Varnish in-depth training - Symfony Live Berlin 2017

By Thijs Feryn
Varnish in -depth
training

View Slide

Slow websites suck

View Slide

Web performance is
an essential part of
the user experience

View Slide

Slow ~ Down

View Slide

Saturated
market

View Slide

View Slide

Heavy load

View Slide

Mo money
Mo servers

View Slide

Identify slowest parts

View Slide

View Slide

Reduce the
impact of the
code on the
server

View Slide

Not just raw speed

View Slide

Scale

View Slide

Refactor slow code
Write fast code

View Slide

Optimize database

View Slide

Improve the API call

View Slide

Optimize runtime

View Slide

After a while you
hit the limits

View Slide

Cache

View Slide

Don’t
recompute
if the data
hasn’t
changed

View Slide

3 x 2 = ?

View Slide

What can you cache?
Byte code
Database output External services
Files from disk
Pages

View Slide

Caching is not a
compensation for
poor code

View Slide

Caching is an
essential
architectural
strategy

View Slide

Pages

View Slide

Normally
User Server

View Slide

With Varnish
User Varnish Server

View Slide

View Slide

Hi, I’m Thijs

View Slide

I’m
@ThijsFeryn
on Twitter

View Slide

I’m an
Evangelist
At

View Slide

I’m a
at
board member

View Slide

View Slide

Let's dive right in!

View Slide

Varnish

View Slide

Cache?

View Slide

Loadbalancer?

View Slide

Proxy?

View Slide

Web
application
firewall?

View Slide

HTTP
accelerator

View Slide

Regular proxy
User Proxy Server
Office

View Slide

With reverse
proxy
User Proxy Server
Datacenter

View Slide

Bit of history

View Slide

View Slide

Varnish Moral
License
http://phk.freebsd.dk/VML/

View Slide

View Slide

Main project
“sponsors”

View Slide

How does it work?

View Slide

varnishd
VCL file
Compiled & linked as
shared object
Client
HTTP
Backend
HTTP
Memory
Logs
Writes verbose
“transaction” logs to
memory
varnishlog
varnishtop
Read memory logs,
displays information
varnishncsa
varnishadm
Allow basic
management tasks
Custom
protocol

View Slide

Install & configure

View Slide

https://packagecloud.io/varnishcache/varnish5
https://packagecloud.io/varnishcache/varnish41

View Slide

$ curl -s https://packagecloud.io/install/repositories/
varnishcache/varnish5/script.deb.sh | sudo bash
$ apt-get install varnish
Debian & Ubuntu

View Slide

$ apt-cache policy varnish
varnish:
Installed: 5.2.0-1~stretch
Candidate: 5.2.0-1~stretch
Version table:
*** 5.2.0-1~stretch 500
500 https://packagecloud.io/varnishcache/varnish5/debian stretch/main
amd64 Packages
100 /var/lib/dpkg/status
5.1.3-1~stretch 500
amd64 Packages
5.1.2-1~stretch 500
amd64 Packages
5.0.0-7+deb9u1 500
500 http://deb.debian.org/debian stretch/main amd64 Packages
500 http://security.debian.org stretch/updates/main amd64 Packages

View Slide

$ apt-get install varnish=5.2.0-1~stretch

View Slide

$ curl -s https://packagecloud.io/install/repositories/
varnishcache/varnish5/script.rpm.sh | sudo bash
$ yum install varnish
RHEL & CentOS

View Slide

Config
file

View Slide

View Slide

SysV Systemd
Ubuntu/Debian /etc/default/varnish /etc/systemd/system/varnish.service
RHEL/CentOS /etc/sysconfig/varnish /etc/varnish/varnish.params

View Slide

cp /lib/systemd/system/varnish.service \
/etc/systemd/system/
Copy defaults file
Ubuntu &
Debian with
systemd

View Slide

Startup options

View Slide

[Unit]
Description=Varnish Cache, a high-performance HTTP accelerator
[Service]
Type=forking
# Maximum number of open files (for ulimit -n)
LimitNOFILE=131072
# Locked shared memory - should suffice to lock the shared memory log
# (varnishd -l argument)
# Default log size is 80MB vsl + 1M vsm + header -> 82MB
# unit is bytes
LimitMEMLOCK=85983232
# On systemd >= 228 enable this to avoid "fork failed" on reload.
#TasksMax=infinity
# Maximum size of the corefile.
LimitCORE=infinity
# Set WARMUP_TIME to force a delay in reload-vcl between vcl.load and vcl.use
# This is useful when backend probe definitions need some time before declaring
# configured backends healthy, to avoid routing traffic to a non-healthy backend.
#WARMUP_TIME=0
ExecStart=/usr/sbin/varnishd -a :80 -T localhost:6082 -f /etc/varnish/default.vcl -S /etc/varnish/
secret -s malloc,256m
ExecReload=/usr/share/varnish/reload-vcl
[Install]
WantedBy=multi-user.target
Debian
Stretch with
systemd

View Slide

$ vim /etc/systemd/system/varnish.service
$ systemctl daemon-reload
$ service varnish reload
Reload with systemd

View Slide

DAEMON_OPTS="-a :80 \
-T localhost:6082 \
-f /etc/varnish/default.vcl \
-S /etc/varnish/secret \
-s malloc,256m"
Ubuntu
Trusty without
systemd

View Slide

vim /etc/default/varnish
service varnish reload
Reload with sysv

View Slide

-a: binding address & port
-T: admin binding
-f: VCL file
-S: secret file
-s: storage
-j: jailing
-l: shared memory log size
-t: default TTL
-p: runtime parameters
Options

View Slide

DAEMON_OPTS="-j unix,user=www-data \
-a main=0000:80 \
-a proxy=0.0.0.0:81,PROXY \
-T localhost:6082 \
-l 100m,10m \
-t 60 \
-p feature=+esi_disable_xml_check \
-p connect_timeout=20s \
-p first_byte_timeout=100s \
-p between_bytes_timeout=5s \
-s malloc,3g"

View Slide

The backend

View Slide

80

View Slide

Point of
entry? Bind
to 80
Otherwise
6081

View Slide

8080
HTTP-ALT

View Slide

Listen 8080
Apache

ports.conf
vhost

View Slide

listen 8080;
Nginx
vhost

View Slide

✓In VCL file
✓In config file using "-b"
Link backend to Varnish

View Slide

-a main=0.0.0.0:80 \
-a proxy=0.0.0.0:81,PROXY \
-T localhost:6082 \
-b 127.0.0.1:8080 \
-s malloc,3g"
Can't
have -f
In config file

View Slide

vcl 4.0; 
 
backend default { 
.host = "127.0.0.1"; 
.port = "8080"; 
}
In VCL file
Minimal
VCL

View Slide

Typical setups

View Slide

All-in-one
User
Varnish (80)
Nginx (8080)

View Slide

Dedicated Varnish
User Varnish (80)
Nginx (80)

View Slide

Multiple webservers
User
Varnish (80)
Nginx (8080)
Varnish (80)
Nginx (8080)
KeepAliveD

View Slide

Multiple webservers & dedicated Varnish
User
Varnish
(80)
KeepAliveD
Varnish
(80)
Nginx
(80)
Nginx
(80)

View Slide

Loadbalancing
User
Varnish
(80)
KeepAliveD
Varnish
(80)
Nginx
(80)
Nginx
(80)

View Slide

HAProxy loadbalancers
User
HAProxy (80)
Varnish (6081)
KeepAliveD
HAProxy (80)
Varnish (6081)
Nginx (80)
Nginx (80)

View Slide

Share the cache

View Slide

Share the cache
User
Nginx (80)
Nginx (80)
1
2
3
4
5
6
HAProxy (80)
Varnish ( 6080 & 6081)
HAProxy (80)
Varnish ( 6080 & 6081)

View Slide

Share the cache 2
User
HAProxy (80)
Varnish ( 6080 & 6081)
Nginx (80)
Nginx (80)
1
5
3
4
2
6
HAProxy (80)
Varnish ( 6080 & 6081)

View Slide

vcl 4.0;
import std;
backend nginx {
.host = "nginx";
.port = "80";
}
backend nginx2 {
.host = "nginx2";
.port = "80";
}
backend varnish {
.host = "varnish";
.port = "6080";
}
backend varnish2 {
.host = "varnish2";
.port = "6080";
}
sub vcl_recv {
if(server.hostname == "varnish") {
if(std.port(server.ip) == 6080) {
set req.backend_hint = nginx;
set req.http.x-esi = "yes";
} else {
set req.backend_hint = varnish2;
set req.http.x-esi = "no";
}
} else {
set req.backend_hint = nginx2;
} else {
set req.backend_hint = varnish;
}
}
}
sub vcl_backend_response {
if (bereq.http.x-esi == "yes" && beresp.http.Surrogate-Control ~ "ESI/1.0") {
unset beresp.http.Surrogate-Control;
set beresp.do_esi = true;
}
}

View Slide

sub vcl_recv {
if(server.hostname == "varnish") {
set req.backend_hint = nginx;
} else {
set req.backend_hint = varnish2;
}
} else {
set req.backend_hint = nginx2;
} else {
set req.backend_hint = varnish;
}
}
}

View Slide

What about TLS/SSL?

View Slide

✓HAProxy
✓Nginx
✓Pound
✓Hitch
Terminate TLS/SSL

View Slide

HAProxy
172.18.0.3
Varnish
172.18.0.8
Nginx
Public
HTTP & HTTPS
HTTP
HTTP
Certificates go here

View Slide

How do you know if it
was HTTP or HTTPS?

View Slide

X-Forwarded-Proto: https
X-Forwarded-Proto: http

View Slide

if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
$_SERVER['HTTPS']='on';

View Slide

View Slide

SetEnvIf X-Forwarded-Proto "https" HTTPS=on
Header append Vary: X-Forwarded-Proto

RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
[L,R=301]

View Slide

Demo setup

View Slide

https://github.com/ThijsFeryn/
varnishtraining

View Slide

$ docker-compose up
$ docker-compose down
$ docker-compose up -d
$ docker-compose logs
$ docker-compose logs -f
$ docker-compose logs varnish
$ docker-compose logs -f varnish

View Slide

HAProxy (80 & 81)
Varnish
(6080, 6081, 6082, 6083)
Nginx (80)
PHP-FPM (9000)
Varnish 2
(6080, 6081, 6082, 6083)
Nginx 2 (80)
PHP-FPM 2 (9000)
MySQL (3306)
Redis (6379)
Demo setup

View Slide

✓sflive-varnish2: 172.18.0.10
✓sflive-varnish: 172.18.0.8
✓sflive-nginx2: 172.18.0.6
✓sflive-nginx: 172.18.0.2
✓sflive-php2: 172.18.0.5
✓sflive-php: 172.18.0.4
✓sflive-haproxy: 172.18.0.3
✓sflive-redis: 172.18.0.7
✓sflive-mysql: 172.18.0.9
Demo setup IPs

View Slide

View Slide

FROM debian:stretch as builder
WORKDIR /usr/lib/varnish/vmods/
RUN apt-get update \
&& apt-get install -y curl \
&& curl -s https://packagecloud.io/install/repositories/varnishcache/varnish5/
script.deb.sh | bash \
&& apt-get install -y unzip automake varnish=5.2.0-1~stretch varnish-
dev=5.2.0-1~stretch build-essential libtool docutils-common libmhash-dev --allow-
unauthenticated \
&& curl -O https://download.varnish-software.com/varnish-modules/varnish-
modules-0.12.1.tar.gz \
&& tar xvzf varnish-modules-0.12.1.tar.gz \
&& (cd varnish-modules-0.12.1 && ./configure && make && make install) \
&& curl -O -L https://github.com/gquintard/libvmod-accept/archive/master.zip \
&& unzip master.zip \
&& (cd libvmod-accept-master && ./autogen.sh && ./configure && make && make
install) \
&& curl -O -L https://github.com/varnish/libvmod-digest/archive/master.zip \
&& (cd libvmod-digest-master && ./autogen.sh && ./configure && make && make
install)
FROM debian:stretch
WORKDIR /etc/varnish
EXPOSE 6080
EXPOSE 6081
EXPOSE 6082
EXPOSE 6083
ENV SIZE 100m
ENV SECRET E29F6DE6-3803-449E-8A01-AA537A8715B1
ARG BACKEND=nginx

View Slide

install) \
&& curl -O -L https://github.com/varnish/libvmod-digest/archive/master.zip \
&& (cd libvmod-digest-master && ./autogen.sh && ./configure && make && make
install)
FROM debian:stretch
WORKDIR /etc/varnish
EXPOSE 6080
EXPOSE 6081
EXPOSE 6082
EXPOSE 6083
ENV SIZE 100m
ENV SECRET E29F6DE6-3803-449E-8A01-AA537A8715B1
ARG BACKEND=nginx
RUN apt-get update \
&& apt-get install -y curl \
&& curl -s https://packagecloud.io/install/repositories/varnishcache/varnish5/
script.deb.sh | bash \
&& apt-get install -y varnish=5.2.0-1~stretch libmhash-dev --no-install-recommends
--allow-unauthenticated \
&& rm -rf /var/lib/apt/lists/* \
&& /bin/bash -c ' echo "$SECRET" > /etc/varnish/secret' \
&& rm -rf /usr/lib/varnish/vmods/libvmod_*.so
COPY --from=builder /usr/lib/varnish/vmods/libvmod_*.so /usr/lib/varnish/vmods/
CMD ["/bin/bash","-c","/usr/sbin/varnishd -j unix,user=varnish -s malloc,$SIZE -F -a
internal=0.0.0.0:6080 -a main=0.0.0.0:6081 -a proxy=0.0.0.0:6083,PROXY -T 0.0.0.0:6082
-f /etc/varnish/default.vcl -S /etc/varnish/secret -p feature=+esi_disable_xml_check -
p vsl_mask=+Hash"]

View Slide

What’s the real IP?
172.18.0.1 ?

View Slide

HAProxy
172.18.0.3
Varnish
172.18.0.8
Nginx
Public
172.18.0.1

View Slide

X-Forwarded-For

View Slide

Nginx
Public
172.18.0.1
Client IP: 172.18.0.1
X-Forwarded-For:

View Slide

Varnish
172.18.0.8
Nginx
Public
172.18.0.1
Client IP: 172.18.0.8
X-Forwarded-For: 172.18.0.1

View Slide

HAProxy
172.18.0.3
Varnish
172.18.0.8
Nginx
Public
172.18.0.1
Client IP: 172.18.0.8

View Slide

PROXY Protocol

View Slide

Add original IP as
TCP preamble

View Slide

-a :80 \
-a :81,PROXY \
-T localhost:6082 \
-l 100m,10m \
-t 60 \
-s malloc,3g"

View Slide

Varnish automatically sets
X-Forwarded-For to the
original IP using PROXY
protocol

View Slide

HAProxy
172.18.0.3
Varnish
172.18.0.8
Nginx
Public
172.18.0.1
Client IP: 172.18.0.8

View Slide

View Slide

There are rules

View Slide

✓Idempotence
✓State
✓Expiration
✓Conditional requests
✓Cache variations
Varnish speaks HTTP

View Slide

Idempotence
Execute
multiple
times
Result
doesn't
change

View Slide

✓ GET
✓ HEAD
- POST
- PUT
- DELETE
- PATCH
Idempotence
Result
changes
Result
doesn't
change
Don't
cache

View Slide

State

View Slide

State
~
user specific
data
Cookies
Auth
headers

View Slide

About cookies

View Slide

✓ Request header
✓ Sent by client (~browser)
✓ Sent on every request
✓ Describes state
✓ Is not cached
✓ 3rd party tracking cookies vs own
cookies
About cookies
Cookie: key=value;key2=value2

View Slide

✓ Response header
✓ Sent by backend server
✓ Only when backend is called
✓ Changes state
✓ Is not cached
✓ Blacklisted for 120s (by default)
About cookies
Set-Cookie: key=another_value

View Slide

Time
To
Live

View Slide

✓ 120s by default
✓ Respects HTTP cache-control header
✓ Respects expires header
✓ Override in VCL file
Time to live

View Slide

1.VCL
2.s-maxage
3.max-age
4.expires
5.Default value 120s
TTL Order

View Slide

Use TTL not to cache
Cache-Control: max-age=0
Cache-Control: s-maxage=0
Cache-Control: private
Cache-Control: no-cache
Cache-Control: no-store
Expires: Fri, 1 Jan 1971 00:00:00 GMT

View Slide

Combine values
Cache-Control: public, max-
age=1000, s-maxage=3600

View Slide

Age
Age: 10
How old is the
cached object?

View Slide

Real cache duration
max-age - Age
s-maxage - Age

View Slide

Don’t set the Age
header yourself!

View Slide

Conditional
requests

View Slide

Only fetch
payload that has
changed

View Slide

Otherwise:
HTTP/1.1 304 Not Modified

View Slide

In both directions
User Varnish Server
304 Not Modified 304 Not Modified

View Slide

✓ Conserve bandwidth
✓ Reduce load on the backend when
revalidating
Conditional requests

View Slide

HTTP/1.1 200 OK
Host: localhost
Etag: 7c9d70604c6061da9bb9377d3f00eb27
Content-type: text/html; charset=UTF-8
Hello world output
GET /if_none_match.php HTTP/1.1
Host: localhost
User-Agent: curl/7.48.0

View Slide

Host: localhost
Etag: 7c9d70604c6061da9bb9377d3f00eb27
Host: localhost
If-None-Match:
7c9d70604c6061da9bb9377d3f00eb27

View Slide

HTTP/1.1 200 OK
Host: localhost
Last-Modified: Fri, 22 Jul 2016 10:11:16 GMT
Content-type: text/html; charset=UTF-8
Hello world output
Host: localhost

View Slide

Host: localhost
Last-Modified: Fri, 22 Jul 2016 10:11:16 GMT
Host: localhost
If-Last-Modified: Fri, 22 Jul 2016 10:11:16
GMT

View Slide

Store etag or
modification date

View Slide

Validate early on

View Slide

Exit quickly

View Slide

Varnish can revalidate
aynchronously

View Slide

And serve stale data while
that happens

View Slide

Grace mode

View Slide

Effective TTL = TTL + grace

View Slide

Cache-Control: public, max-age=100, s-maxage=3600,
stale-while-revalidate=7200
Stale-While-Revalidate
Set grace mode

View Slide

Variations

View Slide

Cache is
not the
same for
everyone

View Slide

✓ URL
✓ Hostname
✓ IP if hostname is not set
✓ Vary header
Basic variations

View Slide

Vary header
Vary: Accept-Encoding
Vary: Accept-Language
Vary: Cookie
Watch out!

View Slide

The flow

View Slide

View Slide

Varnish
Configuration
Language

View Slide

DSL compiled
and linked as
shared object

View Slide

/etc/varnish/default.vcl

View Slide

Hooks
&
subroutines

View Slide

VCL
Recv
VCL
Hash
VCL
Miss
VCL
Hit
VCL
Backend
Response
VCL
Deliver
VCL
Purge
VCL
Error
VCL
Pipe
VCL
Pass
VCL
Synth
VCL
Backend
Error

View Slide

✓vcl_recv: receive request
✓vcl_hash: compose cache key
✓vcl_miss: not found in cache
✓vcl_hit: found in cache
✓vcl_pass: don’t store in cache
✓vcl_pipe: bypass cache
✓vcl_backend_fetch: connect to
backend
✓vcl_backend_response: response from
backend
✓vcl_backend_error: backend fetch
failed

View Slide

✓vcl_purge: after successful purge
✓vcl_synth: send synthetic output
✓vcl_deliver: return data to client
✓vcl_init: initialize VMODs
✓vcl_fini: discard VMODs
✓vcl_fail: stop execution

View Slide

Actions

View Slide

✓ hash: lookup in cache
✓ pass: don't cache
✓ synth: synthetic HTML output
✓ pipe: bypass cache
✓ purge: remove from cache
VCL_RECV

View Slide

✓ pipe: bypass cache
VCL_PIPE

View Slide

✓ fetch: fetch data from
backend, don't cache
✓ restart: restart transaction
VCL_PASS

View Slide

✓ deliver: send cached object
✓ miss: synchronous refresh
despite hit
✓ pass: fetch data from
backend despite hit, don't
cache
VCL_HIT

View Slide

✓ fetch: fetch data from
backend
✓ pass: fetch data from
backend, don't cache
VCL_MISS

View Slide

✓ lookup: look for cached
object by using hash key
VCL_HASH

View Slide

VCL_PURGE

View Slide

✓ deliver: deliver object to
client
VCL_DELIVER

View Slide

✓ deliver: deliver synthetic
output to client
VCL_SYNTH

View Slide

✓ fetch: fetch object from
backend
✓ abandon: abandon request
and send HTTP 503 error
VCL_BACKEND_FETCH

View Slide

✓ deliver: send fetched data to
client
✓ abandon: abandon request
and send HTTP 503 error
✓ retry: retry backend request
VCL_BACKEND_RESPONSE

View Slide

✓ deliver: send fetched data to
client
✓ retry: retry backend request
VCL_BACKEND_ERROR

View Slide

Typical flows

View Slide

✓ vcl_recv: hash
✓ vcl_hash: lookup
✓ vcl_miss: fetch
✓ vcl_backend_request: fetch
✓ vcl_backend_response: deliver
✓ vcl_deliver: deliver
MISS

View Slide

✓ vcl_recv: hash
✓ vcl_hash: lookup
✓ vcl_hit: deliver
HIT

View Slide

✓ vcl_recv: pass
✓ vcl_pass: fetch
✓ vcl_backend_request: fetch
✓ vcl_backend_response: deliver
PASS

View Slide

Objects

View Slide

✓ req: incoming request object
✓ req_top: top level esi request
✓ bereq: request object to send to
backend
✓ beresp: backend response
✓ resp: response to send back to
client
✓ obj: cached object
✓ client: client information
✓ server: server information
✓ local: local TCP information
✓ remote: remote TCP information
✓ storage: storage information
VCL Objects

View Slide

Variables

View Slide

✓ req.url
✓ req.http.host
✓ req.http.user-agent
✓ req.backend_hint
✓ req.method
✓ …
req variables

View Slide

✓ bereq.backend
✓ bereq.http.user-agent
✓ bereq.method
✓ bereq.url
✓ …
bereq variables

View Slide

✓ beresp.age
✓ beresp.backend.ip
✓ beresp.backend.name
✓ beresp.do_esi
✓ beresp.grace
✓ beresp.keep
✓ beresp.http.set-cookie
✓ beresp.ttl
✓ beresp.status
✓ beresp.uncacheable
beresp variables

View Slide

✓ client.ip
✓ client.identity
client variables
local variables
✓ local.ip
remote variables
✓ remote.ip

View Slide

✓ obj.age
✓ obj.grace
✓ obj.hits
✓ obj.http.cache-control
✓ obj.reason
✓ obj.status
✓ obj.ttl
object variables

View Slide

✓ resp.http.user-agent
✓ resp.is_streaming
✓ resp.reason
✓ resp.status
resp variables

View Slide

✓ storage..free_space
✓ storage..used_space
✓ storage..happy
storage variables

View Slide

Default
behaviour

View Slide

vcl 4.0;
sub vcl_recv {
if (req.method == "PRI") {
return (synth(405));
}
if (req.method != "GET" &&
req.method != "HEAD" &&
req.method != "PUT" &&
req.method != "POST" &&
req.method != "TRACE" &&
req.method != "OPTIONS" &&
req.method != “PATCH" &&
req.method != "DELETE") {
return (pipe);
}
if (req.method != "GET" && req.method != "HEAD") {
return (pass);
}
if (req.http.Authorization || req.http.Cookie) {
return (pass);
}
return (hash);
}
Idempotence
State
Action
Receive
request

View Slide

sub vcl_hash {
hash_data(req.url);
if (req.http.host) {
hash_data(req.http.host);
} else {
hash_data(server.ip);
}
return (lookup);
}
Lookup in
cache
Variations
Action

View Slide

sub vcl_purge {
return (synth(200, "Purged"));
}
sub vcl_hit {
if (obj.ttl >= 0s) {
return (deliver);
}
if (obj.ttl + obj.grace > 0s) {
return (deliver);
}
return (miss);
}
sub vcl_miss {
return (fetch);
}
sub vcl_deliver {
return (deliver);
}
Remove
from cache
Found in
cache
Not found in
cache
Return
HTTP response to
client

View Slide

sub vcl_synth {
set resp.http.Content-Type = "text/html; charset=utf-8";
set resp.http.Retry-After = "5";
synthetic( {"

"} + resp.status + " " + resp.reason + {"

Error "} + resp.status + " " + resp.reason + {"
"} + resp.reason + {"
Guru Meditation:
XID: "} + req.xid + {"

Varnish cache server

"} );
return (deliver);
}
Send
custom HTML

View Slide

sub vcl_backend_fetch {
return (fetch);
}
if (bereq.uncacheable) {
return (deliver);
} else if (beresp.ttl <= 0s ||
beresp.http.Set-Cookie ||
beresp.http.Surrogate-control ~ "no-store" ||
(!beresp.http.Surrogate-Control &&
beresp.http.Cache-Control ~ "no-cache|no-store|private") ||
beresp.http.Vary == "*") {
set beresp.ttl = 120s;
set beresp.uncacheable = true;
}
return (deliver);
}
Send
backend
request
Receive
backend
response
TTL
State
Receive
backend
response

View Slide

sub vcl_backend_error {
set beresp.http.Content-Type = "text/html; charset=utf-8";
set beresp.http.Retry-After = "5";
synthetic( {"

"} + beresp.status + " " + beresp.reason + {"

Error "} + beresp.status + " " + beresp.reason + {"
"} + beresp.reason + {"
Guru Meditation:
XID: "} + bereq.xid + {"

Varnish cache server

"} );
return (deliver);
}
Send
custom HTML on
backend error

View Slide

Minimal VCL

View Slide

vcl 4.0;
backend default {
.host = "127.0.0.1";
.port = "8080";
}
Minimal VCL

View Slide

vcl 4.0;
backend default {
.host = "127.0.0.1";
.port = "80";
.max_connections = 300;
.first_byte_timeout = 300s;
.connect_timeout = 5s;
.between_bytes_timeout = 2s;
}
More backend work

View Slide

vcl 4.0;
backend default {
.host = "127.0.0.1";
.port = "80";
.probe = {
.url = "/";
.interval = 5s;
.timeout = 1s;
.window = 5;
.threshold = 3;
}
}
Even more backend work

View Slide

vcl 4.0;
backend default {
.host = "127.0.0.1";
.port = "80";
.probe = {
.request =
"HEAD / HTTP/1.1"
"Host: localhost"
"Connection: close"
"User-Agent: Varnish Health Probe";
.interval = 5s;
.timeout = 1s;
.window = 5;
.threshold = 3;
}
}
Even more backend work

View Slide

VMOD

View Slide

Varnish modules

View Slide

Written in C

View Slide

Exposes new VCL
objects

View Slide

Added functionality

View Slide

vcl 4.0;
import directors;
import std;
import cookie;
sub vcl_init {
new vdir = directors.round_robin();
vdir.add_backend(…);
vdir.add_backend(…);
}
VMOD

View Slide

vmod_std

View Slide

sub vcl_recv {
if(std.file_exists("/etc/varnish/file.txt")) {
return(synth(200,std.fileread("/etc/varnish/file.txt")));
} else {
return(synth(200,"File does not exist"));
}
}
std.fileread

View Slide

sub vcl_recv {
return(synth(200,"FOO: " + std.getenv("FOO")));
}
std.getenv

View Slide

vcl 4.0;
import std;
backend default {
.host = "nginx";
.port = "80";
.probe = {
.url = "/";
.interval = 1s;
.timeout = 1s;
.window = 5;
.threshold = 3;
}
}
sub vcl_recv {
if(std.healthy(req.backend_hint)) {
return(synth(200,"Backend is healthy"));
} else {
return(synth(200,"Backend is unhealthy"));
}
}
std.healthy

View Slide

sub vcl_recv {
std.timestamp("Before std.log");
std.log("This should appear in the Shared Memory Log");
std.timestamp("After std.log");
std.syslog(9,"This should appear in the Syslog");
std.timestamp("After std.syslog");
return(synth(200,"OK"));
}
Logging

View Slide

sub vcl_recv {
return(synth(200,"Client port: " + std.port(client.ip) + ", server
port: " + std.port(server.ip)));
}
std.port

View Slide

sub vcl_recv {
return(synth(200,"Unsorted: " + regsub(req.url,"\?(.+)$","\1") + ",
sorted: " + regsub(std.querysort(req.url),"\?(.+)$","\1")));
}
std.querysort

View Slide

sub vcl_recv {
return(synth(200,std.real2integer(std.random(1,10),0)));
}
std.random & std.real2integer

View Slide

sub vcl_recv {
return(synth(200,std.toupper("yes") + " " + std.tolower("YES")));
}
std.toupper & std.tolower

View Slide

https://varnish-cache.org/docs/5.2/
reference/vmod_std.generated.html

View Slide

Load balancing

View Slide

vcl 4.0;
import directors;
backend server1 {
.host = “1.2.3.4”;
.port = "80";
.probe = {
.request =
"HEAD / HTTP/1.1"
"Host: localhost"
"Connection: close"
.interval = 5s;
.timeout = 1s;
.window = 5;
.threshold = 3;
}
}
Loadbalancing: server 1

View Slide

backend server2 {
.host = “1.2.3.5”;
.port = "80";
.probe = {
.request =
"HEAD / HTTP/1.1"
"Host: localhost"
"Connection: close"
.interval = 5s;
.timeout = 1s;
.window = 5;
.threshold = 3;
}
}
Loadbalancing: server 2

View Slide

sub vcl_init {
new vdir = directors.round_robin();
vdir.add_backend(server1);
}
sub vcl_recv {
set req.backend_hint = vdir.backend();
}
Loadbalancing: round robin

View Slide

sub vcl_init {
new vdir = directors.random();
vdir.add_backend(server1,2);
vdir.add_backend(server2,3);
}
sub vcl_recv {
}
Loadbalancing: random

View Slide

sub vcl_init {
new vdir = directors.fallback();
}
sub vcl_recv {
}
Loadbalancing: fallback

View Slide

sub vcl_init {
new vdir = directors.hash();
}
sub vcl_recv {
set req.backend_hint = vdir.backend(req.url);
}
Loadbalancing: URL hash

View Slide

sub vcl_init {
new vdir = directors.hash();
}
sub vcl_recv {
set req.backend_hint = vdir.backend(client.identity);
}
Loadbalancing: IP hash

View Slide

sub vcl_recv {
if(req.url ~ “^/products”) {
set req.backend_hint = server1;
} else {
set req.backend_hint = server2;
}
}
Conditional loadbalancing

View Slide

Install other
VMODs

View Slide

apt-get install -y varnish varnish-dev build-essential
curl -O https://download.varnish-software.com/varnish-
modules/varnish-modules-0.12.1.tar.gz
tar xvzf varnish-modules-0.12.1.tar.gz
cd varnish-modules-0.12.1
./configure
make
make install
Install official VMODs

View Slide

apt-get install -y varnish varnish-modules
Install basic VMODs
If you install Varnish
5.0.0 via Debian repo

View Slide

vmod_cookie

View Slide

vcl 4.0;
sub vcl_recv {
if (req.http.Cookie) {
set req.http.Cookie = ";" + req.http.Cookie;
set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
set req.http.Cookie = regsuball(req.http.Cookie, ";(PHPSESSID)=", "; \1=");
set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
if (req.http.cookie ~ "^\s*$") {
unset req.http.cookie;
}
}
}
Without vmod_cookie

View Slide

vcl 4.0;
import cookie;
sub vcl_recv {
if (req.http.cookie) {
cookie.parse(req.http.cookie);
cookie.filter_except("PHPSESSID");
set req.http.cookie = cookie.get_string();
}
}
}
With vmod_cookie

View Slide

vcl 4.0;
import cookie;
sub vcl_recv {
if(cookie.isset("PHPSESSID")) {
return(synth(200,"PHPSESSID is set and contains the following value: " +
cookie.get("PHPSESSID") + ""));
}
}
Other vmod_cookie examples

View Slide

vcl 4.0;
import cookie;
sub vcl_recv {
if(cookie.isset(“PHPSESSID") && req.url ~ "^/products/[0-9]+$") {
cookie.delete("PHPSESSID");
}
}
Other vmod_cookie examples

View Slide

https://github.com/varnish/varnish-
modules/blob/master/docs/
vmod_cookie.rst

View Slide

vmod_accept

View Slide

https://github.com/gquintard/libvmod-accept

View Slide

vcl 4.0;
import accept;
backend default {
.host = "nginx";
.port = "80";
}
sub vcl_init {
new rule = accept.rule("en");
rule.add("nl");
}
sub vcl_recv {
set req.http.x-old-accept-language= req.http.Accept-Language;
set req.http.Accept-Language = rule.filter(req.http.Accept-Language);
return(synth(200,"Raw Accept-Language: "+req.http.x-old-accept-
language+"Filtered Accept-Language: "+req.http.Accept-Language+"
ul>"));
}
vmod_accept

View Slide

• Raw Accept-Language: nl,en-US;q=0.8,en;q=0.6
• Filtered Accept-Language: nl
vmod_accept output

View Slide

vcl 4.0;
import accept;
backend default {
.host = "nginx";
.port = "80";
}
sub vcl_init {
new language = accept.rule("en");
language.add("nl");
new encoding = accept.rule("deflate");
language.add("gzip");
new contenttype = accept.rule("text/plain");
contenttype.add("text/html");
contenttype.add("application/json");
}
sub vcl_recv {
set req.http.Accept-Language = language.filter(req.http.Accept-Language);
set req.http.Accept-Encoding = encoding.filter(req.http.Accept-Encoding);
set req.http.Accept = contenttype.filter(req.http.Accept);
}
vmod_accept

View Slide

Why is this useful?

View Slide

Accept-Language: nl,en-US;q=0.8,en;q=0.6
Too many
variations
Impacts hit
rate
Why is vmod_accept useful?
Accept-Language: nl
Less variations

View Slide

More VMODs
coming up later

View Slide

In an ideal world

View Slide

HTTP best practices
>
custom VCL

View Slide

Reality
sucks

View Slide

View Slide

Don’t trust the end-user

View Slide

Cache-control ?

View Slide

Legacy

View Slide

Write VCL

View Slide

Normalize

View Slide

vcl 4.0;
import accept;
import std;
backend default {
.host = "nginx";
.port = "80";
}
sub vcl_init {
new language = accept.rule("en");
language.add("nl");
new encoding = accept.rule("");
language.add("deflate");
language.add("gzip");
new contenttype = accept.rule("text/plain");
contenttype.add("text/html");
contenttype.add("application/json");
}
sub vcl_recv {
set req.http.Accept-Language = language.filter(req.http.Accept-Language);
set req.http.Accept-Encoding = encoding.filter(req.http.Accept-Encoding);
set req.http.Accept = contenttype.filter(req.http.Accept);
if (req.http.User-Agent ~ "MSIE 6" || req.http.Accept-Encoding ~ "^\s*$") {
unset req.http.Accept-Encoding;
}
set req.http.Host = regsub(req.http.Host, ":[0-9]+", "");
set req.url = std.querysort(req.url);
Normalize

View Slide

if (req.url ~ "(\?|&)(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteurl)=") {
set req.url = regsuball(req.url, "&(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|
siteurl)=([A-z0-9_\-\.%25]+)", "");
set req.url = regsuball(req.url, "\?(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|
siteurl)=([A-z0-9_\-\.%25]+)", "?");
set req.url = regsub(req.url, "\?&", "?");
set req.url = regsub(req.url, "\?$", "");
}
if (req.url ~ "\#") {
set req.url = regsub(req.url, "\#.*$", "");
}
if (req.url ~ "\?$") {
set req.url = regsub(req.url, "\?$", "");
}
}
Normalize

View Slide

Static assets

View Slide

vcl 4.0;
sub vcl_recv {
if (req.url ~ "^[^?]*\.(7z|avi|bmp|bz2|css|csv|doc|docx|eot|flac|flv|
gif|gz|ico|jpeg|jpg|js|less|mka|mkv|mov|mp3|mp4|mpeg|mpg|odt|otf|ogg|
ogm|opus|pdf|png|ppt|pptx|rar|rtf|svg|svgz|swf|tar|tbz|tgz|ttf|txt|txz|
wav|webm|webp|woff|woff2|xls|xlsx|xml|xz|zip)(\?.*)?$") {
unset req.http.Cookie;
return (hash);
}
}
if (bereq.url ~ "^[^?]*\.(7z|avi|bmp|bz2|css|csv|doc|docx|eot|flac|
flv|gif|gz|ico|jpeg|jpg|js|less|mka|mkv|mov|mp3|mp4|mpeg|mpg|odt|otf|
ogg|ogm|opus|pdf|png|ppt|pptx|rar|rtf|svg|svgz|swf|tar|tbz|tgz|ttf|txt|
txz|wav|webm|webp|woff|woff2|xls|xlsx|xml|xz|zip)(\?.*)?$") {
unset beresp.http.set-cookie;
}
if (bereq.url ~ "^[^?]*\.(7z|avi|bz2|flac|flv|gz|mka|mkv|mov|mp3|mp4|
mpeg|mpg|ogg|ogm|opus|rar|tar|tgz|tbz|txz|wav|webm|xz|zip)(\?.*)?$") {
unset beresp.http.set-cookie;
set beresp.do_stream = true;
set beresp.do_gzip = false;
}
}
Cache static assets

View Slide

Do you really
want to cache
static assets?

View Slide

Nginx or
Apache can
be fast
enough for
that

View Slide

vcl 4.0;
import std;
sub vcl_recv {
if (req.url ~ "^[^?]*\.(7z|avi|bmp|bz2|css|csv|doc|docx|eot|flac|flv|
gif|gz|ico|jpeg|jpg|js|less|mka|mkv|mov|mp3|mp4|mpeg|mpg|odt|otf|ogg|
ogm|opus|pdf|png|ppt|pptx|rar|rtf|svg|svgz|swf|tar|tbz|tgz|ttf|txt|txz|
wav|webm|webp|woff|woff2|xls|xlsx|xml|xz|zip)(\?.*)?$") {
return (pass);
}
}
Don’t cache static assets

View Slide

URL whitelist/blacklist

View Slide

sub vcl_recv {
if (req.url ~ "^/status\.php$" ||
req.url ~ "^/update\.php$" ||
req.url ~ "^/admin$" ||
req.url ~ "^/admin/.*$" ||
req.url ~ "^/user$" ||
req.url ~ "^/user/.*$" ||
req.url ~ "^/flag/.*$" ||
req.url ~ "^.*/ajax/.*$" ||
req.url ~ "^.*/ahah/.*$") {
return (pass);
}
}
URL blacklist

View Slide

sub vcl_recv {
if (req.url ~ "^/products/?"
return (hash);
}
}
URL whitelist

View Slide

Those damn
cookies again!

View Slide

vcl 4.0;
sub vcl_recv {
set req.http.Cookie = regsuball(req.http.Cookie, "has_js=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "__utm.=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "_ga=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "_gat=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "utmctr=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "utmcmd.=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "utmccn.=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "__gads=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "__qc.=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "__atuv.=[^;]+(; )?", "");
set req.http.Cookie = regsuball(req.http.Cookie, "^;\s*", "");
}
}
Remove tracking cookies

View Slide

vcl 4.0;
sub vcl_recv {
set req.http.Cookie = regsuball(req.http.Cookie, ";(PHPSESSID)=", "; \1=");
}
}
}
Only keep session cookie

View Slide

vcl 4.0;
sub vcl_recv {
cookie.filter_except("PHPSESSID");
}
}
}
The VMOD way

View Slide

sub vcl_recv {
set req.http.Cookie = regsuball(req.http.Cookie, ";(language)=", "; \1=");
return(pass);
}
return(hash);
}
}
sub vcl_hash {
hash_data(regsub( req.http.Cookie, "^.*language=([^;]*);*.*$", "\1" ));
}
Language cookie cache variation

View Slide

vcl 4.0;
import cookie;
backend default {
.host = "nginx";
.port = "80";
}
sub vcl_recv {
cookie.filter_except("language");
}
return(hash);
}
}
sub vcl_hash {
hash_data(cookie.get("language"));
}
The VMOD way

View Slide

Alternative
language
cache
variation

View Slide

sub vcl_hash {
hash_data(req.http.Accept-Language);
}
Language cookie cache variation
Or just send a
“Vary:Accept-Language”
header

View Slide

sub vcl_recv {
return(hash);
}
Cache, even with cookies

View Slide

sub vcl_hash {
hash_data(req.http.Cookie);
}
Hash all cookies

View Slide

Block caching

View Slide

View Slide

Code
renders
single HTTP
response

View Slide

Lowest
denominator:
no cache

View Slide

Edge Side Includes
✓Placeholder
✓Parsed by Varnish
✓Output is a composition of blocks
✓State per block
✓TTL per block

View Slide

sub vcl_recv {
set req.http.Surrogate-Capability = "key=ESI/1.0";
}
if (beresp.http.Surrogate-Control ~ "ESI/1.0") {
}
}
Edge Side Includes

View Slide

header("Cache-Control: public,must-revalidate,s-maxage=10");
echo "Date in the ESI tag: ".date('Y-m-d H:i:s').'
';
header("Cache-Control: no-store");
header(“Surrogate-Control: content='ESI/1.0'");
echo ''.PHP_EOL;
echo "Date in the main page: ".date('Y-m-d H:i:s').'
';
Main page
ESI frame:
esi.php
Cached for
10 seconds
Not cached

View Slide

ESI_xmlerror No ESI processing, first char not 'feature esi_disable_xml_check)
Expects HTML/
XML tags

View Slide

-p feature=+esi_disable_xml_check
Add as
startup option

View Slide

req_top
Get
information about
parent request in an
ESI call

View Slide

vcl 4.0;
backend default {
.host = "nginx";
.port = "80";
}
sub vcl_recv {
if (req.esi_level > 0) {
set req.http.x-parent-url = req_top.url;
}
}
if (beresp.http.Surrogate-Control ~ "ESI/1.0") {
}
}
Get parent URL

View Slide

ESI
vs
AJAX

View Slide

✓ Server-side
✓ Standardized
✓ Processed on the
“edge”, no in the
browser
✓ Generally faster
Edge-Side Includes
- Sequential
- One fails, all fail
- Limited
implementation in
Varnish

View Slide

✓ Client-side
✓ Common knowledge
✓ Parallel processing
✓ Graceful
degradation
AJAX
- Processed by the
browser
- Extra roundtrips
- Somewhat slower

View Slide

Choose wisely

View Slide

Assemble at the view layer

View Slide

{{ render_esi(controller('AppBundle:News:latest', { 'maxPerPage': 5 })) }}
{{ render_esi(url('latest_news', { 'maxPerPage': 5 })) }}
In your Twig
templates
Silex or
Symfony
Falls back to
internal subrequests
on failure
Does ESI

View Slide

{{ render_hinclude(controller('AppBundle:News:latest', { 'maxPerPage': 5 })) }}
{{ render_hinclude(url(‘latest_news', { 'maxPerPage': 5 })) }}
In your Twig
templates
Silex or
Symfony
Requires hinclude.js
Does AJAX

View Slide

ESI vs HInclude

Extra
parameters

View Slide

Silex example

View Slide

use Symfony\Component\HttpFoundation\Response;
require_once dirname(__DIR__).'/vendor/autoload.php';
$app = new Silex\Application();
$app['debug'] = true;
$app->register(new Silex\Provider\TwigServiceProvider(), [
'twig.path' => dirname(__DIR__).'/views'
]);
$app->register(new Silex\Provider\HttpCacheServiceProvider());
$app->register(new Silex\Provider\HttpFragmentServiceProvider());
$app->get('/', function() use($app) {
$response = new Response($app['twig']->render('index.twig'));
$response->setSharedMaxAge(10);
return $response;
});
$app->get('/header', function() use($app) {
$response = new Response($app['twig']->render('header.twig'));
$response->setPrivate();
return $response;
})->bind('header');
$app->get('/footer', function() use($app) {
$response = new Response($app['twig']->render('footer.twig'));
$response->setSharedMaxAge(3);
return $response;
})->bind('footer');
$app->run();

View Slide

{{ render_esi(url('header')) }}
Main content

Date and time
{{ "now"|date("m/d/Y H:i:s") }}

{{ render_hinclude(url('footer')) }}
 script> </body> </html> index.twig 

View Slide

Header

Date and time

header.twig

View Slide

Footer

Date and time

footer.twig

View Slide

Control
Time
To
Live

View Slide

set beresp.ttl = 3h;
}
Control Time To Live

View Slide

if (beresp.ttl <= 0s || beresp.http.Set-Cookie ||
beresp.http.Vary == "*") {
set beresp.ttl = 120s;
set beresp.uncacheable = true;
return (deliver);
}
}
Control Time To Live

View Slide

Debugging

View Slide

sub vcl_deliver {
if (obj.hits > 0) {
set resp.http.X-Cache = "HIT";
} else {
set resp.http.X-Cache = "MISS";
}
}
Debugging

View Slide

Anonymize

View Slide

sub vcl_deliver {
unset resp.http.X-Powered-By;
unset resp.http.Server;
unset resp.http.X-Drupal-Cache;
unset resp.http.X-Varnish;
unset resp.http.Via;
unset resp.http.Link;
unset resp.http.X-Generator;
}
Anonymize

View Slide

Breaking news isn't breaking

View Slide

Purging

View Slide

acl purgers {
"localhost";
"127.0.0.1";
"::1";
}
sub vcl_recv {
if (req.method == "PURGE") {
if (client.ip !~ purgers) {
return (synth(405, "Method not allowed"));
}
return (purge);
}
}
Purging

View Slide

Purging
curl -XPURGE "http://example.com/products"
Immediately
remove from
memory

View Slide

header('Cache-control: no-cache');
$curl = curl_init('http://localhost/');
curl_setopt_array($curl,[
CURLOPT_RETURNTRANSFER => true,
CURLOPT_CUSTOMREQUEST => 'PURGE'
]);
echo curl_exec($curl).PHP_EOL;
Purging

View Slide

header('Cache-control: no-cache');
require 'guzzle.phar';
$client = new GuzzleHttp\Client(['base_uri' => 'http://localhost:6081/']);
$response = $client->request('PURGE', '/');
if($response->getStatusCode() == 200) {
echo "PURGED".PHP_EOL;
} else {
echo $response->getBody();
}
Purging

View Slide

acl purge {
"localhost";
"127.0.0.1";
"::1";
}
sub vcl_recv {
}
if(req.http.x-purge-regex) {
ban("req.http.host == " + req.http.host + " && req.url ~ " + req.http.x-purge-regex);
} else {
ban("req.http.host == " + req.http.host + " && req.url == " + req.url);
}
}
}
Banning

View Slide

Banning
curl -XPURGE "http://example.com/products"
curl -XPURGE -H "x-purge-regex:/products" "http://example.com"
Add to ban list, remove
on next request
Remove patterns via
“X-PURGE-REGEX”

View Slide

Lurker-friendly bans

View Slide

Ban lurker
Object
User
Varnish
Server
Sends HTTP
response
Response
stored in
object
Sends BAN to
Varnish
Ban lurker
thread
Ban list
Reads
ban list
Removes
object
ban req.http.host == localhost && req.url ~ /products

View Slide

Ban lurker
ban req.http.host == localhost && req.url ~ /products
Lurker can’t match
request info
Lurker can only
match what’s in the
object
Next visitor
triggers cache
remove

View Slide

acl purge {
"localhost";
"127.0.0.1";
"::1";
}
sub vcl_recv {
}
if(req.http.x-purge-regex) {
ban("obj.http.x-host == " + req.http.host + " && obj.http.x-url ~ " + req.http.x-purge-regex);
} else {
ban("obj.http.host == " + req.http.host + " && obj.http.x-url == " + req.url);
}
}
}
set beresp.http.x-url = bereq.url;
set beresp.http.x-host = bereq.http.host;
}
sub vcl_deliver {
unset resp.http.x-url;
unset resp.http.x-host;
}
Store request info
in response object

View Slide

ban obj.http.x-host == localhost && obj.http.x-url ~ /products
Lurker can match
response info
Ban lurker
removes item from
cache async

View Slide

varnish> param.show ban_lurker_age
200
ban_lurker_age
Value is: 60.000 [seconds] (default)
Minimum is: 0.000
The ban lurker will ignore bans until they are this old. When
a ban is added, the active traffic will be tested against it as
part of object lookup. Because many applications issue bans in
bursts, this parameter holds the ban-lurker off until the rush
is over.
This should be set to the approximate time which a ban-burst
takes.

View Slide

Banning
through
Varnishadm

View Slide

varnishadm> ban obj.http.x-host == localhost && obj.http.x-url ~ /products
Varnishadm banning

View Slide

Banning
through
socket

View Slide

Varnishadm is a
binary on top of
the socket

View Slide

Varnishadm uses
the secret file to
authenticate
automatically

View Slide

$ telnet varnish 6082
Connected to localhost.
Escape character is '^]'.
107 59
cohvooigdtqvkpwewhdxkqiwkfkpwsly
Authentication required.
auth 5a9c5722f31cc3c92f0e4616571624df7bddde2f8e42aaffe795dc80fb8c91dd
200 240
-----------------------------
Varnish Cache CLI 1.0
-----------------------------
Linux,4.9.49-moby,x86_64,-junix,-smalloc,-smalloc,-hcritbit
varnish-5.2.0 revision 4c4875cbf
Type 'help' for command list.
Type 'quit' to close CLI session.
200 0

View Slide

$challenge = $argv[1];
$secret = trim(fgets(STDIN));
$pack = $challenge . "\x0A" . $secret . "\x0A" . $challenge . "\x0A";
$key = hash('sha256', $pack);
echo $key.PHP_EOL;
Use secret & process challenge
5a9c5722f31cc3c92f0e4616571624df7bddde2f8e42aaffe795dc80fb8c91dd
E29F6DE6-3803-449E-8A01-AA537A8715B1

View Slide

$ telnet varnish 6082
Connected to localhost.
Escape character is '^]'.
107 59
Authentication required.
auth 5a9c5722f31cc3c92f0e4616571624df7bddde2f8e42aaffe795dc80fb8c91dd
200 240
-----------------------------
-----------------------------
200 0

View Slide

Secure your access the the admin socket

View Slide

-a :80 \
-a :81,PROXY \
-T localhost:6082 \
-l 100m,10m \
-t 60 \
-s malloc,3g"

View Slide

Admin socket does
more than banning

View Slide

-----------------------------
-----------------------------
help
200 613
auth
backend.list [-p] []
backend.set_health [auto|healthy|sick]
ban [&& ...]
ban.list
banner
help []
panic.clear [-z]
panic.show
param.set
param.show [-l] []
ping []
quit
start
status
stop
storage.list
vcl.discard
vcl.inline [auto|cold|warm]
vcl.label
vcl.list
vcl.load [auto|cold|warm]
vcl.show [-v]
vcl.state [auto|cold|warm]
vcl.use

View Slide

Refresh content

View Slide

vcl 4.0;
acl refreshers {
"172.18.0.0"/24;
"localhost";
}
backend default {
.host = "nginx";
.port = "80";
}
sub vcl_recv {
if (req.method == "REFRESH") {
if (client.ip !~ refreshers) {
}
set req.method = "GET";
set req.hash_always_miss = true;
}
}
Refresh content
Perform miss,
fetch content,
overwrite object

View Slide

Refresh content
curl -XREFRESH "http://example.com/products"

View Slide

Tag-base invalidation

View Slide

vmod_xkey

View Slide

vcl 4.0;
import xkey;
acl purgers {
"172.18.0.0"/24;
}
backend default {
.host = "nginx";
.port = "80";
}
sub vcl_recv {
return (synth(405, "Method now allowed"));
}
set req.http.n-gone = xkey.purge(req.http.key);
return (synth(200, "Invalidated "+req.http.n-gone+" objects for key "+ req.http.key));
}
if (req.method == "SOFTPURGE") {
}
set req.http.n-gone = xkey.softpurge(req.http.key);
return (synth(200, "Invalidated "+req.http.n-gone+" objects via softpurge for key "+
req.http.key));
}
}

View Slide

header('Cache-control: public, s-maxage=100');
header("xkey: a");
header("xkey: b",false);
echo date('Y-m-d H:i:s').'
'.PHP_EOL;
Add “xkey” headers
Register tags

View Slide

Invalidate tags
curl -XPURGE -H"key: b" "http://example.com/"
PURGE / HTTP/1.1
Host: localhost
Accept: */*
key:b

View Slide

Header-based
invalidation

View Slide

Header-based
invalidation
If-Modified-Since: Tue, 14 Jun 2016 11:49:18 GMT
Last-Modified: Tue, 14 Jun 2016 11:49:32 GMT
HTTP 200: OK HTTP 304: Not modified

View Slide

Header-based
invalidation
If-None-Match: 57601698ae1e2
Etag: 57601698ae1e2
HTTP 200: OK HTTP 304: Not modified

View Slide

Grace mode

View Slide

beresp.grace
Keep servering
stale object while
fetching data from
backend
Avoid
excessive request
queueing

View Slide

set beresp.grace = 2h;
}
Grace

View Slide

Cache-Control: public, max-age=100, s-maxage=3600,
stale-while-revalidate=7200
Stale-While-Revalidate

View Slide

set beresp.grace = 6h;
}
Grace mode
Monitoring & logging

View Slide

Varnishstat
Realtime
statistics

View Slide

View Slide

usage: varnishstat [-1lV] [-f field] [-t seconds|] [-n varnish_name] [-N filename]
-1 # Print the statistics to stdout.
-f field # Field inclusion glob
# If it starts with '^' it is used as an exclusion list.
-l # Lists the available fields to use with the -f option.
-n varnish_name # The varnishd instance to get logs from.
-N filename # Filename of a stale VSM instance.
-t seconds| # Timeout before returning error on initial VSM connection.
-V # Display the version number and exit.
-x # Print statistics to stdout as XML.
-j # Print statistics to stdout as JSON.
Varnishstat usage

View Slide

~# varnishstat -f MAIN.cache_hit -1
MAIN.cache_hit 13049135 5.39 Cache hits
Varnishstat usage
~# varnishstat -f MAIN.cache_hit -j -1
{
"timestamp": "2016-06-14T16:10:32",
"MAIN.cache_hit": {
"description": "Cache hits",
"type": "MAIN", "flag": "c", "format": "i",
"value": 13050992
}
}

View Slide

Varnishstat usage
~# varnishstat -f MAIN.n_object -f MAIN.n_lru_nuked -j
{
"timestamp": "2016-06-14T16:14:49",
"MAIN.n_object": {
"description": "object structs made",
"type": "MAIN", "flag": "g", "format": "i",
"value": 46295
},
"MAIN.n_lru_nuked": {
"description": "Number of LRU nuked objects",
"type": "MAIN", "flag": "g", "format": "i",
"value": 0
}
}

View Slide

varnishstat -f MAIN.cache*

View Slide

✓ Session
✓ Client
✓ Uptime
✓ Hit/miss
✓ Backend
✓ Fetch
✓ Threading
✓ Cache
objects
✓ Memory
✓ Invalidation
Varnishstat counters

View Slide

VSL

View Slide

Varnish
Shared memory
Logging

View Slide

✓ In-memory logs
✓ Generated by varnishd
✓ 81 MB by default
✓ Customize with “-l” setting
✓ Varnishlog command
✓ Varnishtop command
VSL

View Slide

* << Request >> 10973258
- Begin req 10973257 rxreq
- Timestamp Start: 1501507281.942533 0.000000 0.000000
- Timestamp Req: 1501507281.942533 0.000000 0.000000
- ReqStart 127.0.0.1 59753
- ReqMethod GET
- ReqURL /
- ReqProtocol HTTP/1.1
- ReqHeader Host: feryn.eu

View Slide

Transactions

View Slide

✓ Items of work
✓ Identified by VXID
✓ 2 kinds:
✓ Sessions
✓ Requests
Transactions

View Slide

✓ Identifies TCP
connection
✓ Contains multiple
requests
Transactions
✓ Client request
✓ Backend request
✓ ESI subrequest
Session Request

View Slide

View Slide

✓ VXID (default)
✓ Session
✓ Request
✓ Raw
Transactions grouping

View Slide

Example
composition that will
be monitored

View Slide

varnishlog -i Begin,ReqUrl,Link,BereqURL

View Slide

* << BeReq >> 98318
- Begin bereq 98317 fetch
- BereqURL /
* << BeReq >> 98320
- BereqURL /header
* << Request >> 98319
- Begin req 98317 esi
- ReqURL /header
- Link bereq 98320 fetch
* << BeReq >> 98322
- BereqURL /nav
* << Request >> 98321
- ReqURL /nav
* << Request >> 98317
- ReqURL /
- Link req 98319 esi
* << BeReq >> 98324
- BereqURL /footer
* << Request >> 98323
- ReqURL /footer
* << Session >> 98316
- Begin sess 0 HTTP/1
- Link req 98317 rxreq

View Slide

varnishlog -i Begin,ReqUrl,Link,BereqURL -g session

View Slide

* << Session >> 14
** << Request >> 65539
-- Begin req 14 rxreq
-- ReqURL /
-- Link bereq 65540 fetch
-- Link req 65541 esi
-- Link req 65543 esi
** << Request >> 65545
-- Begin req 14 rxreq
-- ReqURL /footer
-- Link bereq 65546 fetch
*** << BeReq >> 65540
--- Begin bereq 65539 fetch
--- BereqURL /
*** << Request >> 65541
--- Begin req 65539 esi
--- ReqURL /header
--- Link bereq 65542 fetch
*** << Request >> 65543
--- Begin req 65539 esi
--- ReqURL /nav
--- Link bereq 65544 fetch
*** << BeReq >> 65546
--- Begin bereq 65545 fetch
--- BereqURL /footer
**** << BeReq >> 65542
---- Begin bereq 65541 fetch
---- BereqURL /header
**** << BeReq >> 65544
---- Begin bereq 65543 fetch
---- BereqURL /nav

View Slide

View Slide

Tags

View Slide

Request tags

View Slide

✓ ReqMethod
✓ ReqUrl
✓ ReqProtocol
✓ ReqHeader
Request tags

View Slide

- ReqStart 127.0.0.1 56312
- ReqMethod GET
- ReqURL /
- ReqHeader Host: localhost
- ReqHeader Connection: keep-alive
- ReqHeader Upgrade-Insecure-Requests: 1
- ReqHeader User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X
10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/
59.0.3071.115 Safari/537.36
- ReqHeader Accept: text/html,application/xhtml+xml,application/
xml;q=0.9,image/webp,image/apng,*/*;q=0.8
- ReqHeader Accept-Encoding: gzip, deflate, br
- ReqHeader Accept-Language: nl,en-US;q=0.8,en;q=0.6
- ReqHeader X-Forwarded-For: 127.0.0.1

View Slide

Response tags

View Slide

✓ RespProtocol
✓ RespStatus
✓ RespReason
✓ RespHeader
Response tags

View Slide

- RespProtocol HTTP/1.1
- RespStatus 200
- RespReason OK
- RespHeader Host: localhost
- RespHeader Cache-Control: public, s-maxage=500
- RespHeader Date: Tue, 01 Aug 2017 08:56:44 GMT
- RespHeader ETag: "c5afddc587599a72d467caca23e980bf"
- RespHeader Vary: Accept-Language
- RespHeader Content-Length: 3098
- RespHeader Content-Type: text/html; charset=UTF-8
- RespHeader X-Varnish: 32770
- RespHeader Age: 10

View Slide

Backend tags

View Slide

- BackendOpen 19 boot.default 127.0.0.1 8080 127.0.0.1 62552
- BackendClose 19 boot.default

View Slide

Backend request tags

View Slide

✓ BereqMethod
✓ BereqUrl
✓ BereqProtocol
✓ BereqHeader
Backend request tags

View Slide

Backend response
tags

View Slide

✓ BerespProtocol
✓ BerespStatus
✓ BerespReason
✓ BerespHeader
Backens response tags

View Slide

Object tags

View Slide

✓ ObjProtocol
✓ ObjStatus
✓ ObjReason
✓ ObjHeader
Object tags

View Slide

VCL tags

View Slide

✓ VCL_Call
✓ VCL_Return
✓ VCL_Error
✓ VCL_Log
✓ VCL_Acl
VCL tags

View Slide

* << Request >> 5
- ReqURL /
- VCL_call RECV
- VCL_return hash
- VCL_call HASH
- VCL_return lookup
- VCL_call MISS
- VCL_return fetch
- VCL_call DELIVER
- VCL_return deliver
** << BeReq >> 6
-- BereqURL /
-- VCL_call BACKEND_FETCH
-- VCL_return fetch
-- VCL_call BACKEND_RESPONSE
-- VCL_return deliver

View Slide

* << Request >> 6
- ReqURL /
- VCL_call RECV
- ReqURL /
- VCL_return hash
- VCL_call HASH
- VCL_return lookup
- VCL_call HIT
- VCL_call DELIVER

View Slide

* << Request >> 32789
- ReqURL /header
- ExpBan 98355 banned lookup
ExpBan tag

View Slide

* << Request >> 98369
- ReqURL /footer
- Hit 65597
Hit tag
varnishlog -i "ReqUrl,Hit"

View Slide

** << Request >> 6
-- ReqURL /footer
-- HitPass 3
HitPass tag

View Slide

TTL tag

View Slide

-- TTL VCL 120 10 0 1501597242
✓ TTL decided by the VCL
✓ 120 seconds cached
✓ 10 seconds grace time
✓ 0 seconds keep time
✓ Reference time: 1501597242 
(2017-08-01 14:20:42)

View Slide

-- RFC 500 10 -1 1501598872 1501598872 1501598872 0 500
✓ 500 seconds TTL (via headers)
✓ 10 seconds grace
✓ No keep value
✓ 2017-08-01 14:47:52 date, age & reference time
✓ Cache-control headers sets 500 second TTL

View Slide

-- RFC 500 10 -1 1501598872 1501598869 1501598872 0 500
✓ Don’t screw with the age header
✓ Only 497 second effective TTL
✓ Custom Age header (3 seconds off)

View Slide

Begin tag

View Slide


View Slide

Link tag

View Slide


View Slide

Timestamp tag

View Slide

* << Request >> 65539
- Timestamp Start: 1501601912.758662 0.000000 0.000000
- Timestamp Req: 1501601912.758662 0.000000 0.000000
- Timestamp Fetch: 1501601912.806733 0.048071 0.048071
- Timestamp Process: 1501601912.806750 0.048088 0.000017
- Timestamp Resp: 1501601912.806787 0.048125 0.000037
** << BeReq >> 65540
-- Timestamp Start: 1501601912.758753 0.000000 0.000000
-- Timestamp Bereq: 1501601912.758952 0.000199 0.000199
-- Timestamp Beresp: 1501601912.806677 0.047924 0.047725
-- Timestamp BerespBody: 1501601912.806749 0.047996 0.000072

View Slide

Filtering output

View Slide

✓ -i: include tags
✓ -I: include tags by regex
✓ -x: exclude tags
✓ -X: exclude by regex
Filtering output

View Slide

Include tags

View Slide

varnishlog -i ReqUrl,VCL_call,VCL_return -g session
varnishlog -i "ReqUrl,VCL_*" -g session

View Slide

* << Session >> 252394
** << Request >> 252395
-- ReqURL /
-- VCL_call RECV
-- VCL_return hash
-- VCL_call HASH
-- VCL_return lookup
-- VCL_call HIT
-- VCL_call DELIVER
*** << Request >> 252397
--- ReqURL /header
--- VCL_call RECV
--- VCL_return hash
--- VCL_call HASH
--- VCL_return lookup
--- VCL_call HIT
--- VCL_return deliver
--- VCL_call DELIVER
*** << Request >> 252399
--- ReqURL /nav
--- VCL_call RECV
--- VCL_return hash
--- VCL_call HASH
--- VCL_return lookup
--- VCL_call HIT
--- VCL_call DELIVER
*** << BeReq >> 252396
--- VCL_call BACKEND_FETCH
--- VCL_return fetch
--- VCL_call BACKEND_RESPONSE
**** << BeReq >> 252398
---- VCL_call BACKEND_FETCH
---- VCL_return fetch
---- VCL_call BACKEND_RESPONSE
---- VCL_return deliver
**** << BeReq >> 252400
---- VCL_call BACKEND_FETCH
---- VCL_return fetch
---- VCL_call BACKEND_RESPONSE
---- VCL_return deliver

View Slide

Exclude tags

View Slide

varnishlog -i "Req*" -x ReqHeader,ReqUnset

View Slide

* << Request >> 314125
- ReqStart 127.0.0.1 64585
- ReqMethod GET
- ReqURL /
- ReqAcct 476 0 476 311 0 311
* << Request >> 314126
- ReqStart 127.0.0.1 64585
- ReqMethod GET
- ReqURL /footer
- ReqAcct 370 0 370 309 0 309

View Slide

Include tags by regex

View Slide

varnishlog -I "reqheader:Accept-Language" -i requrl

View Slide

* << Request >> 374378
- ReqURL /
* << Request >> 374379
- ReqURL /footer

View Slide

Exclude tags by regex

View Slide

* << Request >> 374384
- ReqURL /footer
- RespHeader X-Powered-By: PHP/7.0.15
- RespHeader Date: Wed, 02 Aug 2017 11:27:21 GMT
- RespHeader ETag: "d47ac09f5351f8f4c97c99ef5b3d2ecd"
- RespHeader X-Varnish: 374384 15367
- RespHeader Via: 1.1 varnish-v4
- RespHeader Connection: keep-alive

View Slide

varnishlog -i RespHeader,ReqUrl -X "RespHeader:(x|X)-"

View Slide

* << Request >> 374384
- ReqURL /footer
- RespHeader Date: Wed, 02 Aug 2017 11:27:21 GMT
- RespHeader ETag: "d47ac09f5351f8f4c97c99ef5b3d2ecd"

View Slide

All-in-one

View Slide

varnishlog -i "RespHeader,Req*" -X "RespHeader:(x|X)-" -I
"timestamp:Resp" -x reqprotocol,reqacct -g request

View Slide

* << Request >> 59383
- ReqStart 127.0.0.1 53195
- ReqMethod GET
- ReqURL /
- ReqHeader Connection: keep-alive
- ReqHeader Cache-Control: max-age=0
- ReqHeader Upgrade-Insecure-Requests:
1
- ReqHeader User-Agent: Mozilla/5.0
(Macintosh; Intel Mac OS X 10_12_5)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/59.0.3071.115 Safari/537.36
- ReqHeader Accept: text/
html,application/
xhtml+xml,application/xml;q=0.9,image/
webp,image/apng,*/*;q=0.8
- ReqHeader Accept-Encoding: gzip,
deflate, br
- ReqHeader Accept-Language: nl,en-
US;q=0.8,en;q=0.6
- ReqHeader If-None-Match:
W/"27f341f8e459dd35f1087c55351cacda"
- ReqUnset Accept-Language: nl,en-
US;q=0.8,en;q=0.6
- ReqHeader accept-language: nl
- ReqHeader Surrogate-Capability:
key=ESI/1.0
- ReqUnset Accept-Encoding: gzip,
deflate, br
- ReqHeader Accept-Encoding: gzip
- RespHeader Cache-Control: public, s-
maxage=500
- RespHeader Date: Wed, 02 Aug 2017
11:46:49 GMT
- RespHeader ETag:
"27f341f8e459dd35f1087c55351cacda"
- RespHeader Content-Type: text/html;
charset=UTF-8
- RespHeader ETag:
W/"27f341f8e459dd35f1087c55351cacda"
- Timestamp Resp: 1501674561.472358
0.000068 0.000020

View Slide

✓ All response headers
✓ All tags that start with “Req”
✓ Exclude “x-“ response headers
✓ Include “response time” timestamp
✓ Exclude request protocol log lines,
and the request accountancy log
lines
All-in-one

View Slide

VSL queries

View Slide

Filtering fields from
all transactions
Filtering transactions

View Slide

{level}taglist:record-prefix[field]

View Slide

ReqUrl eq ‘/‘

View Slide

Timestamp:Resp[2] > 1.0

View Slide

{2}Timestamp:Resp[2] > 1.0

View Slide

varnishlog -i VCL_call,VCL_return -g request -q "ReqURL eq '/'"

View Slide

* << Request >> 374400
- VCL_call RECV
- VCL_return hash
- VCL_call HASH
- VCL_return lookup
- VCL_call HIT
- VCL_call DELIVER

View Slide

varnishlog -i ReqUrl -q "VCL_call eq 'MISS' or VCL_call eq 'PASS'"
varnishlog -i ReqUrl -I "Timestamp:Resp" -q "Timestamp:Resp[2] > 1.0"

View Slide

Varnish in-depth training - Symfony Live Berlin 2017

Varnish in-depth training - Symfony Live Berlin 2017

Thijs Feryn

More Decks by Thijs Feryn

Other Decks in Technology

Featured

Transcript