vhost-stack/etc/varnish/wordpress-sub.vcl

#
# Default WordPress config
#
# Much of this taken from:
# https://www.serverlab.ca/tutorials/linux/web-servers-linux/how-to-configure-varnish-4-for-wordpress/
# https://github.com/mattiasgeniar/varnish-6.0-configuration-templates/blob/master/default.vcl
#
sub wordpress {

    # Do not cache AJAX requests
    if (req.http.X-Requested-With == "XMLHttpRequest") {
        return(pass);
    }

    # Bypass REST API
    if (req.url ~ "^/wp-json/") {
        return (pass);
    }

    # Do not cache previews
    if (req.url ~ "preview=true") {
        return (pass);
    }

    # Do not cache cron
    if (req.url ~ "/wp-cron.php") {
        return (pass);
    }

    # Don't cache uploads. Should only be static files that apache can serve efficiently.
    # Use mod_expires via .htaccess so that static files are cached by clients.
    if (req.url ~ "/wp-content/uploads/") {
        return (pass);
    }

    # Undecided on these. Disabled for now, keep an eye out for issues.
#     # don't cache rss feed
#     if (req.url ~ "/feed(/)?") {
#         return ( pass );
#     }
#
#     # Don't cache search results
#     if (req.url ~ "/\?s\=") {
#         return ( pass );
#     }

    # Remove the Google Analytics added parameters, not needed by backend
    if (req.url ~ "(\?|&)(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteurl)=") {
        set req.url = regsuball(req.url, "&(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteurl)=([A-z0-9_\-\.%25]+)", "");
        set req.url = regsuball(req.url, "\?(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteurl)=([A-z0-9_\-\.%25]+)", "?");
        set req.url = regsub(req.url, "\?&", "?");
        set req.url = regsub(req.url, "\?$", "");
    }

    # Strip hash, server doesn't need it.
    if (req.url ~ "\#") {
      set req.url = regsub(req.url, "\#.*$", "");
    }

    # Strip a trailing ? if it exists
    if (req.url ~ "\?$") {
      set req.url = regsub(req.url, "\?$", "");
    }

    # Normalize the query arguments (but exclude for WordPress' backend)
    if (req.url !~ "wp-admin") {
        set req.url = std.querysort(req.url);
    }

    # Remove unneeded WP cookies
    set req.http.Cookie = regsuball(req.http.Cookie, "wordpress_test_cookie=[^;]+(; )?", "");
    set req.http.cookie = regsuball(req.http.cookie, "wp-settings-\d+=[^;]+(; )?", "");
    set req.http.cookie = regsuball(req.http.cookie, "wp-settings-time-\d+=[^;]+(; )?", "");

    # Remove the "has_js" cookie
    set req.http.Cookie = regsuball(req.http.Cookie, "has_js=[^;]+(; )?", "");

    # Remove any Google Analytics based cookies
    set req.http.Cookie = regsuball(req.http.Cookie, "__utm.=[^;]+(; )?", "");
    set req.http.Cookie = regsuball(req.http.Cookie, "_ga=[^;]+(; )?", "");
    set req.http.Cookie = regsuball(req.http.Cookie, "_gat=[^;]+(; )?", "");
    set req.http.Cookie = regsuball(req.http.Cookie, "utmctr=[^;]+(; )?", "");
    set req.http.Cookie = regsuball(req.http.Cookie, "utmcmd.=[^;]+(; )?", "");
    set req.http.Cookie = regsuball(req.http.Cookie, "utmccn.=[^;]+(; )?", "");

    # Remove DoubleClick cookies
    set req.http.Cookie = regsuball(req.http.Cookie, "__gads=[^;]+(; )?", "");

    # Remove the Quant Capital cookies (added by some plugin, all __qca)
    set req.http.Cookie = regsuball(req.http.Cookie, "__qc.=[^;]+(; )?", "");

    # Remove the AddThis cookies
    set req.http.Cookie = regsuball(req.http.Cookie, "__atuv.=[^;]+(; )?", "");

    # Remove a ";" prefix in the cookie if present
    set req.http.Cookie = regsuball(req.http.Cookie, "^;\s*", "");

    # Remove any cookies left with only spaces or that are empty
    if (req.http.cookie ~ "^ *$") {
        unset req.http.cookie;
    }

    # Remove all cookies for static files and cache now
    # Note that we already skipped the 'uploads' dir, so this really only applies to files included in WP Core, Themes & Plugins.
    # Could disable skipping of 'uploads' dir to cache all static files. Has potential to fill up varnish cache, but could be useful in some specific cases.
    if (std.tolower(req.url) ~ "^[^?]*\.(7z|avi|bmp|bz2|css|csv|doc|docx|eot|flac|flv|gif|gz|ico|jpeg|jpg|js|less|mka|mkv|mov|mp3|mp4|mpeg|mpg|odt|ogg|ogm|opus|otf|pdf|png|ppt|pptx|rar|rtf|svg|svgz|swf|tar|tbz|tgz|ttf|txt|txz|wav|webm|webp|woff|woff2|xls|xlsx|xml|xz|zip)(\?.*)?$") {
        unset req.http.Cookie;
        return (hash);
    }

    # Do not cache the admin or login pages
    if (req.url ~ "^/wp-admin/|^/wp-login\.php") {
        return (pass);
    }

    # Check for wordpress cookies that should indicate no-cache.
    if (req.http.Cookie ~ "wordpress_logged_in_" || req.http.Cookie ~ "comment_" || req.http.Cookie ~ "resetpass") {
        return (pass);
    }

    # check for woocommerce cookies
    if (req.http.Cookie ~ "(woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session_[a-zA-Z0-9]+)") {
        return (pass);
    }

    # catch-all will run next. if cookie (pass) else (hash)

}