not equal to  any  string,  such  that,  for  a
1621          non-existing  header,  the  operators  ==  and  ~ always evaluate as
1622          false, while the operators != and !~ always evaluate  as  true,  re‐
1623          spectively, for any value of <arg>.
1624
1625   hash_data(input)
1626          Adds  an input to the hash input. In the built-in VCL hash_data() is
1627          called on the host and URL of the request. Available in vcl_hash.
1628
1629   synthetic(STRING)
1630          Prepare a synthetic response body containing the  STRING.  Available
1631          in vcl_synth and vcl_backend_error.
1632
1633          Identical to set resp.body /  set beresp.body.
1634
1635   regsub(str, regex, sub)
1636          Returns  a  copy of str with the first occurrence of the regular ex‐
1637          pression regex replaced with sub. Within sub, \0 (which can also  be
1638          spelled  \&)  is  replaced with the entire matched string, and \n is
1639          replaced with the contents of subgroup n in the matched string.
1640
1641   regsuball(str, regex, sub)
1642          As regsub(), but this replaces all occurrences.
1643
1644       For converting or casting VCL values between data types use  the  func‐
1645       tions available in the std VMOD.
1646

VERSIONING

1648       Multiple  versions  of  the  VCL syntax can coexist within certain con‐
1649       straints.
1650
1651       The VCL syntax version at the start of VCL file specified with -f  sets
1652       the hard limit that cannot be exceeded anywhere, and it selects the ap‐
1653       propriate version of the builtin VCL.
1654
1655       That means that you can never include vcl 9.1; from vcl 8.7;,  but  the
1656       opposite may be possible, to the extent the compiler supports it.
1657
1658       Files  pulled  in via include do not need to have a vcl X.Y; but it may
1659       be a good idea to do it anyway, to not have surprises  in  the  future.
1660       The  syntax  version  set in an included file only applies to that file
1661       and any files it includes - unless these set their own VCL syntax  ver‐
1662       sion.
1663
1664       The  version  of  Varnish  this file belongs to supports syntax 4.0 and
1665       4.1.
1666

EXAMPLES

1668       For examples, please see the online documentation.
1669

SEE ALSO

1671varnishd(1)
1672
1673vmod_directors(3)
1674
1675vmod_std(3)
1676

HISTORY

1678       VCL was developed by Poul-Henning Kamp in cooperation with Verdens Gang
1679       AS,  Redpill  Linpro and Varnish Software.  This manual page is written
1680       by Per Buer, Poul-Henning Kamp, Martin Blix  Grydeland,  Kristian  Lyn‐
1681       gstøl, Lasse Karstensen and possibly others.
1682
1684       This document is licensed under the same license as Varnish itself. See
1685       LICENSE for details.
1686
1687       • Copyright (c) 2006 Verdens Gang AS
1688
1689       • Copyright (c) 2006-2015 Varnish Software AS
1690
1691
1692
1693
1694                                                                        VCL(7)
Impressum