It looks like from the code, that since a 403 is not a whitelisted status, the Cache-Control header is ignored:
switch (http_GetStatus(hp)) {
default:
expp->ttl = -1.;
https://github.com/varnishcache/varnish-cache/blob/4.0/bin/varnishd/cache/cache_rfc2616.c#L112-L114
This is the best I could come up with:
sub vcl_backend_response {
if (beresp.status == 403) {
set beresp.http.X-Status = beresp.status;
set beresp.status = 200;
}
}
sub vcl_deliver {
if (resp.http.X-Status) {
set resp.status = std.integer(resp.http.X-Status, 403);
unset resp.http.X-Status;
}
}
While this properly sets and unsets the status, every request is a cache MISS.
See #2018
A 403 response is not cached by default in varnish.
"You can cache other status codes than the ones listed above, but you have to set the beresp.ttl to a positive value in vcl_backend_response. "
See http://book.varnish-software.com/4.0/chapters/VCL_Basics.html#the-initial-value-of-beresp-ttl