nginx has proxycache support now. We could use it as a layer-0 in front of even varnish layer-1, with very very short TTLs just to suck up the worst DoS/surge spikes a bit. Should probably wait until we've upgraded to a post-1.6.x nginx version though, as the 1.7.x series had many related improvements and bugfixes.
| Status | Assigned | Task |
|---|---|---|
| Declined | BBlack | T96851 Evaluate limited caching inside nginx |
| Resolved | BBlack | T96850 Test then switch to openssl 1.0.2 + nginx 1.9.2 |
| Resolved | BBlack | T96847 Refactor varnish puppet config |
| Declined | BBlack | T119396 Create globally-unique varnish cache cluster port/instancename mappings |
| Resolved | BBlack | T119394 Convert misc cluster to 2-layer |
Actually this isn't worth thinking about at present, because (a) we'd lose analytics for the cache hits within nginx unless we did a bunch of work to get that flowing, and (b) we'd need to also move port 80 traffic through nginx, which we're not doing currently (but might someday eventually, after HTTPS-by-default-everywhere, maybe?).
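For reference, a sketch of what the short-TTL layer discussed in this task could look like. This is an added example, not configuration from this task or from the production setup. The zone name, paths, hostname, certificate locations and the Varnish address are assumptions. It logs the cache status per request, which is one way to keep nginx-level hits visible.

```nginx
# Added illustration. All names, paths and addresses below are assumed.
# These directives belong inside the http {} context.

# Small on-disk cache; entries unused for 10s are evicted.
proxy_cache_path /var/cache/nginx/micro levels=1:2 keys_zone=micro:10m
                 max_size=256m inactive=10s;

# Record HIT/MISS/BYPASS/EXPIRED/UPDATING so hits served by nginx still
# show up in the access log.
log_format cache_status '$remote_addr [$time_local] "$request" $status '
                        '$body_bytes_sent cache=$upstream_cache_status';

upstream varnish_frontend {
    server 127.0.0.1:80;   # assumed address of the local Varnish layer
}

server {
    listen 443 ssl;
    server_name example.org;                          # placeholder
    ssl_certificate     /etc/ssl/example.org.crt;     # placeholder
    ssl_certificate_key /etc/ssl/private/example.org.key;
    access_log /var/log/nginx/access.log cache_status;

    location / {
        proxy_pass http://varnish_frontend;
        proxy_set_header Host $host;

        proxy_cache micro;
        proxy_cache_key $scheme$host$request_uri;
        proxy_cache_methods GET HEAD;

        # 1s TTL. Cache-Control/Expires sent by the upstream take
        # precedence over this value, so it only applies to responses
        # that lack those headers.
        proxy_cache_valid 200 301 1s;

        # Collapse concurrent misses for one key into a single upstream
        # fetch; serve the stale copy while it is being refreshed.
        proxy_cache_lock on;
        proxy_cache_lock_timeout 2s;
        proxy_cache_use_stale updating error timeout;

        # Requests carrying credentials are neither stored nor answered
        # from the cache.
        proxy_no_cache     $http_authorization $http_cookie;
        proxy_cache_bypass $http_authorization $http_cookie;
    }
}
```

Check the file with `nginx -t` before reloading. Responses with `Set-Cookie` or `Cache-Control: private` are not stored by default, and that default is lost if `proxy_ignore_headers` is used to force the short TTL.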