@BBlack has given me some feedback on things the VM's VCL currently has which wouldn't be acceptable in production. Let's clean that up, as it will have to be done at some point anyway:
- ban and pipe shouldn't be used. Ban is inefficient and pipe bypasses DoS protection and header manipulation. These should never happen as a result of end-user traffic.
- As much logic as possible should be removed from the VCL and moved to the app layer. For instance the whole URL translation, it should be possible to add a new handler to thumbor to understand our existing URL scheme. Similarly, it might be possible to set the xkey header in the Thumbor response, as well as change the purge URL scheme to take the xkey directly instead of doing any translating. Bottom line is, we should try to move as much logic as we can out of the VCL.