peterjaap · September 30, 2025 15:25 · Apr 23, 2025 · Apr 18, 2025 · Apr 3, 2025 · Apr 3, 2025
diff --git a/varnish6.vcl b/varnish6.vcl
@@ -206,6 +206,11 @@ sub vcl_deliver {
         set resp.http.Expires = "-1";
         set resp.http.Cache-Control = "no-store, no-cache, must-revalidate, max-age=0";
     }
+
+    # Prevent browser caching for customer and checkout pages
+    if (req.url ~ "^/(customer|checkout)(/|$)") {
+        set resp.http.Cache-Control = "no-store, no-cache, must-revalidate";
+    }
 
     if (!resp.http.X-Magento-Debug) {
         unset resp.http.Age;

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -31,6 +31,11 @@ sub vcl_recv {
     if (req.http.Cookie ~ "io.prismic.preview") {
         return (pass);
     }
+
+    # Bypass generated sitemap files
+    if (req.url ~ "^/sitemaps/") {
+        return (pass);
+    }
 
     # Remove empty query string parameters
     # e.g.: www.example.com/index.html?    

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -1,5 +1,8 @@
 # A number of these changes come form the following PR's; , combines changes in https://github.com/magento/magento2/pull/29360, https://github.com/magento/magento2/pull/28944 and https://github.com/magento/magento2/pull/28894, https://github.com/magento/magento2/pull/35228, https://github.com/magento/magento2/pull/36524, https://github.com/magento/magento2/pull/34323
 # VCL version 5.0 is not supported so it should be 4.0 even though actually used Varnish version is 6
+
+# See the Xkey version here: https://gist.github.com/peterjaap/7f7bf11aa7d089792e8fcc2fb34760fa
+
 vcl 4.1;
 
 import std;

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -10,13 +10,13 @@ backend default {
     .host = "/* {{ host }} */";
     .port = "/* {{ port }} */";
     .first_byte_timeout = 600s;
-    .probe = {
-        .url = "/health_check.php";
-        .timeout = 2s;
-        .interval = 5s;
-        .window = 10;
-        .threshold = 5;
-   }
+ #   .probe = {
+ #       .url = "/health_check.php";
+ #       .timeout = 2s;
+ #       .interval = 5s;
+ #       .window = 10;
+ #       .threshold = 5;
+ #  }
 }
 
 acl purge {

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -93,7 +93,7 @@ sub vcl_recv {
     }
 
     # Collapse multiple cookie headers into one
-    std.collect(req.http.Cookie);
+    std.collect(req.http.Cookie, ";");
 
     # Remove all marketing get parameters to minimize the cache objects
     if (req.url ~ "(\?|&)(_branch_match_id|srsltid|_bta_c|_bta_tid|_ga|_gl|_ke|_kx|campid|cof|customid|cx|dclid|dm_i|ef_id|epik|fbclid|gad_source|gbraid|gclid|gclsrc|gdffi|gdfms|gdftrk|hsa_acc|hsa_ad|hsa_cam|hsa_grp|hsa_kw|hsa_mt|hsa_net|hsa_src|hsa_tgt|hsa_ver|ie|igshid|irclickid|matomo_campaign|matomo_cid|matomo_content|matomo_group|matomo_keyword|matomo_medium|matomo_placement|matomo_source|mc_cid|mc_eid|mkcid|mkevt|mkrid|mkwid|msclkid|mtm_campaign|mtm_cid|mtm_content|mtm_group|mtm_keyword|mtm_medium|mtm_placement|mtm_source|nb_klid|ndclid|origin|pcrid|piwik_campaign|piwik_keyword|piwik_kwd|pk_campaign|pk_keyword|pk_kwd|redirect_log_mongo_id|redirect_mongo_id|rtid|sb_referer_host|ScCid|si|siteurl|s_kwcid|sms_click|sms_source|sms_uph|toolid|trk_contact|trk_module|trk_msg|trk_sid|ttclid|twclid|utm_campaign|utm_content|utm_creative_format|utm_id|utm_marketing_tactic|utm_medium|utm_source|utm_source_platform|utm_term|wbraid|yclid|zanpid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=") {

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -56,22 +56,18 @@ sub vcl_recv {
         set req.grace = /* {{ grace_period }} */s;
     }
 
+    # Purge logic to remove objects from the cache
+    # Tailored to Magento's cache invalidation mechanism
+    # The X-Magento-Tags-Pattern value is matched to the tags in the X-Magento-Tags header
+    # If X-Magento-Tags-Pattern is not set, a URL-based purge is executed
     if (req.method == "PURGE") {
         if (client.ip !~ purge) {
             return (synth(405, "Method not allowed"));
         }
-        # To use the X-Pool header for purging varnish during automated deployments, make sure the X-Pool header
-        # has been added to the response in your backend server config. This is used, for example, by the
-        # capistrano-magento2 gem for purging old content from varnish during it's deploy routine.
-        if (!req.http.X-Magento-Tags-Pattern && !req.http.X-Pool) {
+        if (!req.http.X-Magento-Tags-Pattern) {
             return (purge);
         }
-        if (req.http.X-Magento-Tags-Pattern) {
-          ban("obj.http.X-Magento-Tags ~ " + req.http.X-Magento-Tags-Pattern);
-        }
-        if (req.http.X-Pool) {
-          ban("obj.http.X-Pool ~ " + req.http.X-Pool);
-        }
+        ban("obj.http.X-Magento-Tags ~ " + req.http.X-Magento-Tags-Pattern);
         return (synth(200, "Purged"));
     }
 

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -100,8 +100,8 @@ sub vcl_recv {
     std.collect(req.http.Cookie);
 
     # Remove all marketing get parameters to minimize the cache objects
-    if (req.url ~ "(\?|&)(_branch_match_id|_bta_c|_bta_tid|_ga|_gl|_ke|_kx|campid|cof|customid|cx|dclid|dm_i|ef_id|epik|fbclid|gad_source|gbraid|gclid|gclsrc|gdffi|gdfms|gdftrk|hsa_acc|hsa_ad|hsa_cam|hsa_grp|hsa_kw|hsa_mt|hsa_net|hsa_src|hsa_tgt|hsa_ver|ie|igshid|irclickid|matomo_campaign|matomo_cid|matomo_content|matomo_group|matomo_keyword|matomo_medium|matomo_placement|matomo_source|mc_cid|mc_eid|mkcid|mkevt|mkrid|mkwid|msclkid|mtm_campaign|mtm_cid|mtm_content|mtm_group|mtm_keyword|mtm_medium|mtm_placement|mtm_source|nb_klid|ndclid|origin|pcrid|piwik_campaign|piwik_keyword|piwik_kwd|pk_campaign|pk_keyword|pk_kwd|redirect_log_mongo_id|redirect_mongo_id|rtid|sb_referer_host|ScCid|si|siteurl|s_kwcid|sms_click|sms_source|sms_uph|toolid|trk_contact|trk_module|trk_msg|trk_sid|ttclid|twclid|utm_campaign|utm_content|utm_creative_format|utm_id|utm_marketing_tactic|utm_medium|utm_source|utm_source_platform|utm_term|wbraid|yclid|zanpid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=") {
-        set req.url = regsuball(req.url, "(_branch_match_id|_bta_c|_bta_tid|_ga|_gl|_ke|_kx|campid|cof|customid|cx|dclid|dm_i|ef_id|epik|fbclid|gad_source|gbraid|gclid|gclsrc|gdffi|gdfms|gdftrk|hsa_acc|hsa_ad|hsa_cam|hsa_grp|hsa_kw|hsa_mt|hsa_net|hsa_src|hsa_tgt|hsa_ver|ie|igshid|irclickid|matomo_campaign|matomo_cid|matomo_content|matomo_group|matomo_keyword|matomo_medium|matomo_placement|matomo_source|mc_cid|mc_eid|mkcid|mkevt|mkrid|mkwid|msclkid|mtm_campaign|mtm_cid|mtm_content|mtm_group|mtm_keyword|mtm_medium|mtm_placement|mtm_source|nb_klid|ndclid|origin|pcrid|piwik_campaign|piwik_keyword|piwik_kwd|pk_campaign|pk_keyword|pk_kwd|redirect_log_mongo_id|redirect_mongo_id|rtid|sb_referer_host|ScCid|si|siteurl|s_kwcid|sms_click|sms_source|sms_uph|toolid|trk_contact|trk_module|trk_msg|trk_sid|ttclid|twclid|utm_campaign|utm_content|utm_creative_format|utm_id|utm_marketing_tactic|utm_medium|utm_source|utm_source_platform|utm_term|wbraid|yclid|zanpid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=[-_A-z0-9+(){}%.]+&?", "");
+    if (req.url ~ "(\?|&)(_branch_match_id|srsltid|_bta_c|_bta_tid|_ga|_gl|_ke|_kx|campid|cof|customid|cx|dclid|dm_i|ef_id|epik|fbclid|gad_source|gbraid|gclid|gclsrc|gdffi|gdfms|gdftrk|hsa_acc|hsa_ad|hsa_cam|hsa_grp|hsa_kw|hsa_mt|hsa_net|hsa_src|hsa_tgt|hsa_ver|ie|igshid|irclickid|matomo_campaign|matomo_cid|matomo_content|matomo_group|matomo_keyword|matomo_medium|matomo_placement|matomo_source|mc_cid|mc_eid|mkcid|mkevt|mkrid|mkwid|msclkid|mtm_campaign|mtm_cid|mtm_content|mtm_group|mtm_keyword|mtm_medium|mtm_placement|mtm_source|nb_klid|ndclid|origin|pcrid|piwik_campaign|piwik_keyword|piwik_kwd|pk_campaign|pk_keyword|pk_kwd|redirect_log_mongo_id|redirect_mongo_id|rtid|sb_referer_host|ScCid|si|siteurl|s_kwcid|sms_click|sms_source|sms_uph|toolid|trk_contact|trk_module|trk_msg|trk_sid|ttclid|twclid|utm_campaign|utm_content|utm_creative_format|utm_id|utm_marketing_tactic|utm_medium|utm_source|utm_source_platform|utm_term|wbraid|yclid|zanpid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=") {
+        set req.url = regsuball(req.url, "(_branch_match_id|srsltid|_bta_c|_bta_tid|_ga|_gl|_ke|_kx|campid|cof|customid|cx|dclid|dm_i|ef_id|epik|fbclid|gad_source|gbraid|gclid|gclsrc|gdffi|gdfms|gdftrk|hsa_acc|hsa_ad|hsa_cam|hsa_grp|hsa_kw|hsa_mt|hsa_net|hsa_src|hsa_tgt|hsa_ver|ie|igshid|irclickid|matomo_campaign|matomo_cid|matomo_content|matomo_group|matomo_keyword|matomo_medium|matomo_placement|matomo_source|mc_cid|mc_eid|mkcid|mkevt|mkrid|mkwid|msclkid|mtm_campaign|mtm_cid|mtm_content|mtm_group|mtm_keyword|mtm_medium|mtm_placement|mtm_source|nb_klid|ndclid|origin|pcrid|piwik_campaign|piwik_keyword|piwik_kwd|pk_campaign|pk_keyword|pk_kwd|redirect_log_mongo_id|redirect_mongo_id|rtid|sb_referer_host|ScCid|si|siteurl|s_kwcid|sms_click|sms_source|sms_uph|toolid|trk_contact|trk_module|trk_msg|trk_sid|ttclid|twclid|utm_campaign|utm_content|utm_creative_format|utm_id|utm_marketing_tactic|utm_medium|utm_source|utm_source_platform|utm_term|wbraid|yclid|zanpid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=[-_A-z0-9+(){}%.]+&?", "");
         set req.url = regsub(req.url, "[?|&]+$", "");
     }
 

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -24,6 +24,11 @@ acl purge {
 }
 
 sub vcl_recv {
+    # Add support for Prismic preview functionality
+    if (req.http.Cookie ~ "io.prismic.preview") {
+        return (pass);
+    }
+
     # Remove empty query string parameters
     # e.g.: www.example.com/index.html?    
     if (req.url ~ "\?$") {

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -96,7 +96,7 @@ sub vcl_recv {
 
     # Remove all marketing get parameters to minimize the cache objects
     if (req.url ~ "(\?|&)(_branch_match_id|_bta_c|_bta_tid|_ga|_gl|_ke|_kx|campid|cof|customid|cx|dclid|dm_i|ef_id|epik|fbclid|gad_source|gbraid|gclid|gclsrc|gdffi|gdfms|gdftrk|hsa_acc|hsa_ad|hsa_cam|hsa_grp|hsa_kw|hsa_mt|hsa_net|hsa_src|hsa_tgt|hsa_ver|ie|igshid|irclickid|matomo_campaign|matomo_cid|matomo_content|matomo_group|matomo_keyword|matomo_medium|matomo_placement|matomo_source|mc_cid|mc_eid|mkcid|mkevt|mkrid|mkwid|msclkid|mtm_campaign|mtm_cid|mtm_content|mtm_group|mtm_keyword|mtm_medium|mtm_placement|mtm_source|nb_klid|ndclid|origin|pcrid|piwik_campaign|piwik_keyword|piwik_kwd|pk_campaign|pk_keyword|pk_kwd|redirect_log_mongo_id|redirect_mongo_id|rtid|sb_referer_host|ScCid|si|siteurl|s_kwcid|sms_click|sms_source|sms_uph|toolid|trk_contact|trk_module|trk_msg|trk_sid|ttclid|twclid|utm_campaign|utm_content|utm_creative_format|utm_id|utm_marketing_tactic|utm_medium|utm_source|utm_source_platform|utm_term|wbraid|yclid|zanpid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=") {
-        set req.url = regsuball(req.url, "(_branch_match_id|_bta_c|_bta_tid|_ga|_gl|_ke|_kx|campid|cof|customid|cx|dclid|dm_i|ef_id|epik|fbclid|gad_source|gbraid|gclid|gclsrc|gdffi|gdfms|gdftrk|hsa_acc|hsa_ad|hsa_cam|hsa_grp|hsa_kw|hsa_mt|hsa_net|hsa_src|hsa_tgt|hsa_ver|ie|igshid|irclickid|matomo_campaign|matomo_cid|matomo_content|matomo_group|matomo_keyword|matomo_medium|matomo_placement|matomo_source|mc_cid|mc_eid|mkcid|mkevt|mkrid|mkwid|msclkid|mtm_campaign|mtm_cid|mtm_content|mtm_group|mtm_keyword|mtm_medium|mtm_placement|mtm_source|nb_klid|ndclid|origin|pcrid|piwik_campaign|piwik_keyword|piwik_kwd|pk_campaign|pk_keyword|pk_kwd|redirect_log_mongo_id|redirect_mongo_id|rtid|sb_referer_host|ScCid|si|siteurl|s_kwcid|sms_click|sms_source|sms_uph|toolid|trk_contact|trk_module|trk_msg|trk_sid|ttclid|twclid|utm_campaign|utm_content|utm_creative_format|utm_id|utm_marketing_tactic|utm_medium|utm_source|utm_source_platform|utm_term|wbraid|yclid|zanpid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=[-_A-z0-9+()%.]+&?", "");
+        set req.url = regsuball(req.url, "(_branch_match_id|_bta_c|_bta_tid|_ga|_gl|_ke|_kx|campid|cof|customid|cx|dclid|dm_i|ef_id|epik|fbclid|gad_source|gbraid|gclid|gclsrc|gdffi|gdfms|gdftrk|hsa_acc|hsa_ad|hsa_cam|hsa_grp|hsa_kw|hsa_mt|hsa_net|hsa_src|hsa_tgt|hsa_ver|ie|igshid|irclickid|matomo_campaign|matomo_cid|matomo_content|matomo_group|matomo_keyword|matomo_medium|matomo_placement|matomo_source|mc_cid|mc_eid|mkcid|mkevt|mkrid|mkwid|msclkid|mtm_campaign|mtm_cid|mtm_content|mtm_group|mtm_keyword|mtm_medium|mtm_placement|mtm_source|nb_klid|ndclid|origin|pcrid|piwik_campaign|piwik_keyword|piwik_kwd|pk_campaign|pk_keyword|pk_kwd|redirect_log_mongo_id|redirect_mongo_id|rtid|sb_referer_host|ScCid|si|siteurl|s_kwcid|sms_click|sms_source|sms_uph|toolid|trk_contact|trk_module|trk_msg|trk_sid|ttclid|twclid|utm_campaign|utm_content|utm_creative_format|utm_id|utm_marketing_tactic|utm_medium|utm_source|utm_source_platform|utm_term|wbraid|yclid|zanpid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=[-_A-z0-9+(){}%.]+&?", "");
         set req.url = regsub(req.url, "[?|&]+$", "");
     }
 

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -95,8 +95,8 @@ sub vcl_recv {
     std.collect(req.http.Cookie);
 
     # Remove all marketing get parameters to minimize the cache objects
-    if (req.url ~ "(\?|&)(gbraid|gad_source|gclid|cx|_kx|ie|cof|siteurl|zanpid|nb_klid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=") {
-        set req.url = regsuball(req.url, "(gbraid|gad_source|gclid|cx|_kx|ie|cof|siteurl|zanpid|nb_klid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=[-_A-z0-9+()%.]+&?", "");
+    if (req.url ~ "(\?|&)(_branch_match_id|_bta_c|_bta_tid|_ga|_gl|_ke|_kx|campid|cof|customid|cx|dclid|dm_i|ef_id|epik|fbclid|gad_source|gbraid|gclid|gclsrc|gdffi|gdfms|gdftrk|hsa_acc|hsa_ad|hsa_cam|hsa_grp|hsa_kw|hsa_mt|hsa_net|hsa_src|hsa_tgt|hsa_ver|ie|igshid|irclickid|matomo_campaign|matomo_cid|matomo_content|matomo_group|matomo_keyword|matomo_medium|matomo_placement|matomo_source|mc_cid|mc_eid|mkcid|mkevt|mkrid|mkwid|msclkid|mtm_campaign|mtm_cid|mtm_content|mtm_group|mtm_keyword|mtm_medium|mtm_placement|mtm_source|nb_klid|ndclid|origin|pcrid|piwik_campaign|piwik_keyword|piwik_kwd|pk_campaign|pk_keyword|pk_kwd|redirect_log_mongo_id|redirect_mongo_id|rtid|sb_referer_host|ScCid|si|siteurl|s_kwcid|sms_click|sms_source|sms_uph|toolid|trk_contact|trk_module|trk_msg|trk_sid|ttclid|twclid|utm_campaign|utm_content|utm_creative_format|utm_id|utm_marketing_tactic|utm_medium|utm_source|utm_source_platform|utm_term|wbraid|yclid|zanpid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=") {
+        set req.url = regsuball(req.url, "(_branch_match_id|_bta_c|_bta_tid|_ga|_gl|_ke|_kx|campid|cof|customid|cx|dclid|dm_i|ef_id|epik|fbclid|gad_source|gbraid|gclid|gclsrc|gdffi|gdfms|gdftrk|hsa_acc|hsa_ad|hsa_cam|hsa_grp|hsa_kw|hsa_mt|hsa_net|hsa_src|hsa_tgt|hsa_ver|ie|igshid|irclickid|matomo_campaign|matomo_cid|matomo_content|matomo_group|matomo_keyword|matomo_medium|matomo_placement|matomo_source|mc_cid|mc_eid|mkcid|mkevt|mkrid|mkwid|msclkid|mtm_campaign|mtm_cid|mtm_content|mtm_group|mtm_keyword|mtm_medium|mtm_placement|mtm_source|nb_klid|ndclid|origin|pcrid|piwik_campaign|piwik_keyword|piwik_kwd|pk_campaign|pk_keyword|pk_kwd|redirect_log_mongo_id|redirect_mongo_id|rtid|sb_referer_host|ScCid|si|siteurl|s_kwcid|sms_click|sms_source|sms_uph|toolid|trk_contact|trk_module|trk_msg|trk_sid|ttclid|twclid|utm_campaign|utm_content|utm_creative_format|utm_id|utm_marketing_tactic|utm_medium|utm_source|utm_source_platform|utm_term|wbraid|yclid|zanpid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=[-_A-z0-9+()%.]+&?", "");
         set req.url = regsub(req.url, "[?|&]+$", "");
     }
 

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -48,7 +48,7 @@ sub vcl_recv {
     # Reduce grace to the configured setting if the backend is healthy
     # In case of an unhealthy backend, the original grace is used
     if (std.healthy(req.backend_hint)) {
-        set req.grace = /* {{ grace }} */s;
+        set req.grace = /* {{ grace_period }} */s;
     }
 
     if (req.method == "PURGE") {

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -95,8 +95,8 @@ sub vcl_recv {
     std.collect(req.http.Cookie);
 
     # Remove all marketing get parameters to minimize the cache objects
-    if (req.url ~ "(\?|&)(gad_source|gclid|cx|_kx|ie|cof|siteurl|zanpid|nb_klid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=") {
-        set req.url = regsuball(req.url, "(gad_source|gclid|cx|_kx|ie|cof|siteurl|zanpid|nb_klid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=[-_A-z0-9+()%.]+&?", "");
+    if (req.url ~ "(\?|&)(gbraid|gad_source|gclid|cx|_kx|ie|cof|siteurl|zanpid|nb_klid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=") {
+        set req.url = regsuball(req.url, "(gbraid|gad_source|gclid|cx|_kx|ie|cof|siteurl|zanpid|nb_klid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=[-_A-z0-9+()%.]+&?", "");
         set req.url = regsub(req.url, "[?|&]+$", "");
     }
 

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -95,8 +95,8 @@ sub vcl_recv {
     std.collect(req.http.Cookie);
 
     # Remove all marketing get parameters to minimize the cache objects
-    if (req.url ~ "(\?|&)(gad_source|gclid|cx|_kx|ie|cof|siteurl|zanpid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=") {
-        set req.url = regsuball(req.url, "(gad_source|gclid|cx|_kx|ie|cof|siteurl|zanpid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=[-_A-z0-9+()%.]+&?", "");
+    if (req.url ~ "(\?|&)(gad_source|gclid|cx|_kx|ie|cof|siteurl|zanpid|nb_klid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=") {
+        set req.url = regsuball(req.url, "(gad_source|gclid|cx|_kx|ie|cof|siteurl|zanpid|nb_klid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=[-_A-z0-9+()%.]+&?", "");
         set req.url = regsub(req.url, "[?|&]+$", "");
     }
 

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -95,8 +95,8 @@ sub vcl_recv {
     std.collect(req.http.Cookie);
 
     # Remove all marketing get parameters to minimize the cache objects
-    if (req.url ~ "(\?|&)(gclid|cx|_kx|ie|cof|siteurl|zanpid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=") {
-        set req.url = regsuball(req.url, "(gclid|cx|_kx|ie|cof|siteurl|zanpid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=[-_A-z0-9+()%.]+&?", "");
+    if (req.url ~ "(\?|&)(gad_source|gclid|cx|_kx|ie|cof|siteurl|zanpid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=") {
+        set req.url = regsuball(req.url, "(gad_source|gclid|cx|_kx|ie|cof|siteurl|zanpid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=[-_A-z0-9+()%.]+&?", "");
         set req.url = regsub(req.url, "[?|&]+$", "");
     }
 

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -41,7 +41,7 @@ sub vcl_recv {
     unset req.http.proxy;
 
     # Add X-Forwarded-Proto header when using https
-    if (!req.http.X-Forwarded-Proto && (std.port(server.ip) == 443) || std.port(server.ip) == 8443)) {
+    if (!req.http.X-Forwarded-Proto && (std.port(server.ip) == 443 || std.port(server.ip) == 8443)) {
         set req.http.X-Forwarded-Proto = "https";
     }
 

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -40,8 +40,8 @@ sub vcl_recv {
     # See https://httpoxy.org/    
     unset req.http.proxy;
 
-    # Add X-Forwarded-Proto header when using https as a fallback
-    if (!req.http.X-Forwarded-Proto && (std.port(server.ip) == 443)) {
+    # Add X-Forwarded-Proto header when using https
+    if (!req.http.X-Forwarded-Proto && (std.port(server.ip) == 443) || std.port(server.ip) == 8443)) {
         set req.http.X-Forwarded-Proto = "https";
     }
 

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -145,36 +145,40 @@ sub vcl_backend_response {
 	# Perform asynchronous revalidation while stale content is served
     set beresp.grace = 3d;
 
+    # All text-based content can be parsed as ESI
     if (beresp.http.content-type ~ "text") {
         set beresp.do_esi = true;
     }
 
+    # Allow GZIP compression on all JavaScript files and all text-based content
     if (bereq.url ~ "\.js$" || beresp.http.content-type ~ "text") {
         set beresp.do_gzip = true;
     }
-
+
+    # Add debug headers
     if (beresp.http.X-Magento-Debug) {
         set beresp.http.X-Magento-Cache-Control = beresp.http.Cache-Control;
     }
 
-    # cache only successfully responses and 404s that are not marked as private
-    if ((beresp.status != 200 && beresp.status != 404) || beresp.http.Cache-Control ~ "no-cache|no-store|private") {
+    # Only cache HTTP 200 and HTTP 404 responses
+    if (beresp.status != 200 && beresp.status != 404) {
+        set beresp.ttl = 120s;
         set beresp.uncacheable = true;
-        set beresp.ttl = 86400s;
         return (deliver);
     }
-
-    # validate if we need to cache it and prevent from setting cookie
-    if (beresp.ttl > 0s && (bereq.method == "GET" || bereq.method == "HEAD")) {
-        unset beresp.http.set-cookie;
-    }
-
-    # If the cache key in the Magento response doesn't match (which happens for example after user logs in, or changes store, or changes currency) the one that was sent in the request, don't cache under the request's key
+
+    # Don't cache if the request cache ID doesn't match the response cache ID for graphql requests
     if (bereq.url ~ "/graphql" && bereq.http.X-Magento-Cache-Id && bereq.http.X-Magento-Cache-Id != beresp.http.X-Magento-Cache-Id) {
        set beresp.ttl = 120s;
        set beresp.uncacheable = true;
        return (deliver);
     }
+
+    # Remove the Set-Cookie header for cacheable content
+    # Only for HTTP GET & HTTP HEAD requests
+    if (beresp.ttl > 0s && (bereq.method == "GET" || bereq.method == "HEAD")) {
+        unset beresp.http.Set-Cookie;
+    }
 }
 
 sub vcl_deliver {

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -145,32 +145,35 @@ sub vcl_backend_response {
 	# Perform asynchronous revalidation while stale content is served
     set beresp.grace = 3d;
 
-    # All text-based content can be parsed as ESI
     if (beresp.http.content-type ~ "text") {
         set beresp.do_esi = true;
     }
 
-    # Allow GZIP compression on all JavaScript files and all text-based content
     if (bereq.url ~ "\.js$" || beresp.http.content-type ~ "text") {
         set beresp.do_gzip = true;
     }
-
-    # Add debug headers
+
     if (beresp.http.X-Magento-Debug) {
         set beresp.http.X-Magento-Cache-Control = beresp.http.Cache-Control;
     }
 
-    # Only cache HTTP 200 and HTTP 404 responses
-    if (beresp.status != 200 && beresp.status != 404) {
-        set beresp.ttl = 120s;
+    # cache only successfully responses and 404s that are not marked as private
+    if ((beresp.status != 200 && beresp.status != 404) || beresp.http.Cache-Control ~ "no-cache|no-store|private") {
         set beresp.uncacheable = true;
+        set beresp.ttl = 86400s;
         return (deliver);
     }
 
-    # Remove the Set-Cookie header for cacheable content
-    # Only for HTTP GET & HTTP HEAD requests
+    # validate if we need to cache it and prevent from setting cookie
     if (beresp.ttl > 0s && (bereq.method == "GET" || bereq.method == "HEAD")) {
-        unset beresp.http.Set-Cookie;
+        unset beresp.http.set-cookie;
+    }
+
+    # If the cache key in the Magento response doesn't match (which happens for example after user logs in, or changes store, or changes currency) the one that was sent in the request, don't cache under the request's key
+    if (bereq.url ~ "/graphql" && bereq.http.X-Magento-Cache-Id && bereq.http.X-Magento-Cache-Id != beresp.http.X-Magento-Cache-Id) {
+       set beresp.ttl = 120s;
+       set beresp.uncacheable = true;
+       return (deliver);
     }
 }
 
@@ -201,4 +204,4 @@ sub vcl_deliver {
     unset resp.http.X-Varnish;
     unset resp.http.Via;
     unset resp.http.Link;
-}
+}
diff --git a/varnish6.vcl b/varnish6.vcl
@@ -145,35 +145,32 @@ sub vcl_backend_response {
 	# Perform asynchronous revalidation while stale content is served
     set beresp.grace = 3d;
 
+    # All text-based content can be parsed as ESI
     if (beresp.http.content-type ~ "text") {
         set beresp.do_esi = true;
     }
 
+    # Allow GZIP compression on all JavaScript files and all text-based content
     if (bereq.url ~ "\.js$" || beresp.http.content-type ~ "text") {
         set beresp.do_gzip = true;
     }
-
+
+    # Add debug headers
     if (beresp.http.X-Magento-Debug) {
         set beresp.http.X-Magento-Cache-Control = beresp.http.Cache-Control;
     }
 
-    # cache only successfully responses and 404s that are not marked as private
-    if ((beresp.status != 200 && beresp.status != 404) || beresp.http.Cache-Control ~ "no-cache|no-store|private") {
+    # Only cache HTTP 200 and HTTP 404 responses
+    if (beresp.status != 200 && beresp.status != 404) {
+        set beresp.ttl = 120s;
         set beresp.uncacheable = true;
-        set beresp.ttl = 86400s;
         return (deliver);
     }
 
-    # validate if we need to cache it and prevent from setting cookie
+    # Remove the Set-Cookie header for cacheable content
+    # Only for HTTP GET & HTTP HEAD requests
     if (beresp.ttl > 0s && (bereq.method == "GET" || bereq.method == "HEAD")) {
-        unset beresp.http.set-cookie;
-    }
-
-    # If the cache key in the Magento response doesn't match (which happens for example after user logs in, or changes store, or changes currency) the one that was sent in the request, don't cache under the request's key
-    if (bereq.url ~ "/graphql" && bereq.http.X-Magento-Cache-Id && bereq.http.X-Magento-Cache-Id != beresp.http.X-Magento-Cache-Id) {
-       set beresp.ttl = 120s;
-       set beresp.uncacheable = true;
-       return (deliver);
+        unset beresp.http.Set-Cookie;
     }
 }
 

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -1,3 +1,4 @@
+# A number of these changes come form the following PR's; , combines changes in https://github.com/magento/magento2/pull/29360, https://github.com/magento/magento2/pull/28944 and https://github.com/magento/magento2/pull/28894, https://github.com/magento/magento2/pull/35228, https://github.com/magento/magento2/pull/36524, https://github.com/magento/magento2/pull/34323
 # VCL version 5.0 is not supported so it should be 4.0 even though actually used Varnish version is 6
 vcl 4.1;
 

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -157,7 +157,7 @@ sub vcl_backend_response {
     }
 
     # cache only successfully responses and 404s that are not marked as private
-    if ((beresp.status != 200 && beresp.status != 404) || beresp.http.Cache-Control ~ "private") {
+    if ((beresp.status != 200 && beresp.status != 404) || beresp.http.Cache-Control ~ "no-cache|no-store|private") {
         set beresp.uncacheable = true;
         set beresp.ttl = 86400s;
         return (deliver);

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -157,7 +157,7 @@ sub vcl_backend_response {
     }
 
     # cache only successfully responses and 404s that are not marked as private
-    if (beresp.status != 200 && beresp.status != 404) {
+    if ((beresp.status != 200 && beresp.status != 404) || beresp.http.Cache-Control ~ "private") {
         set beresp.uncacheable = true;
         set beresp.ttl = 86400s;
         return (deliver);

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -157,7 +157,7 @@ sub vcl_backend_response {
     }
 
     # cache only successfully responses and 404s that are not marked as private
-    if ((beresp.status != 200 && beresp.status != 404) || beresp.http.Cache-Control ~ "private") {
+    if (beresp.status != 200 && beresp.status != 404) {
         set beresp.uncacheable = true;
         set beresp.ttl = 86400s;
         return (deliver);

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -140,6 +140,8 @@ sub vcl_hash {
 }
 
 sub vcl_backend_response {
+	# Serve stale content for three days after object expiration
+	# Perform asynchronous revalidation while stale content is served
     set beresp.grace = 3d;
 
     if (beresp.http.content-type ~ "text") {

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -125,9 +125,6 @@ sub vcl_hash {
 
     # To make sure http users don't see ssl warning
     hash_data(req.http./* {{ ssl_offloaded_header }} */);
-
-    # Create cache variations depending on the request protocol when mixed mode is used
-    hash_data(req.http.X-Forwarded-Proto);
 
     /* {{ design_exceptions_code }} */
 

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -119,7 +119,7 @@ sub vcl_recv {
 }
 
 sub vcl_hash {
-    if ((req.url !~ "/graphql" || !req.http.X-Magento-Cache-Id) && req.http.cookie ~ "X-Magento-Vary=") {
+    if (req.url !~ "/graphql" && req.http.cookie ~ "X-Magento-Vary=") {
         hash_data(regsub(req.http.cookie, "^.*?X-Magento-Vary=([^;]+);*.*$", "\1"));
     }
 

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -110,8 +110,8 @@ sub vcl_recv {
         #unset req.http.Cookie;
     }
 
-    # Bypass authenticated GraphQL requests without a X-Magento-Cache-Id
-    if (req.url ~ "/graphql" && !req.http.X-Magento-Cache-Id && req.http.Authorization ~ "^Bearer") {
+    # Don't cache the authenticated GraphQL requests
+    if (req.url ~ "/graphql" && req.http.Authorization ~ "^Bearer") {
         return (pass);
     }
 
@@ -134,11 +134,6 @@ sub vcl_hash {
     if (req.url ~ "/graphql") {
         if (req.http.X-Magento-Cache-Id) {
             hash_data(req.http.X-Magento-Cache-Id);
-
-            # When the frontend stops sending the auth token, make sure users stop getting results cached for logged-in users
-            if (req.http.Authorization ~ "^Bearer") {
-                hash_data("Authorized");
-            }
         } else {
             # if no X-Magento-Cache-Id (which already contains Store & Currency) is not set, use the HTTP headers
             hash_data(req.http.Store);

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -174,7 +174,7 @@ sub vcl_backend_response {
         unset beresp.http.set-cookie;
     }
 
-    # If the cache key in the Magento response doesn't match the one that was sent in the request, don't cache under the request's key
+    # If the cache key in the Magento response doesn't match (which happens for example after user logs in, or changes store, or changes currency) the one that was sent in the request, don't cache under the request's key
     if (bereq.url ~ "/graphql" && bereq.http.X-Magento-Cache-Id && bereq.http.X-Magento-Cache-Id != beresp.http.X-Magento-Cache-Id) {
        set beresp.ttl = 120s;
        set beresp.uncacheable = true;

diff --git a/varnish6.vcl b/varnish6.vcl
@@ -132,23 +132,19 @@ sub vcl_hash {
     /* {{ design_exceptions_code }} */
 
     if (req.url ~ "/graphql") {
-        call process_graphql_headers;
-    }
-}
-
-sub process_graphql_headers {
-    if (req.http.X-Magento-Cache-Id) {
-        hash_data(req.http.X-Magento-Cache-Id);
-
-        # When the frontend stops sending the auth token, make sure users stop getting results cached for logged-in users
-        if (req.http.Authorization ~ "^Bearer") {
-            hash_data("Authorized");
+        if (req.http.X-Magento-Cache-Id) {
+            hash_data(req.http.X-Magento-Cache-Id);
+
+            # When the frontend stops sending the auth token, make sure users stop getting results cached for logged-in users
+            if (req.http.Authorization ~ "^Bearer") {
+                hash_data("Authorized");
+            }
+        } else {
+            # if no X-Magento-Cache-Id (which already contains Store & Currency) is not set, use the HTTP headers
+            hash_data(req.http.Store);
+            hash_data(req.http.Content-Currency);
         }
     }
-
-    hash_data(req.http.Store);
-
-    hash_data(req.http.Content-Currency);
 }
 
 sub vcl_backend_response {