## Varnish version: 3.0.7-1~trusty
acl  Blacklist {
 "172.16.54.2";
 "10.0.0.25";
 "192.168.0.1";
 }
backend default {
    .host = "<webserver-IP";
    .port = "80";
    .connect_timeout = 120s;
    .first_byte_timeout = 120s;
    .between_bytes_timeout = 120s;
}
acl purge {
  "localhost";
  "127.0.0.1";
  "<IP1>";
  "<Network-IP1>"/28;
  "<Network-IP2>"/28;
}
acl passem {
#        "194.xxx.xxx.xxx";  ## Office Public IP
}
## VARNISH PURGE PLUGIN -- begin -- ##
# Regex purging
# Treat the request URL as a regular expression.
sub purge_regex {
  ban("obj.http.X-Req-URL ~ " + req.url + " && obj.http.X-Req-Host == " + req.http.host);
}

# Page purging (default)
# Use the exact request URL, but ignore any query params
sub purge_page {
  set req.url = regsub(req.url, "\?.*$", "");
  ban("obj.http.X-Req-URL-Base == " + req.url + " && obj.http.X-Req-Host == " + req.http.host);
}
## VARNISH PURGE PLUGIN -- end -- ##

## VARNISH MOBILE DETECTION -- begin -- ##
sub detect_device {
  # Define the desktop device
  set req.http.X-Device = "desktop";

  if (req.http.User-Agent ~ "iP(hone|od)" || req.http.User-Agent ~ "Android" || req.http.User-Agent ~ "iPad") {
    # Define smartphones and tablets
    set req.http.X-Device = "smart";
  }

  elseif (req.http.User-Agent ~ "SymbianOS" || req.http.User-Agent ~ "^BlackBerry" || req.http.User-Agent ~ "^SonyEricsson" || req.http.User-Agent ~ "^Nokia" ||
  req.http.User-Agent ~ "^SAMSUNG" || req.http.User-Agent ~ "^LG") {
    # Define every other mobile device
    set req.http.X-Device = "other";
  }
}
## VARNISH MOBILE DETECTION -- end -- ##

sub vcl_recv {

  call detect_device;

  # Shortcut for DFind requests
  if (req.url ~ "^/w00tw00t") {
    error 404 "Not Found";
  }
  if ( (client.ip ~ Blacklist) ) {
  error 403 "Access denied";
  }
  if(req.url ~ "/xmlrpc.php"){
    error 403 "Access denied";
  }
  if(req.url ~ "127.0.0.1"){
    error 404 "Access denied";
  }
# Compatibility with Apache format log
  if (req.restarts == 0) {
    if (req.http.x-forwarded-for) {
      set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
    } else {
        set req.http.X-Forwarded-For = client.ip;
      }
  }

  if (req.request != "GET" &&
    req.request != "HEAD" &&
    req.request != "PUT" &&
    req.request != "POST" &&
    req.request != "TRACE" &&
    req.request != "OPTIONS" &&
    req.request != "DELETE" &&
    req.request != "PURGE") {
      return (pipe);
    }
    # normalize Aceept-Encoding header
    # http://varnish.projects.linpro.no/wiki/FAQ/Compression
    if (req.http.Accept-Encoding) {
        if (req.url ~ "\.(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|swf|flv)$") {
            # No point in compressing these
            remove req.http.Accept-Encoding;
        } elsif (req.http.Accept-Encoding ~ "gzip") {
            set req.http.Accept-Encoding = "gzip";
        } elsif (req.http.Accept-Encoding ~ "deflate" && req.http.user-agent !~ "MSIE") {
            set req.http.Accept-Encoding = "deflate";
        } else {
            # unkown algorithm
            remove req.http.Accept-Encoding;
        }
    }

## VARNISH PURGE PLUGIN -- begin -- ##
  if (req.request == "PURGE" || req.request == "BAN") {
    if (client.ip !~ purge) {
      error 405 "Not allowed.";
    }

    if (req.http.X-Purge-Method) {
      if (req.http.X-Purge-Method ~ "(?i)regex") {
        call purge_regex;
      } else {
        call purge_page;
      }
    } else {
      # No X-Purge-Method header was specified.
      # Do our best to figure out which one they want.
      if (req.url ~ "\.\*" || req.url ~ "^\^" || req.url ~ "\$$" || req.url ~ "\\[.?*+^$|()]") {
        call purge_regex;
      } else {
        call purge_page;
      }
    }
    error 200 "Purged.";
  }
## VARNISH PURGE PLUGIN -- end -- ##

### RETURN PASS  -- begin -- ###
# if (req.http.Authorization || req.http.Cookie) {
 # Not cacheable by default
#  return (pass);
# }

# Exit cache if remote IP matches
  if (client.ip ~ passem) {
    return (pass);
  }

  # Don't cache ajax requests
  if(req.http.X-Requested-With == "XMLHttpRequest" || req.url ~ "nocache" || req.request == "POST" || req.url ~ "(routes.php|control.php|wp-comments-post.php|wp-login.php|bb-login.php|bb-reset-password.php|register.php)") {
      return (pass);
  }

  if (req.url ~ "/wp-(login|admin)") {
    return (pass);
  }

  # Dont cache the RSS feed
  if (req.url ~ "feed") {
    return (pass);
  }



# Don't cache sitemap.xml
  if(req.url ~ "/sitemap.xml"){
    return (pass);
  }

  if (req.url ~ "/wp-(login|admin)") {
    return (pass);
  }

### RETURN PASS  -- end -- ###

# shortcut for DFind requests
  if (req.url ~ "^/w00tw00t") {
        error 404 "Not Found";
  }

  if (req.http.cookie ~ "(wordpress_|wp-settings-|no_cache)") {
      return(pass);
  } else {
      unset req.http.cookie;
      return(lookup);
  }
}

sub vcl_hash {
  #Existing hash configuration

  # And then add the device to the hash (if its a mobile device)
  if (req.http.X-Device ~ "smart" || req.http.X-Device ~ "other") {
#    set req.hash += req.http.X-Device;
    hash_data(req.http.X-Device);
  }
}

sub vcl_fetch {
# Pass basic auth for Apache
#if (req.http.Authorization || req.http.Authenticate) {
#  return (hit_for_pass);
#}

  # VARNISH PURGE
  set beresp.http.X-Req-Host = req.http.host;
  set beresp.http.X-Req-URL = req.url;
  set beresp.http.X-Req-URL-Base = regsub(req.url, "\?.*$", "");
  # VARNISH PURGE

  # Remove User-Agent before caching
  if (beresp.http.Vary ~ "User-Agent") {
    unset beresp.http.Vary;
  }

  if (req.url ~ "(wp-(login|admin)|logout)" || req.url ~ "preview=true" || req.url ~ "xmlrpc.php" || req.request == "POST") {
    return (hit_for_pass);
  }
  if (req.request == "GET" ) {
    unset beresp.http.set-cookie;
  }
  if (req.url ~ "\.(gif|jpg|jpeg|swf|css|js|flv|mp3|mp4|pdf|ico|png)(\?.*|)$") {
    set beresp.ttl = 4h;
  }
  if (beresp.http.Content-Type ~ "text/html" || beresp.http.Content-Type ~ "text/xml" || beresp.http.Content-Type ~ "text/htm"){
    set beresp.ttl = 15m;
  }
  set beresp.grace = 6h;
}

sub vcl_deliver {

# multi-server webfarm? set a variable here so you can check
# the headers to see which frontend served the request
#   set resp.http.X-Server = "server-01";
  if (obj.hits > 0) {
     set resp.http.X-Cache = "HIT";
     set resp.http.X-Cache-Hits = obj.hits;
  } else {
     set resp.http.X-Cache = "MISS";
  }

  # Remove some headers: PHP version
  unset resp.http.X-Powered-By;

  # Remove some headers: Apache version & OS
  unset resp.http.Server;

  # Remove some heanders: Varnish
  unset resp.http.Via;
  unset resp.http.X-Varnish;

  # VARNISH PURGE
  unset resp.http.X-Req-Host;
  unset resp.http.X-Req-URL;
  unset resp.http.X-Req-URL-Base;
  # VARNISH PURGE

  return (deliver);
}
sub vcl_error {
  set obj.http.Content-Type = "text/html; charset=utf-8";
  if (obj.status == 404) {
      synthetic {"
        <!DOCTYPE html>
        <html>
            <head>
                <title>404 Access denied!</title>
            </head>
            <body>
                <h1>Error 404 Access denied!</h1>
                <p>Access Denied</p>
            </body>
        </html>
      "};
  } else {
      synthetic {"
        <!DOCTYPE html>
        <html>
            <head>
                <title>An Error has accurred</title>
            </head>
            <body>
                <h1>An Error has accurred</h1>
                <p></p>
            </body>
        </html>
      "};
  }
  return (deliver);
}