Don't forget to change it when merging both

beware, varnish resolves the IP of the domain at boot time and keep it till the end of process.
If the IP of nginx changes (for instance when the container restarts) varnish won't be able to route traffic to the new container

Do you know a workaround for this?

Several people use a local nginx configured in proxy pass.
Varnish point to nginx 127.0.0.1, and nginx performs the DNS resolution on the fly.
Some other use a script in charge of reloading varnish when the I'm change.

None is ideal to me.

In dev environment, I just restart my container, in production we use a local nginx

I suggest to let it as is for now. WDYT?

I use https://github.com/nigoroll/libvmod-dynamic.

Why? Shouldn't be an issue if the invalidator works well.
If it don't, you'll not going on prod.

It hurts the DX. When you change the code in dev, you want the new code to be executed even if the underlying resource has not been modified.

What's about 405?

I wonder if we shouldn't remove the s-max-age header too.
With this new tag feature, the app sets an arbitrary value because we known we'll be able to invalidate the varnish. Which is fine.

BUT what if an other unknown proxy is on the path? (see "proxy cache" in this old version of the documentation http://symfony.com/doc/2.2/book/http_cache.html#types-of-caches)

We should use a custom header like X-Reverse-Proxy-TTL instead of abusing s-max-age.

For instance, when using CloudFlare, the s-max-age header should be set too. I propose to keep it as is for now too. We'll see when we'll get some feedback.

We must not set an incorrect s-max-age. It's 100% dangerous. If the user needs to do that for CloudFlare, they should set it themselves (or we should provide some easy way of setting it).

I don't get your point, we don't set this value automatically, it's up to the user. We just provide a good default when using the Varnish image.

Alright. I see that the default configuration doesn't set maxage and s-maxage, so we're safe. 😄

https://github.com/api-platform/core/blob/9fa028903d1df02011c2b75504b87d1e975e7b70/src/Bridge/Symfony/Bundle/DependencyInjection/Configuration.php#L123

But we provide an unsafe default in api-platform/api-platform. A good default is a safe default. 😞

So my suggestion is that we should use a custom header, e.g. Reverse-Proxy-TTL

Simply because the HTTP cache mechanism is not designed with reverse caching proxies in mind, so it's not the right tool for the job.

My concern is that this custom header will not be taken into account by Cloudflare. Maybe can we set the smaxage as we currently do but remove it with Varnish before the request go outside our network?

If CloudFlare uses s-maxage, let the user change the shared_max_age option that we already provide in the bundle config. It's not a safe default, and the default setup in api-platform/api-platform uses Varnish anyway, not CloudFlare.

Quote ?