1VCL(7) VCL(7)
2
3
4
6 VCL - Varnish Configuration Language
7
9 The VCL language is a small domain-specific language designed to be
10 used to describe request handling and document caching policies for
11 Varnish Cache.
12
13 When a new configuration is loaded, the varnishd management process
14 translates the VCL code to C and compiles it to a shared object which
15 is then loaded into the server process.
16
17 This document focuses on the syntax of the VCL language. For a full de‐
18 scription of syntax and semantics, with ample examples, please see the
19 online documentation at https://www.varnish-cache.org/docs/ .
20
21 Starting with Varnish 4.0, each VCL file must start by declaring its
22 version with vcl <major>.<minor>; marker at the top of the file. See
23 more about this under Versioning below.
24
25 Operators
26 The following operators are available in VCL:
27
28 = Assignment operator.
29
30 +=, -=, *=, /=
31 Assign and increment/decrement/multiply/divide operator.
32
33 For strings, += appends.
34
35 ==, !=, <, >, <=, >=
36 Comparisons
37
38 ~, !~ Match / non-match. Can either be used with regular expres‐
39 sions or ACLs.
40
41 ! Negation.
42
43 && / ||
44 Logical and/or.
45
46 Conditionals
47 VCL has if and else statements. Nested logic can be implemented with
48 the elseif statement (elsif/elif/else if are equivalent).
49
50 Note that there are no loops or iterators of any kind in VCL.
51
52 Strings, booleans, time, duration, integers and real numbers
53 These are the data types in Varnish. You can set or unset these.
54
55 Example:
56
57 set req.http.User-Agent = "unknown";
58 unset req.http.Range;
59
60 Strings
61 Basic strings are enclosed in double quotes "...", and may not contain
62 newlines. Long strings are enclosed in {"..."}. They may contain any
63 character including single double quotes ", newline and other control
64 characters except for the NUL (0x00) character.
65
66 Booleans
67 Booleans can be either true or false. In addition, in a boolean con‐
68 text some data types will evaluate to true or false depending on their
69 value.
70
71 String types will evaluate to false if they are unset. This allows
72 checks of the type if (req.http.opthdr) {} to test if a header exists,
73 even if it is empty, whereas if (req.http.opthdr == "") {} does not
74 distinguish if the header does not exist or if it is empty.
75
76 Backend types will evaluate to false if they don't have a backend as‐
77 signed; integer types will evaluate to false if their value is zero;
78 duration types will evaluate to false if their value is equal or less
79 than zero.
80
81 Time
82 VCL has time. A duration can be added to a time to make another time.
83 In string context they return a formatted string in RFC1123 format,
84 e.g. Sun, 06 Nov 1994 08:49:37 GMT.
85
86 The keyword now returns a notion of the current time, which is kept
87 consistent during VCL subroutine invocations, so during the execution
88 of a VCL state subroutine (vcl_* {}), including all user-defined sub‐
89 routines being called, now always returns the same value.
90
91 Durations
92 Durations are defined by a number followed by a unit. The number can
93 include a fractional part, e.g. 1.5s. The supported units are:
94
95 ms milliseconds
96
97 s seconds
98
99 m minutes
100
101 h hours
102
103 d days
104
105 w weeks
106
107 y years
108
109 In string context they return a string with their value rounded to 3
110 decimal places and excluding the unit, e.g. 1.500.
111
112 Integers
113 Certain fields are integers, used as expected. In string context they
114 return a string, e.g. 1234.
115
116 Real numbers
117 VCL understands real numbers. In string context they return a string
118 with their value rounded to 3 decimal places, e.g. 3.142.
119
120 Regular Expressions
121 Varnish uses Perl-compatible regular expressions (PCRE). For a complete
122 description please see the pcre(3) man page.
123
124 To send flags to the PCRE engine, such as to do case insensitive match‐
125 ing, add the flag within parens following a question mark, like this:
126
127 # If host is NOT example dot com..
128 if (req.http.host !~ "(?i)example\.com$") {
129 ...
130 }
131
132 Include statement
133 To include a VCL file in another file use the include keyword:
134
135 include "foo.vcl";
136
137 Import statement
138 The import statement is used to load Varnish Modules (VMODs.)
139
140 Example:
141
142 import std;
143 sub vcl_recv {
144 std.log("foo");
145 }
146
147 Comments
148 Single lines of VCL can be commented out using // or #. Multi-line
149 blocks can be commented out with /*block*/.
150
151 Example:
152
153 sub vcl_recv {
154 // Single line of out-commented VCL.
155 # Another way of commenting out a single line.
156 /*
157 Multi-line block of commented-out VCL.
158 */
159 }
160
161 Backend definition
162 A backend declaration creates and initialises a named backend object. A
163 declaration start with the keyword backend followed by the name of the
164 backend. The actual declaration is in curly brackets, in a key/value
165 fashion.:
166
167 backend name {
168 .attribute = "value";
169 }
170
171 One of the attributes .host or .path is mandatory (but not both). The
172 attributes will inherit their defaults from the global parameters. The
173 following attributes are available:
174
175 .host The host to be used. IP address or a hostname that resolves
176 to a single IP address. This attribute is mandatory, unless
177 .path is declared.
178
179 .path (VCL >= 4.1)
180 The absolute path of a Unix domain socket at which a backend is
181 listening. If the file at that path does not exist or is not ac‐
182 cessible to Varnish at VCL load time, then the VCL compiler is‐
183 sues a warning, but does not fail. This makes it possible to
184 start the UDS-listening peer, or set the socket file's permis‐
185 sions, after starting Varnish or loading VCL with a UDS backend.
186 But the socket file must exist and have necessary permissions
187 before the first connection is attempted, otherwise fetches will
188 fail. If the file does exist and is accessible, then it must be
189 a socket; otherwise the VCL load fails. One of .path or .host
190 must be declared (but not both). .path may only be used in VCL
191 since version 4.1.
192
193 .port The port on the backend that Varnish should connect to. Ig‐
194 nored if a Unix domain socket is declared in .path.
195
196 .host_header
197 A host header to add to probes and regular backend requests
198 if they have no such header.
199
200 .connect_timeout
201 Timeout for connections.
202
203 Default: connect_timeout parameter, see varnishd(1)
204
205 .first_byte_timeout
206 Timeout for first byte.
207
208 Default: first_byte_timeout parameter, see varnishd(1)
209
210 .between_bytes_timeout
211 Timeout between bytes.
212
213 Default: between_bytes_timeout parameter, see varnishd(1)
214
215 .probe Attach a probe to the backend. See Probes
216
217 .proxy_header
218 The PROXY protocol version Varnish should use when connecting
219 to this backend. Allowed values are 1 and 2.
220
221 Notice this setting will lead to backend connections being
222 used for a single request only (subject to future improve‐
223 ments). Thus, extra care should be taken to avoid running
224 into failing backend connections with EADDRNOTAVAIL due to no
225 local ports being available. Possible options are:
226
227 • Use additional backend connections to extra IP addresses or
228 TCP ports
229
230 • Increase the number of available ports (Linux sysctl
231 net.ipv4.ip_local_port_range)
232
233 • Reuse backend connection ports early (Linux sysctl
234 net.ipv4.tcp_tw_reuse)
235
236 .max_connections
237 Maximum number of open connections towards this backend. If
238 Varnish reaches the maximum Varnish it will start failing
239 connections.
240
241 Empty backends can also be defined using the following syntax.:
242
243 backend name none;
244
245 An empty backend will always return status code 503 as if it is sick.
246
247 Backends can be used with directors. Please see the vmod_directors(3)
248 man page for more information.
249
250 Probes
251 Probes will query the backend for status on a regular basis and mark
252 the backend as down it they fail. A probe is defined as this:
253
254 probe name {
255 .attribute = "value";
256 }
257
258 The probe named default is special and will be used for all backends
259 which do not explicitly reference a probe.
260
261 There are no mandatory options. These are the options you can set:
262
263 .url The URL to query. Defaults to /. Mutually exclusive with
264 .request
265
266 .request
267 Specify a full HTTP request using multiple strings. .request
268 will have \r\n automatically inserted after every string.
269 Mutually exclusive with .url.
270
271 Note that probes require the backend to complete sending the
272 response and close the connection within the specified time‐
273 out, so .request will, for HTTP/1.1, most likely need to con‐
274 tain a "Connection: close" string.
275
276 .expected_response
277 The expected HTTP response code. Defaults to 200.
278
279 .timeout
280 The timeout for the probe. Default is 2s.
281
282 .interval
283 How often the probe is run. Default is 5s.
284
285 .initial
286 How many of the polls in .window are considered good when
287 Varnish starts. Defaults to the value of .threshold - 1. In
288 this case, the backend starts as sick and requires one single
289 poll to be considered healthy.
290
291 .window
292 How many of the latest polls we examine to determine backend
293 health. Defaults to 8.
294
295 .threshold
296 How many of the polls in .window must have succeeded to con‐
297 sider the backend to be healthy. Defaults to 3.
298
299 Access Control List (ACL)
300 An Access Control List (ACL) declaration creates and initialises a
301 named access control list which can later be used to match client ad‐
302 dresses:
303
304 acl localnetwork {
305 "localhost"; # myself
306 "192.0.2.0"/24; # and everyone on the local network
307 ! "192.0.2.23"; # except for the dial-in router
308 }
309
310 If an ACL entry specifies a host name which Varnish is unable to re‐
311 solve, it will match any address it is compared to. Consequently, if it
312 is preceded by a negation mark, it will reject any address it is com‐
313 pared to, which may not be what you intended. If the entry is enclosed
314 in parentheses, however, it will simply be ignored.
315
316 To match an IP address against an ACL, simply use the match operator:
317
318 if (client.ip ~ localnetwork) {
319 return (pipe);
320 }
321
322 VCL objects
323 A VCL object can be instantiated with the new keyword:
324
325 sub vcl_init {
326 new b = directors.round_robin()
327 b.add_backend(node1);
328 }
329
330 This is only available in vcl_init.
331
332 Subroutines
333 A subroutine is used to group code for legibility or reusability:
334
335 sub pipe_if_local {
336 if (client.ip ~ localnetwork) {
337 return (pipe);
338 }
339 }
340
341 Subroutines in VCL do not take arguments, nor do they return values.
342 The built in subroutines all have names beginning with vcl_, which is
343 reserved.
344
345 To call a subroutine, use the call keyword followed by the subroutine's
346 name:
347
348 sub vcl_recv {
349 call pipe_if_local;
350 }
351
352 Return statements
353 The ongoing vcl_* subroutine execution ends when a return(<action>)
354 statement is made.
355
356 The <action> specifies how execution should proceed. The context de‐
357 fines which actions are available.
358
359 Multiple subroutines
360 If multiple subroutines with the name of one of the built-in ones are
361 defined, they are concatenated in the order in which they appear in the
362 source.
363
364 The built-in VCL distributed with Varnish will be implicitly concate‐
365 nated when the VCL is compiled.
366
367 VCL Variables
368 Variables provide read, write and delete access to almost all aspects
369 of the work at hand.
370
371 Reading a variable is done simply by using its name in VCL:
372
373 if (client.ip ~ bad_guys) {
374 return (synth(400));
375 }
376
377 Writing a variable, where this is possible, is done with a set state‐
378 ment:
379
380 set resp.http.never = "Let You Down";
381
382 Similarly, deleting a variable, for the few variables where this is
383 possible, is done with a unset statement:
384
385 unset req.http.cookie;
386
387 Which operations are possible on each variable is described below, of‐
388 ten with the shorthand "backend" which covers the vcl_backend_* {} sub‐
389 routines and "client" which covers the rest, except vcl_init {} and
390 vcl_fini {}.
391
392 When setting a variable, the right hand side of the equal sign must
393 have the variables type, you cannot assign a STRING to a variable of
394 type NUMBER, even if the string is "42". (Explicit conversion func‐
395 tions can be found in vmod_std(3)).
396
397 local, server, remote and client
398 These variables describe the network connection between the client and
399 varnishd.
400
401 Without PROXY protocol:
402
403 client server
404 remote local
405 v v
406 CLIENT ------------ VARNISHD
407
408 With PROXY protocol:
409
410 client server remote local
411 v v v v
412 CLIENT ------------ PROXY ------------ VARNISHD
413
414 local.ip
415 Type: IP
416
417 Readable from: client, backend
418
419 The IP address (and port number) of the local end of the TCP connec‐
420 tion, for instance 192.168.1.1:81
421
422 If the connection is a UNIX domain socket, the value will be
423 0.0.0.0:0
424
425 local.endpoint VCL >= 4.1
426 Type: STRING
427
428 Readable from: client, backend
429
430 The address of the '-a' socket the session was accepted on.
431
432 If the argument was -a foo=:81 this would be ":81"
433
434 local.socket VCL >= 4.1
435 Type: STRING
436
437 Readable from: client, backend
438
439 The name of the '-a' socket the session was accepted on.
440
441 If the argument was -a foo=:81 this would be "foo".
442
443 Note that all '-a' gets a default name on the form a%d if no name is
444 provided.
445
446 remote.ip
447 Type: IP
448
449 Readable from: client, backend
450
451 The IP address of the other end of the TCP connection. This can ei‐
452 ther be the clients IP, or the outgoing IP of a proxy server.
453
454 If the connection is a UNIX domain socket, the value will be
455 0.0.0.0:0
456
457 client.ip
458 Type: IP
459
460 Readable from: client, backend
461
462 The client's IP address, either the same as remote.ip or what the
463 PROXY protocol told us.
464
465 client.identity
466 Type: STRING
467
468 Readable from: client
469
470 Writable from: client
471
472 Identification of the client, used to load balance in the client di‐
473 rector. Defaults to client.ip
474
475 This variable can be overwritten with more precise information, for
476 instance extracted from a Cookie: header.
477
478 server.ip
479 Type: IP
480
481 Readable from: client, backend
482
483 The IP address of the socket on which the client connection was re‐
484 ceived, either the same as server.ip or what the PROXY protocol told
485 us.
486
487 server.hostname
488 Type: STRING
489
490 Readable from: all
491
492 The host name of the server, as returned by the gethostname(3) sys‐
493 tem function.
494
495 server.identity
496 Type: STRING
497
498 Readable from: all
499
500 The identity of the server, as set by the -i parameter.
501
502 If an -i parameter is not passed to varnishd, the return value from
503 gethostname(3) system function will be used.
504
505 req and req_top
506 These variables describe the present request, and when ESI:include re‐
507 quests are being processed, req_top points to the request received from
508 the client.
509
510 req
511 Type: HTTP
512
513 Readable from: client
514
515 The entire request HTTP data structure. Mostly useful for passing
516 to VMODs.
517
518 req.method
519 Type: STRING
520
521 Readable from: client
522
523 Writable from: client
524
525 The request method (e.g. "GET", "HEAD", ...)
526
527 req.hash
528 Type: BLOB
529
530 Readable from: vcl_hit, vcl_miss, vcl_pass, vcl_purge, vcl_deliver
531
532 The hash key of this request. Mostly useful for passing to VMODs,
533 but can also be useful for debugging hit/miss status.
534
535 req.url
536 Type: STRING
537
538 Readable from: client
539
540 Writable from: client
541
542 The requested URL, for instance "/robots.txt".
543
544 req.proto VCL <= 4.0
545 Type: STRING
546
547 Readable from: client
548
549 Writable from: client
550
551 The HTTP protocol version used by the client, usually "HTTP/1.1" or
552 "HTTP/2.0".
553
554 req.proto VCL >= 4.1
555 Type: STRING
556
557 Readable from: client
558
559 The HTTP protocol version used by the client, usually "HTTP/1.1" or
560 "HTTP/2.0".
561
562 req.http.*
563 Type: HEADER
564
565 Readable from: client
566
567 Writable from: client
568
569 Unsetable from: client
570
571 The headers of request, things like req.http.date.
572
573 The RFCs allow multiple headers with the same name, and both set and
574 unset will remove all headers with the name given.
575
576 req.restarts
577 Type: INT
578
579 Readable from: client
580
581 A count of how many times this request has been restarted.
582
583 req.storage
584 Type: STEVEDORE
585
586 Readable from: client
587
588 Writable from: client
589
590 The storage backend to use to save this request body.
591
592 req.esi_level
593 Type: INT
594
595 Readable from: client
596
597 A count of how many levels of ESI requests we're currently at.
598
599 req.ttl
600 Type: DURATION
601
602 Readable from: client
603
604 Writable from: client
605
606 Upper limit on the object age for cache lookups to return hit.
607
608 req.grace
609 Type: DURATION
610
611 Readable from: client
612
613 Writable from: client
614
615 Upper limit on the object grace.
616
617 During lookup the minimum of req.grace and the object's stored grace
618 value will be used as the object's grace.
619
620 req.xid
621 Type: STRING
622
623 Readable from: client
624
625 Unique ID of this request.
626
627 req.esi VCL <= 4.0
628 Type: BOOL
629
630 Readable from: client
631
632 Writable from: client
633
634 Set to false to disable ESI processing regardless of any value in
635 beresp.do_esi. Defaults to true. This variable is replaced by
636 resp.do_esi in VCL 4.1.
637
638 req.can_gzip
639 Type: BOOL
640
641 Readable from: client
642
643 True if the client provided gzip or x-gzip in the Accept-Encoding
644 header.
645
646 req.backend_hint
647 Type: BACKEND
648
649 Readable from: client
650
651 Writable from: client
652
653 Set bereq.backend to this if we attempt to fetch. When set to a di‐
654 rector, reading this variable returns an actual backend if the di‐
655 rector has resolved immediately, or the director otherwise. When
656 used in string context, returns the name of the director or backend,
657 respectively.
658
659 req.hash_ignore_busy
660 Type: BOOL
661
662 Readable from: client
663
664 Writable from: client
665
666 Default: false.
667
668 Ignore any busy object during cache lookup.
669
670 You only want to do this when you have two server looking up content
671 sideways from each other to avoid deadlocks.
672
673 req.hash_always_miss
674 Type: BOOL
675
676 Readable from: client
677
678 Writable from: client
679
680 Default: false.
681
682 Force a cache miss for this request, even if perfectly good matching
683 objects are in the cache.
684
685 This is useful to force-update the cache without invalidating exist‐
686 ing entries in case the fetch fails.
687
688 req.is_hitmiss
689 Type: BOOL
690
691 Readable from: client
692
693 If this request resulted in a hitmiss
694
695 req.is_hitpass
696 Type: BOOL
697
698 Readable from: client
699
700 If this request resulted in a hitpass
701
702 req_top.method
703 Type: STRING
704
705 Readable from: client
706
707 The request method of the top-level request in a tree of ESI re‐
708 quests. (e.g. "GET", "HEAD"). Identical to req.method in non-ESI
709 requests.
710
711 req_top.url
712 Type: STRING
713
714 Readable from: client
715
716 The requested URL of the top-level request in a tree of ESI re‐
717 quests. Identical to req.url in non-ESI requests.
718
719 req_top.http.*
720 Type: HEADER
721
722 Readable from: client
723
724 HTTP headers of the top-level request in a tree of ESI requests.
725 Identical to req.http. in non-ESI requests.
726
727 req_top.proto
728 Type: STRING
729
730 Readable from: client
731
732 HTTP protocol version of the top-level request in a tree of ESI re‐
733 quests. Identical to req.proto in non-ESI requests.
734
735 bereq
736 This is the request we send to the backend, it is built from the
737 clients req.* fields by filtering out "per-hop" fields which should not
738 be passed along (Connection:, Range: and similar).
739
740 Slightly more fields are allowed through for pass` fetches than for
741 `miss` fetches, for instance ``Range.
742
743 bereq
744 Type: HTTP
745
746 Readable from: backend
747
748 The entire backend request HTTP data structure. Mostly useful as
749 argument to VMODs.
750
751 bereq.xid
752 Type: STRING
753
754 Readable from: backend
755
756 Unique ID of this request.
757
758 bereq.retries
759 Type: INT
760
761 Readable from: backend
762
763 A count of how many times this request has been retried.
764
765 bereq.backend
766 Type: BACKEND
767
768 Readable from: vcl_pipe, backend
769
770 Writable from: vcl_pipe, backend
771
772 This is the backend or director we attempt to fetch from. When set
773 to a director, reading this variable returns an actual backend if
774 the director has resolved immediately, or the director otherwise.
775 When used in string context, returns the name of the director or
776 backend, respectively.
777
778 bereq.body
779 Type: BODY
780
781 Unsetable from: vcl_backend_fetch
782
783 The request body.
784
785 Unset will also remove bereq.http.Content-Length.
786
787 bereq.hash
788 Type: BLOB
789
790 Readable from: vcl_pipe, backend
791
792 The hash key of this request, a copy of req.hash.
793
794 bereq.method
795 Type: STRING
796
797 Readable from: vcl_pipe, backend
798
799 Writable from: vcl_pipe, backend
800
801 The request type (e.g. "GET", "HEAD").
802
803 Regular (non-pipe, non-pass) fetches are always "GET"
804
805 bereq.url
806 Type: STRING
807
808 Readable from: vcl_pipe, backend
809
810 Writable from: vcl_pipe, backend
811
812 The requested URL, copied from req.url
813
814 bereq.proto VCL <= 4.0
815 Type: STRING
816
817 Readable from: vcl_pipe, backend
818
819 Writable from: vcl_pipe, backend
820
821 The HTTP protocol version, "HTTP/1.1" unless a pass or pipe request
822 has "HTTP/1.0" in req.proto
823
824 bereq.proto VCL >= 4.1
825 Type: STRING
826
827 Readable from: vcl_pipe, backend
828
829 The HTTP protocol version, "HTTP/1.1" unless a pass or pipe request
830 has "HTTP/1.0" in req.proto
831
832 bereq.http.*
833 Type: HEADER
834
835 Readable from: vcl_pipe, backend
836
837 Writable from: vcl_pipe, backend
838
839 Unsetable from: vcl_pipe, backend
840
841 The headers to be sent to the backend.
842
843 bereq.uncacheable
844 Type: BOOL
845
846 Readable from: backend
847
848 Indicates whether this request is uncacheable due to a pass in the
849 client side or a hit on an hit-for-pass object.
850
851 bereq.connect_timeout
852 Type: DURATION
853
854 Readable from: vcl_pipe, backend
855
856 Writable from: vcl_pipe, backend
857
858 Default: .connect_timeout attribute from the backend_definition,
859 which defaults to the connect_timeout parameter, see varnishd(1).
860
861 The time in seconds to wait for a backend connection to be estab‐
862 lished.
863
864 bereq.first_byte_timeout
865 Type: DURATION
866
867 Readable from: backend
868
869 Writable from: backend
870
871 Default: .first_byte_timeout attribute from the backend_definition,
872 which defaults to the first_byte_timeout parameter, see varnishd(1).
873
874 The time in seconds to wait getting the first byte back from the
875 backend. Not available in pipe mode.
876
877 bereq.between_bytes_timeout
878 Type: DURATION
879
880 Readable from: backend
881
882 Writable from: backend
883
884 Default: .between_bytes_timeout attribute from the backend_defini‐
885 tion, which defaults to the between_bytes_timeout parameter, see
886 varnishd(1).
887
888 The time in seconds to wait between each received byte from the
889 backend. Not available in pipe mode.
890
891 bereq.is_bgfetch
892 Type: BOOL
893
894 Readable from: backend
895
896 True for fetches where the client got a hit on an object in grace,
897 and this fetch was kicked of in the background to get a fresh copy.
898
899 beresp
900 The response received from the backend, one cache misses, the store ob‐
901 ject is built from beresp.
902
903 beresp
904 Type: HTTP
905
906 Readable from: vcl_backend_response, vcl_backend_error
907
908 The entire backend response HTTP data structure, useful as argument
909 to VMOD functions.
910
911 beresp.body
912 Type: BODY
913
914 Writable from: vcl_backend_error
915
916 For producing a synthetic body.
917
918 beresp.proto VCL <= 4.0
919 Type: STRING
920
921 Readable from: vcl_backend_response, vcl_backend_error
922
923 Writable from: vcl_backend_response, vcl_backend_error
924
925 The HTTP protocol version the backend replied with.
926
927 beresp.proto VCL >= 4.1
928 Type: STRING
929
930 Readable from: vcl_backend_response, vcl_backend_error
931
932 The HTTP protocol version the backend replied with.
933
934 beresp.status
935 Type: INT
936
937 Readable from: vcl_backend_response, vcl_backend_error
938
939 Writable from: vcl_backend_response, vcl_backend_error
940
941 The HTTP status code returned by the server.
942
943 More information in the HTTP response status section.
944
945 beresp.reason
946 Type: STRING
947
948 Readable from: vcl_backend_response, vcl_backend_error
949
950 Writable from: vcl_backend_response, vcl_backend_error
951
952 The HTTP status message returned by the server.
953
954 beresp.http.*
955 Type: HEADER
956
957 Readable from: vcl_backend_response, vcl_backend_error
958
959 Writable from: vcl_backend_response, vcl_backend_error
960
961 Unsetable from: vcl_backend_response, vcl_backend_error
962
963 The HTTP headers returned from the server.
964
965 beresp.do_esi
966 Type: BOOL
967
968 Readable from: vcl_backend_response, vcl_backend_error
969
970 Writable from: vcl_backend_response, vcl_backend_error
971
972 Default: false.
973
974 Set it to true to parse the object for ESI directives. Will only be
975 honored if req.esi is true.
976
977 It is a VCL error to use beresp.do_esi after setting beresp.filters.
978
979 beresp.do_stream
980 Type: BOOL
981
982 Readable from: vcl_backend_response, vcl_backend_error
983
984 Writable from: vcl_backend_response, vcl_backend_error
985
986 Default: true.
987
988 Deliver the object to the client while fetching the whole object
989 into varnish.
990
991 For uncacheable objects, storage for parts of the body which have
992 been sent to the client may get freed early, depending on the stor‐
993 age engine used.
994
995 This variable has no effect if do_esi is true or when the response
996 body is empty.
997
998 beresp.do_gzip
999 Type: BOOL
1000
1001 Readable from: vcl_backend_response, vcl_backend_error
1002
1003 Writable from: vcl_backend_response, vcl_backend_error
1004
1005 Default: false.
1006
1007 Set to true to gzip the object while storing it.
1008
1009 If http_gzip_support is disabled, setting this variable has no ef‐
1010 fect.
1011
1012 It is a VCL error to use beresp.do_gzip after setting beresp.fil‐
1013 ters.
1014
1015 beresp.do_gunzip
1016 Type: BOOL
1017
1018 Readable from: vcl_backend_response, vcl_backend_error
1019
1020 Writable from: vcl_backend_response, vcl_backend_error
1021
1022 Default: false.
1023
1024 Set to true to gunzip the object while storing it in the cache.
1025
1026 If http_gzip_support is disabled, setting this variable has no ef‐
1027 fect.
1028
1029 It is a VCL error to use beresp.do_gunzip after setting beresp.fil‐
1030 ters.
1031
1032 beresp.was_304
1033 Type: BOOL
1034
1035 Readable from: vcl_backend_response, vcl_backend_error
1036
1037 When true this indicates that we got a 304 response to our condi‐
1038 tional fetch from the backend and turned that into beresp.status =
1039 200
1040
1041 beresp.uncacheable
1042 Type: BOOL
1043
1044 Readable from: vcl_backend_response, vcl_backend_error
1045
1046 Writable from: vcl_backend_response, vcl_backend_error
1047
1048 Inherited from bereq.uncacheable, see there.
1049
1050 Setting this variable makes the object uncacheable.
1051
1052 This may may produce a hit-for-miss object in the cache.
1053
1054 Clearing the variable has no effect and will log the warning "Ignor‐
1055 ing attempt to reset beresp.uncacheable".
1056
1057 beresp.ttl
1058 Type: DURATION
1059
1060 Readable from: vcl_backend_response, vcl_backend_error
1061
1062 Writable from: vcl_backend_response, vcl_backend_error
1063
1064 Default: Cache-Control s-maxage or max-age directives, or a value
1065 computed from the Expires header's deadline, or the default_ttl pa‐
1066 rameter.
1067
1068 The object's remaining time to live, in seconds.
1069
1070 beresp.age
1071 Type: DURATION
1072
1073 Readable from: vcl_backend_response, vcl_backend_error
1074
1075 Default: Age header, or zero.
1076
1077 The age of the object.
1078
1079 beresp.grace
1080 Type: DURATION
1081
1082 Readable from: vcl_backend_response, vcl_backend_error
1083
1084 Writable from: vcl_backend_response, vcl_backend_error
1085
1086 Default: Cache-Control stale-while-revalidate directive, or de‐
1087 fault_grace parameter.
1088
1089 Set to a period to enable grace.
1090
1091 beresp.keep
1092 Type: DURATION
1093
1094 Readable from: vcl_backend_response, vcl_backend_error
1095
1096 Writable from: vcl_backend_response, vcl_backend_error
1097
1098 Default: default_keep parameter.
1099
1100 Set to a period to enable conditional backend requests.
1101
1102 The keep time is cache lifetime in addition to the ttl.
1103
1104 Objects with ttl expired but with keep time left may be used to is‐
1105 sue conditional (If-Modified-Since / If-None-Match) requests to the
1106 backend to refresh them.
1107
1108 beresp.backend
1109 Type: BACKEND
1110
1111 Readable from: vcl_backend_response, vcl_backend_error
1112
1113 This is the backend we fetched from. If bereq.backend was set to a
1114 director, this will be the backend selected by the director. When
1115 used in string context, returns its name.
1116
1117 beresp.backend.name
1118 Type: STRING
1119
1120 Readable from: vcl_backend_response, vcl_backend_error
1121
1122 Name of the backend this response was fetched from. Same as
1123 beresp.backend.
1124
1125 beresp.backend.ip VCL <= 4.0
1126 Type: IP
1127
1128 Readable from: vcl_backend_response
1129
1130 IP of the backend this response was fetched from.
1131
1132 beresp.storage
1133 Type: STEVEDORE
1134
1135 Readable from: vcl_backend_response, vcl_backend_error
1136
1137 Writable from: vcl_backend_response, vcl_backend_error
1138
1139 The storage backend to use to save this object.
1140
1141 beresp.storage_hint VCL <= 4.0
1142 Type: STRING
1143
1144 Readable from: vcl_backend_response, vcl_backend_error
1145
1146 Writable from: vcl_backend_response, vcl_backend_error
1147
1148 Deprecated since varnish 5.1 and discontinued since VCL 4.1 (varnish
1149 6.0). Use beresp.storage instead.
1150
1151 Hint to Varnish that you want to save this object to a particular
1152 storage backend.
1153
1154 beresp.filters
1155 Type: STRING
1156
1157 Readable from: vcl_backend_response
1158
1159 Writable from: vcl_backend_response
1160
1161 List of Varnish Fetch Processor (VFP) filters the beresp.body will
1162 be pulled through. The order left to right signifies processing from
1163 backend to cache, iow the leftmost filter is run first on the body
1164 as received from the backend after decoding of any transfer encod‐
1165 ings.
1166
1167 VFP Filters change the body before going into the cache and/or being
1168 handed to the client side, where it may get processed again by
1169 resp.filters.
1170
1171 The following VFP filters exist in varnish-cache:
1172
1173 • gzip: compress a body using gzip
1174
1175 • testgunzip: Test if a body is valid gzip and refuse it otherwise
1176
1177 • gunzip: Uncompress gzip content
1178
1179 • esi: ESI-process plain text content
1180
1181 • esi_gzip: Save gzipped snippets for efficient ESI-processing
1182
1183 This filter enables stitching together ESI from individually
1184 gzipped fragments, saving processing power for re-compression on
1185 the client side at the expense of some compression efficiency.
1186
1187 Additional VFP filters are available from VMODs.
1188
1189 By default, beresp.filters is constructed as follows:
1190
1191 • gunzip gets added for gzipped content if beresp.do_gunzip or
1192 beresp.do_esi are true.
1193
1194 • esi_gzip gets added if beresp.do_esi is true together with
1195 beresp.do_gzip or content is already compressed.
1196
1197 • esi gets added if beresp.do_esi is true
1198
1199 • gzip gets added for uncompressed content if beresp.do_gzip is true
1200
1201 • testgunzip gets added for compressed content if beresp.do_gunzip
1202 is false.
1203
1204 After beresp.filters is set, using any of the beforementioned
1205 beresp.do_* switches is a VCL error.
1206
1207 obj
1208 This is the object we found in cache. It cannot be modified.
1209
1210 obj.proto
1211 Type: STRING
1212
1213 Readable from: vcl_hit
1214
1215 The HTTP protocol version stored in the object.
1216
1217 obj.status
1218 Type: INT
1219
1220 Readable from: vcl_hit
1221
1222 The HTTP status code stored in the object.
1223
1224 More information in the HTTP response status section.
1225
1226 obj.reason
1227 Type: STRING
1228
1229 Readable from: vcl_hit
1230
1231 The HTTP reason phrase stored in the object.
1232
1233 obj.hits
1234 Type: INT
1235
1236 Readable from: vcl_hit, vcl_deliver
1237
1238 The count of cache-hits on this object.
1239
1240 In vcl_deliver a value of 0 indicates a cache miss.
1241
1242 obj.http.*
1243 Type: HEADER
1244
1245 Readable from: vcl_hit
1246
1247 The HTTP headers stored in the object.
1248
1249 obj.ttl
1250 Type: DURATION
1251
1252 Readable from: vcl_hit, vcl_deliver
1253
1254 The object's remaining time to live, in seconds.
1255
1256 obj.age
1257 Type: DURATION
1258
1259 Readable from: vcl_hit, vcl_deliver
1260
1261 The age of the object.
1262
1263 obj.grace
1264 Type: DURATION
1265
1266 Readable from: vcl_hit, vcl_deliver
1267
1268 The object's grace period in seconds.
1269
1270 obj.keep
1271 Type: DURATION
1272
1273 Readable from: vcl_hit, vcl_deliver
1274
1275 The object's keep period in seconds.
1276
1277 obj.uncacheable
1278 Type: BOOL
1279
1280 Readable from: vcl_deliver
1281
1282 Whether the object is uncacheable (pass, hit-for-pass or
1283 hit-for-miss).
1284
1285 obj.storage
1286 Type: STEVEDORE
1287
1288 Readable from: vcl_hit, vcl_deliver
1289
1290 The storage backend where this object is stored.
1291
1292 obj.can_esi
1293 Type: BOOL
1294
1295 Readable from: vcl_hit, vcl_deliver
1296
1297 If the object can be ESI processed, that is if setting resp.do_esi
1298 or adding esi to resp.filters in vcl_deliver {} would cause the re‐
1299 sponse body to be ESI processed.
1300
1301 resp
1302 This is the response we send to the client, it is built from either
1303 beresp (pass/miss), obj (hits) or created from whole cloth (synth).
1304
1305 With the exception of resp.body all resp.* variables available in both
1306 vcl_deliver{} and vcl_synth{} as a matter of symmetry.
1307
1308 resp
1309 Type: HTTP
1310
1311 Readable from: vcl_deliver, vcl_synth
1312
1313 The entire response HTTP data structure, useful as argument to
1314 VMODs.
1315
1316 resp.body
1317 Type: BODY
1318
1319 Writable from: vcl_synth
1320
1321 To produce a synthetic response body, for instance for errors.
1322
1323 resp.proto VCL <= 4.0
1324 Type: STRING
1325
1326 Readable from: vcl_deliver, vcl_synth
1327
1328 Writable from: vcl_deliver, vcl_synth
1329
1330 The HTTP protocol version to use for the response.
1331
1332 resp.proto VCL >= 4.1
1333 Type: STRING
1334
1335 Readable from: vcl_deliver, vcl_synth
1336
1337 Writable from: vcl_deliver, vcl_synth
1338
1339 The HTTP protocol version to use for the response.
1340
1341 resp.status
1342 Type: INT
1343
1344 Readable from: vcl_deliver, vcl_synth
1345
1346 Writable from: vcl_deliver, vcl_synth
1347
1348 The HTTP status code that will be returned.
1349
1350 More information in the HTTP response status section.
1351
1352 resp.status 200 will get changed into 304 by core code after a re‐
1353 turn(deliver) from vcl_deliver for conditional requests to cached
1354 content if validation succeeds.
1355
1356 For the validation, first req.http.If-None-Match is compared against
1357 resp.http.Etag. If they compare equal according to the rules for
1358 weak validation (see RFC7232), a 304 is sent.
1359
1360 Secondly, req.http.If-Modified-Since is compared against
1361 resp.http.Last-Modified or, if it is unset, against the point in
1362 time when the object was last modified based on the Date and Age
1363 headers received with the backend response which created the object.
1364 If the object has not been modified based on that comparison, a 304
1365 is sent.
1366
1367 resp.reason
1368 Type: STRING
1369
1370 Readable from: vcl_deliver, vcl_synth
1371
1372 Writable from: vcl_deliver, vcl_synth
1373
1374 The HTTP status message that will be returned.
1375
1376 resp.http.*
1377 Type: HEADER
1378
1379 Readable from: vcl_deliver, vcl_synth
1380
1381 Writable from: vcl_deliver, vcl_synth
1382
1383 Unsetable from: vcl_deliver, vcl_synth
1384
1385 The HTTP headers that will be returned.
1386
1387 resp.do_esi VCL >= 4.1
1388 Type: BOOL
1389
1390 Readable from: vcl_deliver, vcl_synth
1391
1392 Writable from: vcl_deliver, vcl_synth
1393
1394 Default: obj.can_esi
1395
1396 This can be used to selectively disable ESI processing, even though
1397 ESI parsing happened during fetch. This is useful when Varnish
1398 caches peer with each other.
1399
1400 It is a VCL error to use resp.do_esi after setting resp.filters.
1401
1402 resp.is_streaming
1403 Type: BOOL
1404
1405 Readable from: vcl_deliver, vcl_synth
1406
1407 Returns true when the response will be streamed while being fetched
1408 from the backend.
1409
1410 resp.filters
1411 Type: STRING
1412
1413 Readable from: vcl_deliver, vcl_synth
1414
1415 Writable from: vcl_deliver, vcl_synth
1416
1417 List of VDP filters the resp.body will be pushed through.
1418
1419 Before resp.filters is set, the value read will be the default fil‐
1420 ter list as determined by varnish based on resp.do_esi and request
1421 headers.
1422
1423 After resp.filters is set, changing any of the conditions which oth‐
1424 erwise determine the filter selection will have no effiect. Using
1425 resp.do_esi is an error once resp.filters is set.
1426
1427 Special variables
1428 now
1429 Type: TIME
1430
1431 Readable from: all
1432
1433 The current time, in seconds since the UNIX epoch.
1434
1435 When converted to STRING in expressions it returns a formatted time‐
1436 stamp like Tue, 20 Feb 2018 09:30:31 GMT
1437
1438 sess
1439 A session corresponds to the "conversation" that Varnish has with a
1440 single client connection, over which one or more request/response
1441 transactions may take place. It may comprise the traffic over an HTTP/1
1442 keep-alive connection, or the multiplexed traffic over an HTTP/2 con‐
1443 nection.
1444
1445 sess.xid VCL >= 4.1
1446 Type: STRING
1447
1448 Readable from: client, backend
1449
1450 Unique ID of this session.
1451
1452 sess.timeout_idle
1453 Type: DURATION
1454
1455 Readable from: client
1456
1457 Writable from: client
1458
1459 Idle timeout for this session, defaults to the timeout_idle parame‐
1460 ter, see varnishd(1)
1461
1462 sess.timeout_linger
1463 Type: DURATION
1464
1465 Readable from: client
1466
1467 Writable from: client
1468
1469 Linger timeout for this session, defaults to the timeout_linger pa‐
1470 rameter, see varnishd(1)
1471
1472 sess.send_timeout
1473 Type: DURATION
1474
1475 Readable from: client
1476
1477 Writable from: client
1478
1479 Total timeout for ordinary HTTP1 responses, defaults to the
1480 send_timeout parameter, see varnishd(1)
1481
1482 sess.idle_send_timeout
1483 Type: DURATION
1484
1485 Readable from: client
1486
1487 Writable from: client
1488
1489 Send timeout for individual pieces of data on client connections,
1490 defaults to the idle_send_timeout parameter, see varnishd(1)
1491
1492 storage
1493 storage.<name>.free_space
1494 Type: BYTES
1495
1496 Readable from: client, backend
1497
1498 Free space available in the named stevedore. Only available for the
1499 malloc stevedore.
1500
1501 storage.<name>.used_space
1502 Type: BYTES
1503
1504 Readable from: client, backend
1505
1506 Used space in the named stevedore. Only available for the malloc
1507 stevedore.
1508
1509 storage.<name>.happy
1510 Type: BOOL
1511
1512 Readable from: client, backend
1513
1514 Health status for the named stevedore. Not available in any of the
1515 current stevedores.
1516
1517 HTTP response status
1518 A status code normally has 3 digits XYZ where X must be between 1 and 5
1519 included. Since it is not uncommon to see HTTP clients or servers rely‐
1520 ing on non-standard or even invalid status codes Varnish tolerates any
1521 status between 100 and 999.
1522
1523 With VCL code it is possible to use status codes in the form XXYZZ
1524 where the overall value is lower than 65536 and the Y digit is between
1525 1 and 9 included. Only the YZZ part is sent to the client.
1526
1527 The XXYZZ form of status codes can be set on resp.status and
1528 beresp.status or passed via return(synth(...)) and return(error(...))
1529 transitions.
1530
1531 XX can be therefore be used to pass information around inside VCL, for
1532 instance return(synth(22404)) from vcl_recv{} to vcl_synth{}.
1533
1534 The obj.status variable will inherit the XXYZZ form, but in a ban ex‐
1535 presion only the YZZ part will be available. The XXYZZ form is strictly
1536 limited to VCL execution.
1537
1538 Assigning an HTTP standardized code to resp.status or beresp.status
1539 will also set resp.reason or beresp.reason to the corresponding status
1540 message.
1541
1542 Functions
1543 The following built-in functions are available:
1544
1545 ban(STRING)
1546 Invalidates all objects in cache that match the given expression
1547 with the ban mechanism.
1548
1549 The format of STRING is:
1550
1551 <field> <operator> <arg> [&& <field> <oper> <arg> ...]
1552
1553 • <field>:
1554
1555 • string fields:
1556
1557 • req.url: The request url
1558
1559 • req.http.*: Any request header
1560
1561 • obj.status: The cache object status
1562
1563 • obj.http.*: Any cache object header
1564
1565 obj.status is treated as a string despite the fact that it is
1566 actually an integer.
1567
1568 • duration fields:
1569
1570 • obj.ttl: Remaining ttl at the time the ban is issued
1571
1572 • obj.age: Object age at the time the ban is issued
1573
1574 • obj.grace: The grace time of the object
1575
1576 • obj.keep: The keep time of the object
1577
1578 • <operator>:
1579
1580 • for all fields:
1581
1582 • ==: <field> and <arg> are equal
1583
1584 • !=: <field> and <arg> are unequal
1585
1586 strings are compared case sensitively
1587
1588 • for string fields:
1589
1590 • ~: <field> matches the regular expression <arg>
1591
1592 • !~:<field> does not match the regular expression <arg>
1593
1594 • for duration fields:
1595
1596 • >: <field> is greater than <arg>
1597
1598 • >=: <field> is greater than or equal to <arg>
1599
1600 • <: <field> is less than <arg>
1601
1602 • <=: <field> is less than or equal to <arg>
1603
1604 • <arg>:
1605
1606 • for string fields:
1607
1608 Either a literal string or a regular expression. Note that <arg>
1609 does not use any of the string delimiters like " or {"..."} used
1610 elsewhere in varnish. To match against strings containing white‐
1611 space, regular expressions containing \s can be used.
1612
1613 • for duration fields:
1614
1615 A VCL duration like 10s, 5m or 1h, see Durations
1616
1617 Expressions can be chained using the and operator &&. For or seman‐
1618 tics, use several bans.
1619
1620 The unset <field> is not equal to any string, such that, for a
1621 non-existing header, the operators == and ~ always evaluate as
1622 false, while the operators != and !~ always evaluate as true, re‐
1623 spectively, for any value of <arg>.
1624
1625 hash_data(input)
1626 Adds an input to the hash input. In the built-in VCL hash_data() is
1627 called on the host and URL of the request. Available in vcl_hash.
1628
1629 synthetic(STRING)
1630 Prepare a synthetic response body containing the STRING. Available
1631 in vcl_synth and vcl_backend_error.
1632
1633 Identical to set resp.body / set beresp.body.
1634
1635 regsub(str, regex, sub)
1636 Returns a copy of str with the first occurrence of the regular ex‐
1637 pression regex replaced with sub. Within sub, \0 (which can also be
1638 spelled \&) is replaced with the entire matched string, and \n is
1639 replaced with the contents of subgroup n in the matched string.
1640
1641 regsuball(str, regex, sub)
1642 As regsub(), but this replaces all occurrences.
1643
1644 For converting or casting VCL values between data types use the func‐
1645 tions available in the std VMOD.
1646
1648 Multiple versions of the VCL syntax can coexist within certain con‐
1649 straints.
1650
1651 The VCL syntax version at the start of VCL file specified with -f sets
1652 the hard limit that cannot be exceeded anywhere, and it selects the ap‐
1653 propriate version of the builtin VCL.
1654
1655 That means that you can never include vcl 9.1; from vcl 8.7;, but the
1656 opposite may be possible, to the extent the compiler supports it.
1657
1658 Files pulled in via include do not need to have a vcl X.Y; but it may
1659 be a good idea to do it anyway, to not have surprises in the future.
1660 The syntax version set in an included file only applies to that file
1661 and any files it includes - unless these set their own VCL syntax ver‐
1662 sion.
1663
1664 The version of Varnish this file belongs to supports syntax 4.0 and
1665 4.1.
1666
1668 For examples, please see the online documentation.
1669
1671 • varnishd(1)
1672
1673 • vmod_directors(3)
1674
1675 • vmod_std(3)
1676
1678 VCL was developed by Poul-Henning Kamp in cooperation with Verdens Gang
1679 AS, Redpill Linpro and Varnish Software. This manual page is written
1680 by Per Buer, Poul-Henning Kamp, Martin Blix Grydeland, Kristian Lyn‐
1681 gstøl, Lasse Karstensen and possibly others.
1682
1684 This document is licensed under the same license as Varnish itself. See
1685 LICENSE for details.
1686
1687 • Copyright (c) 2006 Verdens Gang AS
1688
1689 • Copyright (c) 2006-2015 Varnish Software AS
1690
1691
1692
1693
1694 VCL(7)