Apache and Varnish http/https - linux

I use apache2 and varnish on a Debian server, but I have 2 websites: one uses port 80 and the other 443, and I have no idea how to use this with varnish.
How can I use ports 80 and 443 with varnish?
Thank you.
/etc/default/varnish
DAEMON_OPTS="-a :80 \
-T localhost:6082 \
-f /etc/varnish/default.vcl \
-S /etc/varnish/secret \
-s malloc,256m"
/etc/varnish/default.vcl
backend default {
.host = "127.0.0.1";
.port = "8080";
}
and apache2
NameVirtualHost 127.0.0.1:8080
Listen 127.0.0.1:8080
<VirtualHost 127.0.0.1:8080>
    # vhost directives (ServerName, DocumentRoot, ...) go here
</VirtualHost>

The "recommended" TLS termination companion to Varnish would be Hitch, which is from the same developers. It runs as an independent process and uses the HAProxy PROXY protocol to communicate with Varnish. What this entails Varnish-wise is listening on another port for the PROXY protocol.
Per the Varnish 4.1 documentation, you would listen on both the 6081 (or 80 as the case may be) as well as the internal port, such as 6086:
varnishd -f /etc/varnish/default.vcl -a :6081 -a 127.0.0.1:6086,PROXY
You can use the std module to detect whether the origin request came over SSL by doing something like:
import std;

sub vcl_recv {
    if (std.port(server.ip) == 443) {
        set req.http.X-Proto = "https";
    }
}
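As an added, complete example (not from the answer above and not from the Varnish or Hitch projects), here is a VCL 4.0 file that puts the std.port check into context. It assumes Hitch terminates TLS on port 443 and forwards to Varnish's PROXY listener on 127.0.0.1:6086 (started with the varnishd line above), that Apache listens on 127.0.0.1:8080, and that the header is called X-Forwarded-Proto instead of X-Proto; the header name is an arbitrary choice. Two things it adds to the answer: the client-supplied value of the header is cleared before Varnish sets it, so a plain-HTTP client cannot claim to be HTTPS, and the scheme is added to the cache key so HTTP and HTTPS variants of a page are not served to each other.

```vcl
vcl 4.0;
import std;

# Apache on the loopback port (as in the question).
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Never trust a client-supplied X-Forwarded-Proto: without this line a
    # request arriving on the plain listener could carry
    # "X-Forwarded-Proto: https" and the backend would believe it.
    unset req.http.X-Forwarded-Proto;

    # On the PROXY listener (-a 127.0.0.1:6086,PROXY) Hitch passes along the
    # address and port the client actually connected to, so server.ip
    # carries the original destination port (443 for TLS).
    if (std.port(server.ip) == 443) {
        set req.http.X-Forwarded-Proto = "https";
    } else {
        set req.http.X-Forwarded-Proto = "http";
    }
}

sub vcl_hash {
    # Keep the HTTP and HTTPS variants of a URL apart in the cache; the
    # built-in vcl_hash still runs afterwards and adds URL and Host.
    hash_data(req.http.X-Forwarded-Proto);
}
```

The backend can then read X-Forwarded-Proto to build absolute links or issue redirects; because Varnish overwrites the header on every request, the backend only ever sees a value Varnish itself derived from the listener port.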

Varnish on default port 6081

I would like to try a Varnish config where it listens on the default port 6081 and Apache stays on 80. The idea came from this blog about varnish.
An iptables redirect then sends all 80 traffic to 6081. Doing it this way enables me to continue using my web control panel without breaking it (the panel runs on 8080 itself and also breaks when Apache's listen is changed).
Right now I am on a clean install of the server with only Apache and Varnish installed, just to see if this works as is. I can get Varnish up and running with:
curl -I 192.168.0.1:6081
However it doesn't work on the IP alone even though the iptables rule is up and running. Following are my results and settings, obviously using the dummy IP 192.168.0.1.
iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 6081
iptables rule -- (idea from here)
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 6081
Results of curl -I with port 6081
curl -I http://192.168.0.1:6081
HTTP/1.1 200 OK
Date: Wed, 06 Jun 2018 21:45:20 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 06 Jun 2018 21:08:27 GMT
Vary: Accept-Encoding
Content-Type: text/html
X-Varnish: 2
Age: 0
Via: 1.1 varnish (Varnish/6.0)
ETag: W/"29cd-56dff9168052e-gzip"
Accept-Ranges: bytes
Connection: keep-alive
Results of curl -I with no port
curl -I http://192.168.0.1
HTTP/1.1 200 OK
Date: Wed, 06 Jun 2018 21:36:49 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Wed, 06 Jun 2018 21:08:27 GMT
ETag: "29cd-56dff9168052e"
Accept-Ranges: bytes
Content-Length: 10701
Vary: Accept-Encoding
Content-Type: text/html
/etc/default/varnish
DAEMON_OPTS="-a :6081 \
    -T localhost:6082 \
    -f /etc/varnish/default.vcl \
    -S /etc/varnish/secret \
    -s malloc,256m"
/etc/varnish/default.vcl
# Default backend definition. Set this to point to your content server.
backend default {
    .host = "127.0.0.1";
    .port = "80";
}
What am I missing? Apache is on 80, Varnish is on 6081, 80 traffic is redirected to 6081 where Varnish is listening.
I'm not sure I totally grasp the problem here. Why the redirect from 80 to 6081?
By default, Varnish will be exposed under 6081, this is mainly not to collide with other existing services running under popular ports like 80.
Given your setup, I'd do it the other way around. I would start Varnish under port 80 and Apache under 6081 (or any other port for that matter - I'm assuming 8089 further down the line) and of course make sure that Apache is set as a correct backend for Varnish.
After all, it's the proxy that you'd like to have in front for taking the heat.
E.g.:
/etc/varnish/default.vcl
backend default {
.host = "127.0.0.1";
.port = "8089"; # I will assume Apache runs under 8089.
}
Therefore, something like this:
$ curl -is http://127.0.0.1/foo/bar
will first hit Varnish, which in turn will try to honour the request by asking its backend (the above defined Apache).
Having said this, you can disable the 80 to 6081 redirect.
why this way?
In my opinion you should use varnish on port 80 and two sites on Apache, let's say :8080 and :8081.
APACHE>set up 2 vhosts
Site1> Play your panel on port 8080
Site2> Play your site on port 8081
Varnish>
Setup BackEnd1 for your panel
Setup BackEnd2 for your site
One at 8080 for your web-panel
and one on i.e. 8081 the actual site
Tell varnish for backend1 "panel" to pass everything to backend1 8080 (so varnish will just pass you to apache)
Tell varnish for backend2 "site" to cache whatever you like for 8081
So, with few words.
panel served from varnish and passing everything to Apache
site served from varnish and there you can apply your caching rules hits/misses etc. Remember to change /etc/default/varnish and set it on port 80.
PS: Never applied this to a combo of Varnish/Apache but done it on Varnish/nginx.
You should check if Apache is capable of doing this. I doubt it can't.
Let me see if I can help sort this out. So you want to try Varnish in parallel with your web server only so you can try it out. If this is the case, it's not a problem.
First, port 6081 is for the admin functionality of Varnish. There's tons that you can do remotely over this port.
Assuming your web server is on port 80, you can configure your Varnish server for :8080; you could set your /etc/varnish configuration up like this:
NFILES=131072
MEMLOCK=82000
RELOAD_VCL=1
VARNISH_VCL_CONF=/etc/varnish/mysite.vcl
VARNISH_LISTEN_PORT=8080
VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
VARNISH_ADMIN_LISTEN_PORT=6082
VARNISH_SECRET_FILE=/etc/varnish/secret
VARNISH_MIN_THREADS=100
VARNISH_MAX_THREADS=8000
VARNISH_THREAD_TIMEOUT=240
VARNISH_STORAGE_FILE=/var/lib/varnish/varnish_storage.bin
VARNISH_STORAGE_SIZE=12G
#VARNISH_STORAGE="file,${VARNISH_STORAGE_FILE},${VARNISH_STORAGE_SIZE}"
VARNISH_STORAGE="malloc,${VARNISH_STORAGE_SIZE}"
VARNISH_TTL=120
DAEMON_OPTS="-a ${VARNISH_LISTEN_ADDRESS}:${VARNISH_LISTEN_PORT} \
-f ${VARNISH_VCL_CONF} \
-T ${VARNISH_ADMIN_LISTEN_ADDRESS}:${VARNISH_ADMIN_LISTEN_PORT} \
-t ${VARNISH_TTL} \
-w ${VARNISH_MIN_THREADS},${VARNISH_MAX_THREADS},${VARNISH_THREAD_TIMEOUT} \
-u varnish -g varnish \
-S ${VARNISH_SECRET_FILE} \
-s ${VARNISH_STORAGE}"
Then, in your "mysite.vcl" configuration, you can link varnish to your web site:
backend webserver {          # Define one backend
    .host = "127.0.0.1";     # IP or Hostname of backend
    .port = "80";            # Port for backend listener (Apache, NGINX, etc.)
}
Then just set up your iptables to accept traffic for both 8080 and 80 and you can test Varnish on :8080 and the web server on :80 independently. BTW, you should not expose the admin ports (6081, 6082, etc.) to the outside.
If you decide to go with Varnish, you would put it in front of your web server. Set the Varnish listen port to 80, and your web server to 8080 or any other port if they are on the same server. If they are different servers, you can leave your web server port at 80, just pull it out of the firewall so it can't be contacted directly from the outside world.
Best of luck!

Varnish +nginx + ISPConfig

Can't configure Varnish. Please, help!
(found only a German thread here)
I've set up Nginx 1.10, Varnish 4.1.1, ISPConfig.
/etc/default/varnish
DAEMON_OPTS="-a :6081 \
-T localhost:6082 \
-f /etc/varnish/default.vcl \
-S /etc/varnish/secret \
-s malloc,512m"
/etc/varnish/default.vcl
backend default {
.host = "127.0.0.1";
.port = "81";
}
acl purge {
"localhost";
"127.0.0.1";
}
Nginx virtual host /etc/nginx/sites-available/MyDomain.com.vhost
server {
listen *:81;
...
and when I visit MyDomain.com it shows me content from my server IP address,
/var/www/html/index.html instead of /var/www/MyDomain.com/web/index.html
What's wrong?
I don't know what to look first, how to debug ?
Your varnish listens on :6081 and forwards all requests to 127.0.0.1:81.
Your nginx listens on *:81.
You should request MyDomain.com on port 6081.
If you request MyDomain.com on port 80 you are redirected to the default nginx page.
If you want to make sure, I would suggest to run a varnishlog which will tell you what's passing through varnish in real time.

Using Varnish as a reverse proxy with multiple vhosts

I have only one public IP address, so I use Varnish as a reverse proxy for multiple servers. Here is the configuration.
1st physical server Varnish/Apache - port 80, port 8080, ip address 10.0.0.40
2nd physical server 3 Drupal Vhosts - port 80, ip address 10.0.0.30
3rd physical server 2 Non Drupal Vhosts - port 80, ip address 10.0.0.31
In /etc/sysconfig/varnish,
DAEMON_OPTS="-a :80 \
    -T localhost:6082 \
    -f /etc/varnish/default.vcl \
    -u varnish -g varnish \
    -S /etc/varnish/secret \
    -s file,/var/lib/varnish/varnish_storage.bin,1G"
In default vcl,
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}
The reverse proxy is working OK and I can see the Varnish cache working by checking the HTTP headers. However I am not sure the above configuration is correct or optimal, especially with only one backend definition in the default VCL file. Any advice?
I suggest the following approach:
NGINX > VARNISH > APACHE
Nginx: to handle SSL termination easily, and also you can use it to cache the static content. As far as I know, Nginx is better than Varnish at caching static content; also Varnish is not supposed to cache the static content.
Varnish: will receive requests from Nginx and pass it to Apache.
Apache: will act as a load balancer which will send the requests to the backend servers (Drupal/Non-drupal)
Check the following resources:
1- HTTPS Everywhere With Nginx, Varnish And Apache
2- Simple load balancing with Apache
If my answer is not clear enough let me know.
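The single "backend default" in the question above means every Host header ends up on the Apache at 127.0.0.1:8080, whatever server the vhost really lives on. The same pattern, one backend per upstream selected by Host, is also what the earlier "panel on 8080, site on 8081" answer describes. As an added example (not from either thread and not the project's own code), here is a VCL 4.0 file that routes by Host to the three machines in the question; the 10.0.0.x addresses are from the question, while the hostnames under example.com are placeholders and the loopback "panel" backend is assumed to be a control panel that must never be cached.

```vcl
vcl 4.0;
import std;

# Control panel on the Varnish host itself: proxied, never cached.
backend panel {
    .host = "127.0.0.1";
    .port = "8080";
}

# Drupal vhosts on the second physical server.
backend drupal {
    .host = "10.0.0.30";
    .port = "80";
}

# Non-Drupal vhosts on the third physical server.
backend other {
    .host = "10.0.0.31";
    .port = "80";
}

sub vcl_recv {
    # Normalise Host: strip any ":port" suffix and lower-case it, so that
    # "Example.COM:80" and "example.com" pick the same backend and share
    # one cache entry instead of splitting the cache.
    set req.http.host = std.tolower(regsub(req.http.host, ":[0-9]+$", ""));

    if (req.http.host == "panel.example.com") {
        set req.backend_hint = panel;
        return (pass);                       # admin UI: bypass the cache
    } elsif (req.http.host ~ "^(site1|site2|site3)\.example\.com$") {
        set req.backend_hint = drupal;
    } elsif (req.http.host ~ "^(site4|site5)\.example\.com$") {
        set req.backend_hint = other;
    } else {
        # Unknown Host: fail closed rather than forward it to a default
        # backend that would serve whatever its first vhost happens to be.
        return (synth(404, "Unknown host"));
    }
}
```

The Apache vhosts on 10.0.0.30 and 10.0.0.31 keep matching on ServerName as before; Varnish only decides which machine receives the request. The final else branch is the part most setups leave out: without it, a request for a hostname you do not serve still reaches a backend and is cached under that Host.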

Installing Varnish as per the Varnish Book?

I have a vanilla Debian DigitalOcean machine and I'm trying to follow the 'developer' course in the Varnish Book. I've got to the first exercise, Installation.
I've installed Apache and got it running on port 8080 (if I go to http://my.ip.xxx.xxx:8080 I see the Apache2 Debian default page). I've also installed Varnish, so steps 1-3 are fine.
Now I'm trying to follow steps 4 and 5. I've edited /etc/default/varnish as follows:
DAEMON_OPTS="-a :80 \
-T localhost:1234 \
-f /etc/varnish/default.vcl \
-S /etc/varnish/secret \
-s malloc,256m"
And I've edited /etc/varnish/default.vcl as follows:
backend default {
.host = "localhost";
.port = "8080";
}
Then I've run service varnish start, which produces no errors.
But if I go to http://my.ip.xxx.xxx (i.e. with no port number) I just see nothing.
What am I doing wrong?
If I run netstat -ntlp as suggested in the book, I see Varnish on ports 6081 and 6082, and Apache on port 8080, but nothing on port 80.
Old question but had this problem myself. In my case I had to edit /lib/systemd/system/varnishncsa.service as SystemD was taking over the legacy InitD.
[Service]
ExecStart=/usr/sbin/varnishd -j unix,user=vcache -F -a :80 -T localhost:1234 -f /etc/varnish/abadcer.vcl -S /etc/varnish/secret -s malloc,256m
Then you commit the changes and restart Varnish
sudo systemctl daemon-reload
sudo service varnish restart

Basic Varnish Configuration

I'm in the baby step stages of setting up Varnish for the first time and I think I must have some fundamental misunderstanding. For the purpose of testing, I've left /etc/default/varnish in its default config:
DAEMON_OPTS="-a :6081 \
-T localhost:6082 \
-f /etc/varnish/default.vcl \
-S /etc/varnish/secret \
-s malloc,256m"
My /etc/varnish/default.vcl has this content (my Nginx virtual host is still listening on port 80 for now):
backend default {
.host = "127.0.0.1";
.port = "80";
}
My Nginx server block contains this:
listen 80;
For good measure, netstat shows listeners on those key ports:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6081 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:6082 0.0.0.0:* LISTEN
As I understand it from reading a lot of posts on the topic, I should be able to open my.site.com:6081 in a browser to have traffic routed through Varnish to Nginx and back. I'm not seeing that. I get a connection error instead. At this point, I'm not trying to do anything sophisticated; I just want to establish communication and retrieve content.
I have no doubt this is a me issue and not a Varnish issue, but I don't see where I've gone wrong. I can't see any key difference between my ultra-basic config and what I've found online. Where have I gone wrong?
Ubuntu 12.04
Varnish 3.0.2
Nginx 1.1.19
Any remedial assistance would be much appreciated.
Looks like a network problem.
Do you have some kind of firewall protecting ports?
Could you connect to Varnish locally from the server with
curl -I -H 'Host:my.site.com' http://localhost:6081/
or
telnet 127.0.0.1 6081