Common scenarios in VCL - Varnish Summit CPH 2016

Common
scenarios
in VCL
By Thijs Feryn

View Slide

Hi, I’m Thijs

View Slide

I’m
@ThijsFeryn
on Twitter

View Slide

I’m an
Evangelist
At

View Slide

I’m a
at
board member

View Slide

149 th
talk

View Slide

This is my first
time
in København

View Slide

Slow websites suck

View Slide

Varnish

View Slide

Better end-user experience

View Slide

Easy peasy
right?

View Slide

Not
really

View Slide

There are rules

View Slide

✓Only GET & HEAD
✓No authorization headers
✓No cookies
✓No set-cookies
✓Valid cache-control/expires
headers
When does Varnish
cache? Some rules …

View Slide

It’s all
about
state

View Slide

Lots of
developers
don’t follow
those rules

View Slide

Cookies
everywhere

View Slide

Cache-control quoi?

View Slide

Out of the box
These are the main reasons
why Varnish will not work

View Slide

Write VCL

View Slide

Varnish
Configuration
Language

View Slide

Programming
the
Varnish
behaviour

View Slide

Varnish flow

View Slide

View Slide

Hooks

View Slide

VCL
Recv
VCL
Hash
VCL
Miss
VCL
Hit
VCL
Backend
Response
VCL
Deliver
VCL
Purge
VCL
Error
VCL
Pipe
VCL
Pass
VCL
Synth
VCL
Backend
Error

View Slide

✓vcl_recv: receive request
✓vcl_hash: compose cache key
✓vcl_miss: not found in cache
✓vcl_hit: found in cache
✓vcl_pass: don’t store in cache
✓vcl_pipe: bypass cache
✓vcl_backend_fetch: connect to
backend
✓vcl_backend_response: response
from backend
✓vcl_backend_error: backend fetch
failed

View Slide

✓vcl_purge: after successful purge
✓vcl_synth: send synthetic output
✓vcl_deliver: return data to client
✓vcl_init: initialize VMODs
✓vcl_fini: discard VMODs

View Slide

vcl 4.0;
backend default {
.host = "127.0.0.1";
.port = "8080";
}
Minimal VCL

View Slide

vcl 4.0;
backend default {
.host = "127.0.0.1";
.port = "80";
.max_connections = 300;
.first_byte_timeout = 300s;
.connect_timeout = 5s;
.between_bytes_timeout = 2s;
}
More backend work

View Slide

vcl 4.0;
backend default {
.host = "127.0.0.1";
.port = "80";
.probe = {
.url = "/";
.interval = 5s;
.timeout = 1s;
.window = 5;
.threshold = 3;
}
}
Even more backend work

View Slide

vcl 4.0;
backend default {
.host = "127.0.0.1";
.port = "80";
.probe = {
.request =
"HEAD / HTTP/1.1"
"Host: localhost"
"Connection: close"
"User-Agent: Varnish Health Probe";
.interval = 5s;
.timeout = 1s;
.window = 5;
.threshold = 3;
}
}
Even more backend work

View Slide

Load balancing

View Slide

vcl 4.0;
import directors;
backend server1 {
.host = “1.2.3.4”;
.port = "80";
.probe = {
.request =
"HEAD / HTTP/1.1"
"Host: localhost"
"Connection: close"
.interval = 5s;
.timeout = 1s;
.window = 5;
.threshold = 3;
}
}
Loadbalancing: server 1

View Slide

backend server2 {
.host = “1.2.3.5”;
.port = "80";
.probe = {
.request =
"HEAD / HTTP/1.1"
"Host: localhost"
"Connection: close"
.interval = 5s;
.timeout = 1s;
.window = 5;
.threshold = 3;
}
}
Loadbalancing: server 2

View Slide

sub vcl_init {
new vdir = directors.round_robin();
vdir.add_backend(server1);
}
sub vcl_recv {
set req.backend_hint = vdir.backend();
}
Loadbalancing: round robin

View Slide

sub vcl_init {
new vdir = directors.random();
vdir.add_backend(server1,2);
vdir.add_backend(server2,3);
}
sub vcl_recv {
}
Loadbalancing: random

View Slide

sub vcl_init {
new vdir = directors.fallback();
}
sub vcl_recv {
}
Loadbalancing: fallback

View Slide

sub vcl_init {
new vdir = directors.hash();
}
sub vcl_recv {
set req.backend_hint = vdir.backend(req.url);
}
Loadbalancing: URL hash

View Slide

sub vcl_init {
new vdir = directors.hash();
}
sub vcl_recv {
set req.backend_hint = vdir.backend(client.identity);
}
Loadbalancing: IP hash

View Slide

sub vcl_recv {
if(req.url ~ “^/products”) {
set req.backend_hint = server1;
} else {
set req.backend_hint = server2;
}
}
Conditional loadbalacning

View Slide

Normalize

View Slide

vcl 4.0;
import std;
sub vcl_recv {
set req.http.Host = regsub(req.http.Host, ":[0-9]+", "");
set req.url = std.querysort(req.url);
if (req.url ~ "\#") {
set req.url = regsub(req.url, "\#.*$", "");
}
if (req.url ~ "\?$") {
set req.url = regsub(req.url, "\?$", "");
}
if (req.restarts == 0) {
if (req.http.Accept-Encoding) {
if (req.http.User-Agent ~ "MSIE 6") {
unset req.http.Accept-Encoding;
} elsif (req.http.Accept-Encoding ~ "gzip") {
set req.http.Accept-Encoding = "gzip";
} elsif (req.http.Accept-Encoding ~ "deflate") {
set req.http.Accept-Encoding = "deflate";
} else {
unset req.http.Accept-Encoding;
}
}
}
}
Normalize

View Slide

Static assets

View Slide

vcl 4.0;
sub vcl_recv {
if (req.url ~ "^[^?]*\.(7z|avi|bmp|bz2|css|csv|doc|docx|eot|flac|
flv|gif|gz|ico|jpeg|jpg|js|less|mka|mkv|mov|mp3|mp4|mpeg|mpg|odt|otf|
ogg|ogm|opus|pdf|png|ppt|pptx|rar|rtf|svg|svgz|swf|tar|tbz|tgz|ttf|
txt|txz|wav|webm|webp|woff|woff2|xls|xlsx|xml|xz|zip)(\?.*)?$") {
unset req.http.Cookie;
return (hash);
}
}
sub vcl_backend_response {
if (bereq.url ~ "^[^?]*\.(7z|avi|bmp|bz2|css|csv|doc|docx|eot|flac|
unset beresp.http.set-cookie;
}
if (bereq.url ~ "^[^?]*\.(7z|avi|bz2|flac|flv|gz|mka|mkv|mov|mp3|mp4|
mpeg|mpg|ogg|ogm|opus|rar|tar|tgz|tbz|txz|wav|webm|xz|zip)(\?.*)?$") {
unset beresp.http.set-cookie;
set beresp.do_stream = true;
set beresp.do_gzip = false;
}
}
Cache static assets

View Slide

Do you really
want to cache
static assets?

View Slide

Nginx or
Apache can
be fast
enough for
that

View Slide

vcl 4.0;
import std;
sub vcl_recv {
if (req.url ~ "^[^?]*\.(7z|avi|bmp|bz2|css|csv|doc|docx|eot|flac|
unset req.http.Cookie;
return (pass);
}
}
Don’t cache static assets

View Slide

URL whitelist/blacklist

View Slide

sub vcl_recv {
if (req.url ~ "^/status\.php$" ||
req.url ~ "^/update\.php$" ||
req.url ~ "^/admin$" ||
req.url ~ "^/admin/.*$" ||
req.url ~ "^/user$" ||
req.url ~ "^/user/.*$" ||
req.url ~ "^/flag/.*$" ||
req.url ~ "^.*/ajax/.*$" ||
req.url ~ "^.*/ahah/.*$") {
return (pass);
}
}
URL blacklist

View Slide

sub vcl_recv {
if (req.url ~ "^/products/?"
return (hash);
}
}
URL whitelist

View Slide

Those damn
cookies again!

View Slide

vcl 4.0;
sub vcl_recv {
set req.http.Cookie = regsuball(req.http.Cookie, "has_js=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "__utm.=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "_ga=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "_gat=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "utmctr=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "utmcmd.=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "utmccn.=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "__gads=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "__qc.=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "__atuv.=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "^;\s*", "");
if (req.http.cookie ~ "^\s*$") {
unset req.http.cookie;
}
}
Remove tracking cookies

View Slide

vcl 4.0;
sub vcl_recv {
if (req.http.Cookie) {
set req.http.Cookie = ";" + req.http.Cookie;
set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
set req.http.Cookie = regsuball(req.http.Cookie, ";(PHPSESSID)=", "; \1=");
set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
}
}
}
Only keep session cookie

View Slide

sub vcl_recv {
if (req.http.Cookie) {
set req.http.Cookie = ";" + req.http.Cookie;
set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
set req.http.Cookie = regsuball(req.http.Cookie, ";(language)=", "; \1=");
set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
return(pass);
}
return(hash);
}
}
sub vcl_hash {
hash_data(regsub( req.http.Cookie, "^.*language=([^;]*);*.*$", "\1" ));
}
Language cookie cache variation

View Slide

Alternative
language
cache
variation

View Slide

sub vcl_hash {
hash_data(req.http.Accept-Language);
}
Language cookie cache variation
Or just send a
“Vary:Accept-Language”
header

View Slide

sub vcl_hash {
hash_data(req.http.Cookie);
}
Hash all cookies

View Slide

Edge Side Includes

View Slide

sub vcl_recv {
set req.http.Surrogate-Capability = "key=ESI/1.0";
}
if (beresp.http.Surrogate-Control ~ "ESI/1.0") {
unset beresp.http.Surrogate-Control;
set beresp.do_esi = true;
}
}
Edge Side Includes

View Slide

header("Cache-Control: public,must-revalidate,s-maxage=10");
echo "Date in the ESI tag: ".date('Y-m-d H:i:s').'
';
header("Cache-Control: no-store");
header(“Surrogate-Control: content='ESI/1.0'");
echo ''.PHP_EOL;
echo "Date in the main page: ".date('Y-m-d H:i:s').'
';
Main page
ESI frame:
esi.php
Cached for
10 seconds
Not cached

View Slide

ESI_xmlerror No ESI processing, first char
not 'Expects HTML/
XML tags

View Slide

-p feature=+esi_disable_xml_check
Add as
startup option

View Slide

Control
Time
To
Live

View Slide

set beresp.ttl = 3h;
}
Control Time To Live

View Slide

if (beresp.ttl <= 0s || beresp.http.Set-Cookie ||
beresp.http.Vary == "*") {
set beresp.ttl = 120s;
set beresp.uncacheable = true;
return (deliver);
}
}
Control Time To Live

View Slide

Debugging

View Slide

sub vcl_deliver {
if (obj.hits > 0) {
set resp.http.X-Cache = "HIT";
} else {
set resp.http.X-Cache = "MISS";
}
}
Debugging

View Slide

Anonymize

View Slide

sub vcl_deliver {
unset resp.http.X-Powered-By;
unset resp.http.Server;
unset resp.http.X-Drupal-Cache;
unset resp.http.X-Varnish;
unset resp.http.Via;
unset resp.http.Link;
unset resp.http.X-Generator;
}
Anonymize

View Slide

Purging

View Slide

acl purge {
"localhost";
"127.0.0.1";
"::1";
}
sub vcl_recv {
if (req.method == "PURGE") {
if (!client.ip ~ purge) {
return (synth(405, “Not allowed.”));
}
return (purge);
}
}
Purging

View Slide

acl purge {
"localhost";
"127.0.0.1";
"::1";
}
set beresp.http.x-url = bereq.url;
set beresp.http.x-host = bereq.http.host;
}
sub vcl_deliver {
unset resp.http.x-url;
unset resp.http.x-host;
}
sub vcl_recv {
if (req.method == "PURGE") {
if (!client.ip ~ purge) {
return (synth(405, "Not allowed"));
}
if(req.http.x-purge-regex) {
ban("obj.http.x-host == " + req.http.host + " && obj.http.x-url ~ " +
req.http.x-purge-regex);
} else {
ban("obj.http.x-host == " + req.http.host + " && obj.http.x-url == " +
req.url);
}
return (synth(200, "Purged"));
}
}
Banning

View Slide

Banning
curl -XPURGE -H "x-purge-regex:/products"
"http://example.com"
curl -XPURGE "http://example.com/products"

View Slide

Grace mode

View Slide

set beresp.grace = 6h;
}
Grace mode

View Slide

Cheers, hope
this helps!

View Slide

View Slide

Common scenarios in VCL - Varnish Summit CPH 2016

Common scenarios in VCL - Varnish Summit CPH 2016

Thijs Feryn

More Decks by Thijs Feryn

Other Decks in Technology

Featured

Transcript