Ref https://confluence.ez.no/display/EZP52/Using+Varnish :

1. "Do a standard lookup on assets"
instead of using the url suffix to determine if an incoming request is for a static resource, we should use the url prefix instead (if possible).
This because some custom eZ modules might be used to generate dynamic css/js/etc... and they would also benefit of being served with the userhash

2. "x-forwarded-for"
instead of removing any such IP sent by the user browser, we just add the true IP to it.
Is this correct/safe for both the case where there is a further proxy in fornt of Varnish and for the case where there is none?
(asking because generally security guidelines tell to remove any x-forwarded-for header from upstream)

3. "vary: x-user-hash"
This is not in the vcl, but is a header sent by eZPublish with http responses.
We should probably remove this one from outgoing responses, for best performances and cleanliness

4. deny any incoming request which looks like a request for user-hash generation

5. check if it is possible to connect directly to memcache to retrieve userhash instead of connecting to ez

6. curl subrequest should specify original host:

curl.header_add("Host: " + req.http.Host);