Varnish poisoned cache avoidance

pub crawler pubcrawler.com at gmail.com
Sun Jan 10 11:59:06 CET 2010


Thanks Ken, your input is very valuable to me.  There's so much to
learn from others using Varnish. Very impressed with Varnish and the
community.

I took the approach of blocking IPs at firewall level to protect our
app servers.  Lots of these banned IPs are malicious, hack attempts -
others are repetitive comment spammer bots.   Every request that gets
past the firewall consumes resources of our web server, reverse proxy,
app server, database, etc.   When multiplied, the consumption is
enormous and unnecessary.  I am moving more towards an escalation
process where the first time you get banned for a short time at the app
server, then it increases and moves up the server stack until you are
finally banned at the firewall.  It's a dance to keep control and
management of this at an application level while feeding block info to
various parts of our systems.

I have to look at our applications and add cache pragma or expires
information.   I am not in control of all aspects of our programs due
to third party applications and other folks' code in our environment.

That's why I thought having Varnish cache everything regardless of
cookies and headers was the way to go.  Then simply provide a list of
URLs to not cache.   Can this be done?

> As an alternate IP blocking implementation, you could create a list of banned IPs in a file
> that your VCL includes; a Varnish reload causes essentially no outage.  But then you're
> adding an extra linear lookup for /every/ hit to Varnish.

Does anyone have an example on how to do a VCL include to facilitate
this banning of IPs?

Thanks so much!
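As an added illustration of the two things asked about above (an included banned-IP file and a "cache everything except this URL list" policy), here is a complete VCL configuration. It is not code from this thread or from the Varnish project; it is written in VCL 4.0 syntax (the thread predates that, and Varnish 2 used `error 403` instead of `return (synth(...))`), and the backend address, the banned.vcl path and contents, the do-not-cache URL pattern and the 10 minute TTL are all assumed values.

```vcl
vcl 4.0;

# Banned-IP list kept in its own file so the application can regenerate it
# and Varnish can pick it up with a VCL reload instead of a restart.
# Assumed contents of banned.vcl (addresses from the RFC 5737 documentation
# ranges, chosen for this example):
#   acl banned {
#       "192.0.2.10";
#       "198.51.100.0"/24;
#   }
include "banned.vcl";

backend default {           # assumed location of the application server
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Reject banned clients before any cache lookup or backend work is done.
    if (client.ip ~ banned) {
        return (synth(403, "Forbidden"));
    }

    # Only GET and HEAD are cacheable; everything else goes straight through.
    if (req.method != "GET" && req.method != "HEAD") {
        return (pass);
    }

    # Requests carrying HTTP auth are never shared between clients.
    if (req.http.Authorization) {
        return (pass);
    }

    # Do-not-cache list: URLs whose responses are specific to one user.
    # These paths are assumed; the real list must cover every URL that
    # varies per user, because cookies are dropped for all other requests.
    if (req.url ~ "^/(admin|login|logout|account|cart)(/|\?|$)") {
        return (pass);
    }

    # Cache everything else regardless of cookies: strip them so that all
    # clients share one cache object per URL.
    unset req.http.Cookie;
    return (hash);
}

sub vcl_backend_response {
    # Passed requests keep their Set-Cookie and caching headers untouched.
    if (bereq.uncacheable) {
        return (deliver);
    }

    # For cacheable responses ignore the backend's own caching hints:
    # drop Set-Cookie and force a fixed TTL. Returning deliver here skips
    # the built-in logic that would otherwise mark the object uncacheable
    # on a "private" or "no-store" Cache-Control header.
    unset beresp.http.Set-Cookie;
    set beresp.ttl = 10m;
    return (deliver);
}
```

After regenerating banned.vcl, the new list is activated without an outage by loading the main file under a fresh name with `varnishadm vcl.load <name> <file>` followed by `varnishadm vcl.use <name>`. The security point to keep in mind with the cache-everything approach is that once cookies are stripped before the lookup, the first response stored for a URL is what every later client receives, so any URL whose content depends on who is asking must be in the pass list or it will leak that user's page to others.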
