Varnish Orca
← Orca documentation

Virtual Registry Changelog

Here’s an overview of the latest Varnish Virtual Registry releases, describing feature additions, changes, fixes and removals per version.

Virtual Registry 0.13.1

Released: 2026-06-17

Varnish version: 6.0.18r2

Artifact Firewall version: 0.3.2

Fixed

  • Pass JFrog UI requests straight through, so flows like npm login --auth-type web are no longer misclassified as package requests and blocked.

Virtual Registry 0.13.0

Released: 2026-06-16

Varnish version: 6.0.18r2

Artifact Firewall version: 0.3.2

Added

  • NuGet (V3) registry support: caching and Artifact Firewall enforcement, including under JFrog Artifactory virtual repos.

Fixed

  • Enforce Artifact Firewall rules when Orca fronts a JFrog Artifactory virtual repo (npm, pypi, maven). The Artifactory path prefix previously left the firewall with incorrect package coordinates, so denied packages were allowed.

Virtual Registry 0.12.1

Released: 2026-06-13

Varnish version: 6.0.18r2

Artifact Firewall version: 0.3.2

Added

  • Added Virtual Registry options redirects.deny_unknown_hosts and redirects.extra_known_hosts to restrict /redirectz upstream hosts and transparent redirect targets to configured remotes and extras.

Fixed

  • Fixed /redirectz cache entries being keyed only on the path, so responses fetched from one upstream host could be served on requests targeting a different host at the same path.

Virtual Registry 0.12.0

Released: 2026-06-11

Varnish version: 6.0.18r2

Artifact Firewall version: 0.3.1

Added

  • Added short-lived caching of GitHub GraphQL API (POST /graphql) query responses, keyed by request body. Schema introspection queries get a longer TTL, while mutations, subscriptions, and rateLimit queries bypass the cache.
  • Added preserve_host option to remotes. When enabled, the original request Host header is forwarded to the remote while the connection still targets the remote url. Useful when a single backend routes internally on the Host. Takes precedence over preserve_subdomain.
  • Added virtual_registry.base_url, a default base URL applied to all registries that do not configure their own base_url.
  • X-Forwarded-Proto: https from an upstream TLS terminator is now honored when auto-detecting the request scheme for base_url. Varnish also sets X-Forwarded-Proto toward the remote when the inbound request was TLS or when the registry’s base_url uses https://.

Changed

  • ACME challenge server no longer binds to port 80.
  • Requests that arrive with a non-canonical Host header (a bare IPv4/IPv6 literal or localhost, e.g. clients reaching a node by IP or over a local tunnel) now have their Host rewritten to the host of the applicable base_url (registry-specific or global), so they are handled as if they had arrived at the registry’s canonical hostname.

Fixed

  • Fixed config validation preventing scheme-only base_url.
  • Fixed transparent redirect-follow consuming Set-Cookie on JFrog UI and OAuth callback responses, breaking SSO login flows.

Virtual Registry 0.11.0

Released: 2026-06-03

Varnish version: 6.0.18r1

Artifact Firewall version: 0.3.1

Added

  • Added support for caching Debian apt artifacts.
  • Added disable_cache option to disable artifact caching on a per-registry basis.
  • Added support for caching responses from the GitHub REST API on GitHub.com and GitHub Enterprise Server (GHES). This includes metadata endpoints, SHA-addressed git objects and source archives, and release-asset and Actions artifact downloads served via signed-blob redirects.
  • Added HMAC signing of /redirectz URL matrix parameters, emitted as an additional ;sig=... matrix parameter. Enable via virtual_registry.redirects.signing.enabled; the signing key is read from the environment variable named in virtual_registry.redirects.signing.key_env.
  • Added option to disable the /redirectz endpoint entirely through virtual_registry.redirects.enabled.
  • Added Varnish Enterprise license reload when supervisor is reloaded via SIGHUP
  • Bumped Artifact Firewall to 0.3.0, which adds Maven support, per-version artifact preflight blocking, ruleset persistent storage, and the ability to disable rules at runtime via the admin API. The Supervisor continues to run the firewall in integrated deployment mode behind Virtual Registry, and now registers manifest transformers for the NuGet and Maven ecosystems in addition to npm and PyPI.
  • Added top-level otel.endpoint configuration that sets OTEL_EXPORTER_OTLP_ENDPOINT, used by all signals when no signal-specific endpoint is configured. The OTLP SDK auto-appends /v1/<signal> for HTTP protocols.

Fixed

  • Fixed default configuration values being silently lost when a user-provided YAML file set only a subset of fields in the same section.
  • Fixed Artifact Firewall returning 503 when firewall.address was omitted from config.
  • Fixed fsnotify on user-provided certificates so that they are reloaded when files change on disk.

Virtual Registry 0.10.0

Released: 2026-05-11

Varnish version: 6.0.17r3

Artifact Firewall version: 0.2.2

Added

  • Added new Virtual Registry option cache_req_body_limit to set the maximum request body size to buffer for cacheable POSTs (e.g. git-upload-pack).
  • Added Git URL cache key normalization. The URL part of Git cache keys is now lowercased and .git extension agnostic.
  • Added Git request body cache key normalization. For small request bodies (<10k), agent and session-id telemetry attributes are excluded from the cache key.

Changed

  • Increased default request body buffer size for cacheable POSTs (e.g. git-upload-pack) from 1MB to 10MB.

Fixed

  • Fixed an issue where large Git v2 POST requests would exhaust workspace and fail the transaction.
  • Fixed git repository name parsing bug.

Virtual Registry 0.9.0

Released: 2026-04-21

Varnish version: 6.0.16r13

Added

  • Added Supervisor packages and Orca Docker image for arm64.
  • Added support for caching Git LFS objects. This includes rewriting LFS batch API download URLs to route through the Virtual Registry, where objects are cached as immutable content-addressed downloads.
  • Added support for caching PHP/Composer artifacts. This includes rewriting absolute URLs in Composer manifests with the Virtual Registry base_url, enabling caching of both dist archive downloads and source repository clones.
  • Added more known OCI User-Agents for pattern matching.

Changed

  • URL rewrites now use matrix parameters to convey extra information about the rewritten URL. This leads to better classification and cache policy for requests to the /redirectz endpoint.
  • Caching of HEAD requests from OCI clients is re-enabled. The HEAD requests are not transparently converted to GET requests, opting instead to preserve the request method and cache it separately. This works around the issue of Docker registries that give different response status for HEAD and GET requests.
  • For OCI requests, increased cache TTL for the /v2/ ping endpoint to 60s.
  • Unsuccessful HEAD preflight requests are now restarted with GET to be able to serve a response body. Like the initial preflight request, the client Authorization header is added to the cache key of the restarted GET request.
  • The preflight request for OCI manifests is now re-used by OCI blobs. This means that a single preflight request now authorizes a user for an entire image, instead of needing two.

Fixed

  • Fixed an issue where a license would be considered invalid when the no_restart or shutdown date were set and did not match the expiry date.

Removed

  • Stopped building new packages for Debian Bullseye and RHEL 8. There are no arm64 Varnish packages available for these distributions, and no customers currently relying on them.

Virtual Registry 0.8.3

Released: 2026-04-13

Varnish version: 6.0.16r13

Added

  • Added varnish-supervisor packages for Debian Trixie
  • Added varnish-supervisor packages for RHEL 10

Fixed

  • Fixed an issue where interrupting the supervisor during VCL loading would hang for 30 seconds before exiting.

Virtual Registry 0.8.2

Released: 2026-03-23

Varnish version: 6.0.16r13

Added

  • Added --validate flag which validates the config and exits.
  • Added stricter config validation.

Fixed

  • Fixed missing support for custom CA server URLs.
  • Fixed an issue where some parts of the configuration would ignore unknown fields instead of exiting with an error.
  • Fixed an issue where NPM clients would revalidate their local manifest cache instead of using the new one sent by the Artifact Firewall.

Virtual Registry 0.8.1

Released: 2026-03-12

Varnish version: 6.0.16r13

Added

  • Added preparations for Artifact Firewall becoming generally available.

Changed

  • Setting base_url to either http:// or https:// without a domain now determines the scheme of client redirects. This is useful for deployments where the Virtual Registry is deployed behind a TLS terminating proxy, especially when preserve_subdomain is used for the Virtual Registry remotes.

Virtual Registry 0.8.0

Released: 2026-03-05

Varnish version: 6.0.16r12

Added

  • Added Cluster option (premium).
  • Added dns_ttl option to remotes. This can be used to override the DNS resolution interval indicated by DNS records.
  • Added routes option to virtual registries. A route is a glob pattern (fnmatch) that enables more flexible registry routing, where only subdomain-based routing was available before. The subdomain routing still has the highest order of precedence, with routes being matched against the Host header in order of appearance.
  • Added preserve_subdomain option to remotes. When used, the incoming subdomain (final component) is appended to the remote Host header when fetching from the remote. The final hostname is also used for DNS and TLS SNI.
  • Added readonly option to virtual registries. When enabled, all uploads to the virtual registry are blocked.
  • Added extended support for Conan artifacts.
  • Added support for caching Ansible artifacts (roles and collections). This includes rewriting the download_url in manifests with the Virtual Registry base_url.
  • Added extended support for PyPi manifests. This includes rewriting absolute manifest URLs with the Virtual Registry base_url.
  • Added preserve_manifest option to virtual registries. When enabled, base_url insertion into manifests is disabled.

Fixed

  • Fixed subdomain not being parsed correctly for single component Host headers with port.
  • Fixed parsing of Docker distribution protocol requests not separating query parameter from manifests referenced by SHA, leading to the being marked as “must-revalidate” instead of “immutable”.
  • Fixed Git v2 protocol ls-refs commands not being assigned a “resource_manifest” cache key.

Virtual Registry 0.7.1

Released: 2026-02-27

Varnish version: 6.0.16r12

Fixed

  • Fixed an issue where some OCI uploads with Docker clients would fail due to an absolute POST redirect being rewritten with a different prefix than the initial challenge. This caused the Docker client to omit the Authorization header on subsequent PATCH requests, resulting in the upload being aborted with a 401 response. Absolute redirects from the registry are now rewritten as relative redirects.
  • Fixed an issue where some base_url rewrites would not restore the original Host header on fetch to the remote.

Virtual Registry 0.7.0

Released: 2026-02-23

Varnish version: 6.0.16r10

Added

  • Added OTEL logs support via the otel.logs configuration block. Logs are exported to a configurable OTLP endpoint and do not require a license.

  • Added configurable trace sampling via the otel.tracing.sampler configuration option. Supported samplers: always_on, always_off, traceidratio, parentbased_always_on, parentbased_always_off, parentbased_traceidratio. Ratio-based samplers accept an otel.tracing.sampler_arg value between 0.0 and 1.0.

  • Added a cache invalidation yKeys for resource types. All objects now get a resource_manifest, resource_package or resource_other key.

  • Added base_url option to the virtual registry configuration. This is used whenever the proxy needs to rewrite a response header or body to direct the client back to the virtual registry.

  • Added policy for proxying JFrog UI.

  • Added dns_ttl option to remotes. When set, this option overrides the DNS resolution interval for the remote, ignoring DNS record TTLs.

Changed

  • Upgraded varnish-otel to v2.2.0, which adds trace sampling and OTEL logs support.

  • Remote endpoints are now resolved preemptively in vcl_backend_fetch using utils.resolve_backend(). The Host header is explicitly set based on the remote URL Host. This should not produce a noticeable change.

  • Improved cache policy for NPM traffic. All /-/ endpoints are now marked uncacheable. Manifests are now always marked as must-revalidate, meaning they are not cached, but coalesced and candidates for 304 revalidation and stale-if-error.

  • Added stricter checking for undefined configuration options. This should make it easier to catch typos in the YAML config.

  • The WWW-Authenticate response header is now transparently rewritten when it directs the client to a different domain than the effective base_url. The original URL is preserved and used when the client comes back to authenticate. This enables auth when the upstream registry is not directly accessible by the client.

  • For 202 Created responses, the Location header is also rewritten in the same fashion as WWW-Authenticate. This enables OCI uploads when the upstream registry is not directly accessible by the client.

Fixed

  • Fixed varnish-otel failing to find Varnish shared memory when workdir is not explicitly configured.

  • Fixed retrying requests when the load balancer has no remaining healthy and unused backends available.

  • Fixed a beresp.ttl + req.ttl interaction that resulted in objects marked as must-revalidate not being considered for 304 revalidation and stale-if-error.

  • Fixed an issue where OCI uploads would fail with a 404 because the registry returns different responses for HEAD and GET. HEAD requests from OCI clients are now proxied through without a lookup in cache.

  • Fixed IPv6 client IPs not being considered local for cache invalidation access.

Virtual Registry 0.6.3

Released: 2025-12-17

Varnish version: 6.0.16r8

Fixed

  • Loosen Varnish version license restrictions to ease installation from deb and rpm packages when a new version of varnish-plus is released. Each varnish-supervisor release targets a specific minimum version of Varnish, but it should be possible to use a newer version of varnish-plus than the minimum version.

Virtual Registry 0.6.1

Released: 2025-12-01

Varnish version: 6.0.16r7

Fixed

  • Fixed the version for the embedded Virtual Registry license.

Virtual Registry 0.6.2

Released: 2025-12-01

Varnish version: 6.0.16r7

Fixed

  • Fixed a syntax error in the VCL.

Virtual Registry 0.6.0

Released: 2025-11-27

Varnish version: 6.0.16r7

Added

  • Added support for persisted storage categories.
  • Added optional book_size to tune the size of persisted storage books.
  • Added default_ttl, default_grace, and default_keep options for Virtual Registries to override the global varnish.params with the same name. Like the global params, these only apply to responses that don’t have an explicit cache policy or Cache-Control header from the remote registry.

Changed

  • The configuration format for varnish.storage has changed. While this technically a breaking change, it’s a licensed feature that has not been put in production anywhere yet. We saw this as an opportunity to do some final polish on the config format without introducing a real breaking change.
  • When possible, requests for package manifests are now coalesced when multiple clients request the same manifest at the same time. This can reduce repeat requests to the remote registry while always keeping the manifests fresh.
  • Artifacts classified as “other” no longer share a cache namespace with artifacts classified with a specific package type. This resulted in inconsistent cache policies being applied to certain objects, giving them a longer than intended lifetime.
  • Registries now have separate cache namespaces. This eliminates potential issues with staging/production setups where repositories and packages have the same name but different manifests. Objects with an immutable cache policy still share a global namespace, so cross-registry Docker layer caching will continue tow work as normal.
  • Introduced Stale-If-Error for all cacheable objects, delivering stale objects in case the remote registry is unreachable or produces 5xx responses. Access control for private repositories is still maintained, relying on cached per-user, per-artifact authorization for access control.

Fixed

  • Metrics export now works properly without a license.
  • Several issues fixed in the varnish.storage subsystem. The MSE configuration should now be changed to reflect changes in the storage configuration in all cases.

Virtual Registry 0.5.0

Released: 2025-11-14

Varnish version: 6.0.16r6

Added

  • Improved cache policy for PyPi. *.whl, *.tar.gz, and *.zip objects are now cached indefinitely while */simple/* is explicitly treated as uncacheable.

Fixed

  • Files under /etc/varnish now has the correct varnish owner in Docker.
  • Cache invalidation yKeys for registry name and package type are now created properly.
  • Private repositories are no longer treated as public when the private repository caching feature is disabled. Private repository traffic is now passed through the proxy transparently. Does not apply to public OCI repositories, they maintain the previous behavior due to the Authorization header being required.
  • Improved cache policy for Maven. Most objects are now cached indefinitely while maven-metadata.xml is explicitly treated as uncacheable.

Virtual Registry 0.4.0

Released: 2025-11-04

Varnish version: 6.0.16r4

Added

  • Initial release.