add varnish

abra.sh

@@ -1,4 +1,32 @@
 export APP_ENTRYPOINT_VERSION=v1
 export PG_BACKUP_VERSION=v4
 export MEILI_BACKUP_VERSION=v4
+export NGINX_CONF_VERSION=eaaa
+export VARNISH_CONFIG_VERSION=baac
 
+# Bonfire.Common.Cache.HTTPPurge.bust_http_urls("/post_comments/01KHRMPNKXH659SPB55EY7R1K9")
+
+# varnishlog -g raw
+
+# defmodule Bonfire.UI.Common.Cache.HTTPPurge.Varnish do
+#   @moduledoc """
+#   HTTP cache purge adapter for Varnish.
+
+#   Configured via `VARNISH_URL` env var (default: `http://localhost:80`),
+#   which is resolved at startup in `Bonfire.Common.RuntimeConfig`.
+
+#   Tag-based purging (`bust_tags/1`) requires the `xkey` vmod and is not
+#   implemented here — extend if your Varnish setup supports it.
+#   """
+
+#   @behaviour Bonfire.Common.Cache.HTTPPurge
+#   use Untangle
+
+#   def bust_urls(urls) when is_list(urls) do
+#     Enum.each(urls, &purge_one/1)
+#     :ok
+#   end
+
+#   def bust_tags(_tags), do: :ok
+
+#   defp purge_one(path) do

compose.yml

@@ -2,6 +2,35 @@
 version: "3.8"
 
 services:
+  varnish:
+    image: varnish:stable
+    environment:
+      - STACK_NAME
+      - VARNISH_SIZE=2G
+    networks:
+    - proxy
+    - internal
+    command: "-p default_keep=300 -p thread_pool_min=50 -p thread_pool_max=1000 -p thread_pools=2 -p listen_depth=2048 -p http_resp_hdr_len=65536"
+    configs:
+     - source: varnish_config
+       target: /etc/varnish/default.vcl
+
+    ulimits:
+      nofile:
+        soft: 65536
+        hard: 65536
+
+    deploy:
+      restart_policy:
+        condition: on-failure
+      labels:
+       - "backupbot.backup=false"
+       - "traefik.enable=true"
+       - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
+       - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
+       - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+       - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+
   app:
     image: ${APP_DOCKER_IMAGE}
     logging:
@@ -17,6 +46,8 @@ services:
       - POSTGRES_DB=bonfire_db
       - PUBLIC_PORT=443
       - MIX_ENV=prod
+      # - VARNISH_URL=http://${STACK_NAME}_varnish:80
+      - VARNISH_URL=https://${DOMAIN}
       
       - HOSTNAME
       - INSTANCE_DESCRIPTION
@@ -108,7 +139,7 @@ services:
 
       - ORCID_CLIENT_ID
       - ORCID_CLIENT_SECRET
-      
+
     secrets:
       - postgres_password
       - secret_key_base
@@ -121,7 +152,6 @@ services:
       - upload-data:/opt/app/data/uploads
       # - backup-data:/opt/app/data/backup
     networks:
-      - proxy
       - internal
     entrypoint: ["/docker-entrypoint.sh", "./bin/bonfire", "start"]
     configs:
@@ -135,16 +165,6 @@ services:
         - "backupbot.backup=${ENABLE_BACKUPS:-true}"
         #- backupbot.backup.volumes.upload-data: "true"
         #- backupbot.backup.volumes.upload-data.path: "/opt/app/data/uploads"
-        - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=4000"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
-        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        #- "traefik.http.routers.${STACK_NAME}.middlewares=error-pages-middleware"
-        #- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
-        #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
-        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
     # healthcheck:
     #   test: ["CMD", "curl", "-f", "http://localhost"]
     #   interval: 30s
@@ -210,6 +230,14 @@ configs:
   pg_backup:
     name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
     file: pg_backup.sh
+  # nginx_conf:
+  #   name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION}
+  #   file: nginx.conf.tmpl
+  #   template_driver: golang
+  varnish_config:
+    name: ${STACK_NAME}_varnish_config_${VARNISH_CONFIG_VERSION}
+    file: default.vcl.tmpl
+    template_driver: golang
 
 secrets:
   postgres_password:

default.vcl.tmpl

@@ -0,0 +1,23 @@
+vcl 4.1;
+
+backend default {
+    .host = "{{ env "STACK_NAME" }}_app";
+    .port = "4000";
+}
+
+sub vcl_recv {
+	if (req.method == "PURGE" || req.method == "purge") {
+        return (purge);
+	}
+
+    if (req.http.upgrade ~ "(?i)websocket") {
+        return (pipe);
+    }
+}
+
+sub vcl_pipe {
+    if (req.http.upgrade) {
+        set bereq.http.upgrade = req.http.upgrade;
+        set bereq.http.connection = req.http.connection;
+    }
+}