« Back to Index

[varnish hit-for-pass explanation]

View original Gist on GitHub

Tags: #varnish #vcl

varnish hit-for-pass explanation.md

Hit For Pass

You may notice in vcl_fetch some logic like:

if (beresp.http.Cache-Control ~ "private") {
  return(pass);
}

The reason we return(pass) is because we don’t want to cache this content (because we can see the response headers tell us it should be “private”).

But in doing so varnish does still create an object and caches it?

The object it creates is called “hit-for-pass” and it has a ttl of 120s.

Note: the ttl can be changed using vcl but it should be kept small

The reason varnish does this is because if it didn’t, then when the content is not cached and another request is made for that content, we would find that “request collapsing” starts causing an issue.

Request collapsing is where varnish blocks requests for the same uncached content in order to prevent overloading your origin. But in the case of uncachable content, users are blocked waiting for another request to complete only to find that the request wasn’t cached and so the request is made again for the current user.

As you can imagine, this is very bad because the requests for this uncachable content has resulted in sequential processing.

So when we “pass” inside of vcl_fetch varnish prevents this bad sequential processing. It does this creating a “hit-for-pass” object which has a short ttl of 120s, and so for the next 120s any requests for this same resource will not result in request collapsing (i.e. user requests to origin will not be blocked waiting for an already “in-flight” origin request to complete). Meaning, all requests will be sent straight through to the origin.

Note: you’ll see in vcl_hit it looks out for obj.cacheable being false and subsequently executes return(pass) to allow the request to flow through to origin. When Varnish executes return(pass) inside of vcl_fetch it caches the “hit-for-pass” object with the cacheable attribute set to false.

The reason the ttl is supposed to be short is because for that ttl time period your origin is susceptible to multiple requests.

See the following link for a more detailed explanation:
https://info.varnish-software.com/blog/hit-for-pass-varnish-cache