VConf.SET can be used to customise Peakhour.IO request/response handling. For example you might want to customise CDN caching options for your checkout process, use an alternate origin or modify WAF behaviour.



Enable or disable GZIP


Support websocket protocol.

Track sessions#

Set session id cookie if enabled. Allows to track what request were made by client during one session


Enable debug mode for host to send some special response headers to client.



Insert beacon script into rewritten html if transform_html is enabled as well.


Use lazy_sizes.js to lazy load images on page if transform_html is enabled.


Space separated list of =original:replacement= names to replace in HTML pages if transform_html option is enabled. Both =original= and =replacement= are domain names followed by optional =/subdir=.


HTTP redirect location#

Redirect to URL if set.

HTTP redirect status code#

If HTTP redirect location is set then redirect with given status code (normally either 301 (default) or 302).



Cache responses from origin.

CDN enabled#

Enable caching of content. Content is cached based on the Cache-Control header.

CDN query mode#

Criteria to use when considering and storing fetched resources and query string behaviour.

Setting Description
none don't cache resources with a query string
full cache resources using the full query string
strip cache resources but strip the query string

Implicit cache TTL#

In seconds. Specify the lifetime of cached objects.

Skip CDN if request has cookie matching given pattern. Pattern can contain * to match zero or more symbols and | to separate matches.

CDN remove query args#

Remove given query arguments with its values from request path before looking up CDN resource. Value is comma-separated list of argument names.

Cache subkey vars#

Use additional variables to construct cache key in addition to host/path. Accepts |-separated list of key[:value] variables.

Scheme Description
query cache based on query string, cache key is based on query string
header_present cache based on request header present, cache key is based on header name
header accepts request header name as value, cache key is constructed based on header value
language cache based on Accept-Language, cache key is constructed based on first value of header

Cache strip cookies#

Strip Set-Cookie headers from stored responses and Cookie from outgoing requests to potentially cacheable resources.

Cache strip set-cookies#

Strip Set-Cookie headers from cached responses.

Cache require cache control#

Skip cache store if enabled and no Cache-Control header was found in the response.

Cache ignore request cache control#

Ignore Cache-Control request directives. Useful to avid bypassing cache with max-age=0 or no-cache. Always serve cached response if present.

Edge TTL sec#

Force cache resources for at least given seconds. If resource can be cached for longer (because allowed by cache control or implicit cache ttl) then cache it for longer than given value. Zero value (default) honors origin resource headers. The value is internal and not visible to clients, they still get original headers.

Browser TTL sec#

Override Cache-Control: max-age for cached contents to have at least given value. Negative value (default) honors origin resource headers. Zero value means cached resources are not allowed to be cached by clients (max-age=0).

Force cache#

Force cache resource even if Cache-Control prohibits. Works only for GET requests. Implicitly enables Cache strip cookies and Cache strip set-cookies

Force cache html only#

Avoids force caching if content type of response is not text/html. Force cache must still be enabled to force cache.

Cache collapse#

Collapse requests to origin per URL

Bot verification#

Enable cookie shield mode: on initial request client gets served 307 Temporary Redirect and Set-Cookie and allowed to access origin only after providing given cookie back.

Bot verification#

Verify known bots by using DNS lookups (first reverse DNS lookup, then check domain name matches known, then check forward DNS lookup matches client address).

RDNS bot verification list#

List of bots to verify against published user-agent to RDNS mapping. Special value matches all known user-agents. Current verified user-agents include:

  • google
  • yandex
  • bing
  • facebook
  • alexa
  • apple
  • pinterest
  • petal
  • yahoo
  • duckduckgo
  • stripe
  • letsencrypt
  • other



Comma separated list of blocklists.

Modsecurity mode#

Specify how the WAF reacts to security violations.

Setting Description
none disable
enforce send a HTTP 403 when a rule is triggered
warn log the violation and allow to pass, useful for testing

ModSecurity rules#

List of rule rules to enabled.

Modsecurity removed rules#

List of rule rules to skip.


Load balancing mode#

Specify load balancing mode.

Setting Description
none no load balancing, requests are sent to first origin
round-robin round robin requests between origins
client-address bind client ips to a particular origin for session persistence

Origin pool#

Tag of origin pool to use.

Replace host#

Host header to use for downstream connections.

Replace path#

Replace path prefix of downstream requests. Format is ="%source% %dest%"=. .

Rate limiting#

Rate limit mode#

Choose when to block rate limited requests based on list of |-separated modes. Possible values are:

Setting Description
none no rate limiting
global use global rate limiter
vhost rate limit virtual-host
vhost-busy rate limit on virtualhost-busy
zone rate limit to zone

Rate limit zone#

Use given zone name to rate limit requests against. Make sure Rate limit mode value includes zone or all.