Varnish: Making Your Site Bullet Proof - FIL2014

Hi, I’m Thijs

I’m @ThijsFeryn on Twitter

I’m an at Evangelist

I’m a at board member

What’s Varnish?

✓ Cache ✓ Reverse proxy ✓ Loadbalancer

HTTP accelerator

Why? ✓ Hide origin server ✓ SSL termination ✓ Load
balancing ✓ Caching ✓ Compression

✓ Hide origin server ✓ SSL termination ✓ Load balancing
✓ Caching ✓ Compression Why?

Protecting your backend server

Is it any good?

When the pressure is on

Kevin & Whitney

Cache-control Cache-‐Control “max-‐age=3600, s-‐ maxage=1000, public, must-‐revalidate”

Expires Expires "Wed, 1 Jan 2014 20:00:00 GMT"

ETag If-‐None-‐Match: "3e86-‐410-‐3596Obc" ETag: "3e86-‐410-‐3596Obc" Problems with browser cache

A bit of history

Varnish history ✓By Poul-Henning Kamp ✓For Verdens Gang AS ✓At
Redpill Linpro ✓Now Varnish software ✓2005: ideas @ Verdens Gang ✓2006 : development & v1 ✓2008: v2 ✓2011: v3 ✓2014: v4 (April 29th)

Install

curl http://repo.varnish-‐cache.org/debian/GPG-‐key.txt | sudo apt-‐ key add -‐ echo
"deb http://repo.varnish-‐cache.org/ubuntu/ trusty varnish-‐3.0" | sudo tee -‐a /etc/apt/sources.list sudo apt-‐get update sudo apt-‐get install varnish curl http://repo.varnish-‐cache.org/debian/GPG-‐key.txt | sudo apt-‐ key add -‐ echo "deb http://repo.varnish-‐cache.org/debian/ wheezy varnish-‐3.0" | sudo tee -‐a /etc/apt/sources.list sudo apt-‐get update sudo apt-‐get install varnish

Configure

DAEMON_OPTS="-‐a :80 \ -‐T localhost:6082 \ -‐f /etc/varnish/default.vcl
\ -‐S /etc/varnish/secret \ -‐s malloc,1G" In “/etc/default/varnish”

backend default { .host
= "127.0.0.1"; .port = "8080"; } In “/etc/varnish/default.vcl”

Backend ✓Other port ✓Other IP

Out of the box

Respects your HTTP cache headers

✓POST, DELETE & PUT ✓Cookies ✓Auth headers ✓Set-cookie headers ✓Cache
ttl <= 0 ✓“no-cache", “no-store", “private” in v4 Varnish wil not cache

About cookies

About cookies HTTP cookie request header via browser HTTP set-cookie
response header via webserver

The flow

Typical flow in v3 HIT ✓recv ✓lookup ✓hit ✓deliver MISS
✓recv ✓lookup ✓miss ✓fetch ✓deliver

Typical flow in v4 HIT ✓recv ✓hash ✓hit ✓deliver MISS
✓recv ✓hash ✓miss ✓backend_fetch ✓backend_response ✓deliver

Varnish Configuration Language

VCL ✓Domain specific language ✓„Curly braces” style ✓Describes request handling
& caching policies ✓Compiled to C and loaded as a shared object ✓Hooks ✓Syntax change in v4

VCL hooks v3 ✓vcl_init • ok ✓vcl_recv • lookup •
pipe • pass • error ✓vcl_pipe • pipe • error ✓vcl_hash • hash ✓vcl_hit • deliver • pass • error • restart ✓vcl_miss • fetch • pass • error ✓vcl_pass • error • pass ✓vcl_fetch • deliver • error • restart • hit_for_pass ✓vcl_deliver • deliver • restart ✓vcl_error • deliver • restart ✓vcl_fini • ok

VCL hooks v4 ✓vcl_init • ok ✓vcl_recv • hash •
pipe • pass • error • purge ✓vcl_pipe • pipe • error ✓vcl_hash • lookup ✓vcl_hit • deliver • fetch • pass • error • restart ✓vcl_miss • fetch • pass • error ✓vcl_pass • error • fetch ✓vcl_backend _response • deliver • error • restart • hit_for_pass ✓vcl_deliver • deliver • restart ✓vcl_backend _error • deliver • restart ✓vcl_synth • deliver • restart ✓vcl_fini • ok ✓vcl_purge • error • fetch

VCL objects ✓Req: client request ✓Bereq: Varnish backend request ✓Beresp:
backend server response ✓Resp: Varnish response ✓Obj: Varnish cache object

The default VCL in v3

sub vcl_recv {! if (req.restarts == 0) {! if (req.http.x-forwarded-for)
{! set req.http.X-Forwarded-For =! req.http.X-Forwarded-For + “, ” + client.ip;! } else {! set req.http.X-Forwarded-For = client.ip;! }! }! if (req.request != “GET” &&! req.request != “HEAD” &&! req.request != “PUT” &&! req.request != “POST” &&! req.request != “TRACE” &&! req.request != “OPTIONS” &&! req.request != “DELETE”) {! /* Non-RFC2616 or CONNECT which is weird. */! return (pipe);! }! if (req.request != “GET” && req.request != “HEAD”) {! /* We only deal with GET and HEAD by default */! return (pass);! }! if (req.http.Authorization || req.http.Cookie) {! /* Not cacheable by default */! return (pass);! }! return (lookup);! }

sub vcl_pipe {! # Note that only the first request
to the backend will have! # X-Forwarded-For set. If you use X-Forwarded-For and want to! # have it set for all requests, make sure to have:! # set bereq.http.connection = "close";! # here. It is not set by default as it might break some broken web # applications, like IIS with NTLM authentication.! return (pipe);! }! ! sub vcl_pass {! return (pass);! }! ! sub vcl_hash {! hash_data(req.url);! if (req.http.host) {! hash_data(req.http.host);! } else {! hash_data(server.ip);! }! return (hash);! }

sub vcl_hit {! return (deliver);! }! ! sub vcl_miss {!
return (fetch);! }! ! sub vcl_fetch {! if (beresp.ttl <= 0s ||! beresp.http.Set-Cookie ||! beresp.http.Vary == "*") {! ! ! /*! ! ! * Mark as "Hit-For-Pass" for the next 2 minutes! ! ! */! ! ! set beresp.ttl = 120 s;! ! ! return (hit_for_pass);! }! return (deliver);! }! ! sub vcl_deliver {! return (deliver);! }

sub vcl_error {! set obj.http.Content-Type = "text/html; charset=utf-8";! set obj.http.Retry-After
= "5";! synthetic {"! <?xml version="1.0" encoding="utf-8"?>! <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"! "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">! <html>! <head>! <title>"} + obj.status + " " + obj.response + {"</title>! </head>! <body>! <h1>Error "} + obj.status + " " + obj.response + {"</h1>! <p>"} + obj.response + {"</p>! <h3>Guru Meditation:</h3>! <p>XID: "} + req.xid + {"</p>! <hr>! <p>Varnish cache server</p>! </body>! </html>! "};! return (deliver);! }! ! sub vcl_init {! ! return (ok);! }! ! sub vcl_fini {! ! return (ok);! }

Monitoring & Logging

Varnishstat Continuously updated state of the server

4+05:26:25 Hitrate ratio:
10 100 254 Hitrate avg: 0.8486 0.7619 0.7285 ! 1760818 6.99 4.82 client_conn -‐ Client connections accepted 11088687 25.96 30.36 client_req -‐ Client requests received 8042715 11.98 22.02 cache_hit -‐ Cache hits 2609561 11.98 7.15 cache_miss -‐ Cache misses 47104 1.00 0.13 backend_conn -‐ Backend conn. success 610 0.00 0.00 backend_fail -‐ Backend conn. failures 2998265 12.98 8.21 backend_reuse -‐ Backend conn. reuses 12081 0.00 0.03 backend_toolate -‐ Backend conn. was closed 3010356 13.98 8.24 backend_recycle -‐ Backend conn. recycles 13 0.00 0.00 backend_retry -‐ Backend conn. retry 520 0.00 0.00 fetch_head -‐ Fetch head 2857965 11.98 7.83 fetch_length -‐ Fetch with Length 151309 2.00 0.41 fetch_chunked -‐ Fetch chunked 4404 0.00 0.01 fetch_close -‐ Fetch wanted close 676 0.00 0.00 fetch_failed -‐ Fetch failed 31164 0.00 0.09 fetch_304 -‐ Fetch no body (304) 220 . . n_sess_mem -‐ N struct sess_mem 53 . . n_sess -‐ N struct sess 29540 . . n_object -‐ N struct object 29561 . . n_objectcore -‐ N struct objectcore 5058 . . n_objecthead -‐ N struct objecthead 2613 . . n_waitinglist -‐ N struct waitinglist 3 . . n_vbc -‐ N struct vbc 22 . . n_wrk -‐ N worker threads 1789 0.00 0.00 n_wrk_create -‐ N worker threads created

Varnishstat in v4

Varnishlog In memory activity log

11 SessionOpen c 12.12.12.1 53727 :80
11 ReqStart c 12.12.12.1 53727 1401010767 11 RxRequest c GET 11 RxURL c / 11 RxProtocol c HTTP/1.1 11 RxHeader c Host: 12.12.12.6 11 RxHeader c User-‐Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20100101 Firefox/17.0 11 RxHeader c Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/ *;q=0.8 11 RxHeader c Accept-‐Language: nl,en;q=0.7,fr-‐be;q=0.3 11 RxHeader c Accept-‐Encoding: gzip, deflate 11 RxHeader c Connection: keep-‐alive 11 VCL_call c recv lookup 11 VCL_call c hash 11 Hash c / 11 Hash c 12.12.12.6 11 VCL_return c hash 11 VCL_call c miss fetch 11 Backend c 13 default default 11 TTL c 1401010767 RFC 0 -‐1 -‐1 1357920021 0 1357920020 0 0 11 VCL_call c fetch 11 TTL c 1401010767 VCL 120 -‐1 -‐1 1357920021 -‐0 11 VCL_return c hit_for_pass 11 ObjProtocol c HTTP/1.1 11 ObjResponse c OK 11 ObjHeader c Date: Fri, 11 Jan 2013 16:00:20 GMT 11 ObjHeader c Server: Apache 11 ObjHeader c X-‐Powered-‐By: PHP/5.3.2-‐1ubuntu4.18 11 ObjHeader c Cache-‐Control: no-‐cache, no-‐store, max-‐age=0 Client

11 VCL_return c hit_for_pass
11 ObjProtocol c HTTP/1.1 11 ObjResponse c OK 11 ObjHeader c Date: Fri, 11 Jan 2013 16:00:20 GMT 11 ObjHeader c Server: Apache 11 ObjHeader c X-‐Powered-‐By: PHP/5.3.2-‐1ubuntu4.18 11 ObjHeader c Cache-‐Control: no-‐cache, no-‐store, max-‐age=0 11 ObjHeader c Vary: Accept-‐Encoding 11 ObjHeader c Content-‐Encoding: gzip 11 ObjHeader c Content-‐Length: 119 11 ObjHeader c Content-‐Type: text/html 11 Gzip c u F -‐ 119 336 80 80 887 11 VCL_call c deliver deliver 11 TxProtocol c HTTP/1.1 11 TxStatus c 200 11 TxResponse c OK 11 TxHeader c Server: Apache 11 TxHeader c X-‐Powered-‐By: PHP/5.3.2-‐1ubuntu4.18 11 TxHeader c Cache-‐Control: no-‐cache, no-‐store, max-‐age=0 11 TxHeader c Vary: Accept-‐Encoding 11 TxHeader c Content-‐Encoding: gzip 11 TxHeader c Content-‐Type: text/html 11 TxHeader c Content-‐Length: 119 11 TxHeader c Accept-‐Ranges: bytes 11 TxHeader c Date: Fri, 11 Jan 2013 16:00:20 GMT 11 TxHeader c X-‐Varnish: 1401010767 11 TxHeader c Age: 0 11 TxHeader c Via: 1.1 varnish 11 TxHeader c Connection: keep-‐alive 11 Length c 119 11 ReqEnd c 1401010767 1357920020.712090731 1357920020.727306366 0.000087738 Client

13 BackendClose -‐ default 13
BackendOpen b default 127.0.0.1 51597 127.0.0.1 8080 13 TxRequest b GET 13 TxURL b / 13 TxProtocol b HTTP/1.1 13 TxHeader b Host: 12.12.12.6 13 TxHeader b User-‐Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20100101 Firefox/17.0 13 TxHeader b Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/ *;q=0.8 13 TxHeader b Accept-‐Language: nl,en;q=0.7,fr-‐be;q=0.3 13 TxHeader b X-‐Forwarded-‐For: 12.12.12.1 13 TxHeader b X-‐Varnish: 1401010767 13 TxHeader b Accept-‐Encoding: gzip 13 RxProtocol b HTTP/1.1 13 RxStatus b 200 13 RxResponse b OK 13 RxHeader b Date: Fri, 11 Jan 2013 16:00:20 GMT 13 RxHeader b Server: Apache 13 RxHeader b X-‐Powered-‐By: PHP/5.3.2-‐1ubuntu4.18 13 RxHeader b Cache-‐Control: no-‐cache, no-‐store, max-‐age=0 13 RxHeader b Vary: Accept-‐Encoding 13 RxHeader b Content-‐Encoding: gzip 13 RxHeader b Content-‐Length: 119 13 RxHeader b Content-‐Type: text/html 13 Fetch_Body b 4(length) cls 0 mklen 1 13 Length b 119 13 BackendReuse b default Backend

Varnishlog examples varnishlog -‐c -‐m"VCL_call:hit" | grep RxURL varnishlog -‐c
-‐m"VCL_call:miss" | grep RxURL varnishlog -‐a -‐w /tmp/varnish.log varnishlog -‐r /tmp/varnish.log varnishlog -‐i RxHeader -‐I Cookie

Varnishlog in v4

* << Request >> 17 -‐
Begin req 16 rxreq -‐ Timestamp Start: 1402575535.812994 0.000000 0.000000 -‐ Timestamp Req: 1402575535.812994 0.000000 0.000000 -‐ ReqStart 10.10.10.1 51762 -‐ ReqMethod GET -‐ ReqURL / -‐ ReqProtocol HTTP/1.1 -‐ ReqHeader Host: varnishv4.dev -‐ ReqHeader User-‐Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0 -‐ ReqHeader Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/ *;q=0.8 -‐ ReqHeader Accept-‐Language: en,nl;q=0.7,fr-‐be;q=0.3 -‐ ReqHeader Accept-‐Encoding: gzip, deflate -‐ ReqHeader Connection: keep-‐alive -‐ ReqHeader Cache-‐Control: max-‐age=0 -‐ ReqHeader X-‐Forwarded-‐For: 10.10.10.1 -‐ VCL_call RECV -‐ VCL_return hash -‐ ReqUnset Accept-‐Encoding: gzip, deflate -‐ ReqHeader Accept-‐Encoding: gzip -‐ VCL_call HASH -‐ VCL_return lookup -‐ Hit 2147516434 -‐ VCL_call HIT -‐ VCL_return deliver -‐ Link bereq 18 bgfetch -‐ Timestamp Fetch: 1402575535.813497 0.000503 0.000503 -‐ Timestamp Process: 1402575535.813508 0.000514 0.000011 Client

-‐ Hit
2147516434 -‐ VCL_call HIT -‐ VCL_return deliver -‐ Link bereq 18 bgfetch -‐ Timestamp Fetch: 1402575535.813497 0.000503 0.000503 -‐ Timestamp Process: 1402575535.813508 0.000514 0.000011 -‐ RespProtocol HTTP/1.1 -‐ RespStatus 200 -‐ RespResponse OK -‐ RespHeader Date: Thu, 12 Jun 2014 12:18:43 GMT -‐ RespHeader Server: Apache/2.2.22 (Debian) -‐ RespHeader X-‐Powered-‐By: PHP/5.4.4-‐14+deb7u10 -‐ RespHeader Cache-‐Control: public, max-‐age=5 -‐ RespHeader Vary: Accept-‐Encoding -‐ RespHeader Content-‐Encoding: gzip -‐ RespHeader Content-‐Type: text/html -‐ RespUnset Date: Thu, 12 Jun 2014 12:18:43 GMT -‐ RespHeader Date: Thu, 12 Jun 2014 12:18:55 GMT -‐ RespHeader X-‐Varnish: 17 32786 -‐ RespHeader Age: 12 -‐ RespHeader Via: 1.1 varnish (v4) -‐ VCL_call DELIVER -‐ VCL_return deliver -‐ RespHeader Content-‐Length: 64 -‐ Debug "RES_MODE 2" -‐ RespHeader Connection: keep-‐alive -‐ RespHeader Accept-‐Ranges: bytes -‐ Timestamp Resp: 1402575535.813804 0.000810 0.000296 -‐ Debug "XXX REF 2" -‐ ReqAcct 331 0 331 349 64 413 -‐ End Client

* << BeReq >> 18
-‐ Begin bereq 17 bgfetch -‐ Timestamp Start: 1402575535.813071 0.000000 0.000000 -‐ BereqMethod GET -‐ BereqURL / -‐ BereqProtocol HTTP/1.1 -‐ BereqHeader Host: varnishv4.dev -‐ BereqHeader User-‐Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0 -‐ BereqHeader Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/ *;q=0.8 -‐ BereqHeader Accept-‐Language: en,nl;q=0.7,fr-‐be;q=0.3 -‐ BereqHeader X-‐Forwarded-‐For: 10.10.10.1 -‐ BereqHeader Accept-‐Encoding: gzip -‐ BereqHeader X-‐Varnish: 18 -‐ VCL_call BACKEND_FETCH -‐ VCL_return fetch -‐ BackendClose 17 default(127.0.0.1,,8080) toolate -‐ BackendOpen 17 default(127.0.0.1,,8080) 127.0.0.1 41135 -‐ Backend 17 default default(127.0.0.1,,8080) -‐ Timestamp Bereq: 1402575535.813220 0.000149 0.000149 -‐ Timestamp Beresp: 1402575535.828116 0.015045 0.014896 -‐ BerespProtocol HTTP/1.1 -‐ BerespStatus 200 -‐ BerespResponse OK -‐ BerespHeader Date: Thu, 12 Jun 2014 12:18:55 GMT -‐ BerespHeader Server: Apache/2.2.22 (Debian) -‐ BerespHeader X-‐Powered-‐By: PHP/5.4.4-‐14+deb7u10 -‐ BerespHeader Cache-‐Control: public, max-‐age=5 -‐ BerespHeader Vary: Accept-‐Encoding Backend

-‐ BerespHeader Content-‐Encoding: gzip -‐
BerespHeader Content-‐Length: 64 -‐ BerespHeader Content-‐Type: text/html -‐ TTL RFC 5 -‐1 -‐1 1402575536 1402575536 1402575535 0 5 -‐ VCL_call BACKEND_RESPONSE -‐ VCL_return deliver -‐ Storage malloc s0 -‐ ObjProtocol HTTP/1.1 -‐ ObjStatus 200 -‐ ObjResponse OK -‐ ObjHeader Date: Thu, 12 Jun 2014 12:18:55 GMT -‐ ObjHeader Server: Apache/2.2.22 (Debian) -‐ ObjHeader X-‐Powered-‐By: PHP/5.4.4-‐14+deb7u10 -‐ ObjHeader Cache-‐Control: public, max-‐age=5 -‐ ObjHeader Vary: Accept-‐Encoding -‐ ObjHeader Content-‐Encoding: gzip -‐ ObjHeader Content-‐Type: text/html -‐ Fetch_Body 3 length stream -‐ Gzip u F -‐ 64 44 80 80 442 -‐ Timestamp BerespBody: 1402575535.828260 0.015189 0.000144 -‐ BackendReuse 17 default(127.0.0.1,,8080) -‐ Length 64 -‐ BereqAcct 316 0 316 250 64 314 -‐ End ! * << Session >> 16 -‐ Begin sess 0 HTTP/1 -‐ SessOpen 10.10.10.1 51762 :80 10.10.10.36 80 1402575535.812946 14 -‐ Link req 17 rxreq -‐ SessClose RX_TIMEOUT 5.021 -‐ End Backend

VSL Query Expressions in v4

VSL Query Expressions varnishlog -‐i ReqURL -‐q 'VCL_Call eq "HIT"'
varnishlog -‐i ReqURL -‐q 'VCL_Call eq "MISS"' varnishlog -‐i ReqURL -‐q 'RespStatus > 400 and RespStatus <= 404' varnishlog -‐i ReqURL -‐q 'Timestamp:Fetch[2] > 2.0'

Varnishtop Continuously updated list of incremental data

list length 20 ! 107.57 RxHeader
User-‐Agent: Mozilla/5.0 (Windows NT 6.1; W 101.96 RxHeader User-‐Agent: Mozilla/5.0 (Windows NT 6.1; W 82.49 RxHeader User-‐Agent: Mozilla/4.0 (compatible; MSIE 69.90 RxHeader User-‐Agent: Mozilla/5.0 (compatible; MSIE 64.04 RxHeader User-‐Agent: Mozilla/5.0 (Windows NT 6.1; W 43.74 RxHeader User-‐Agent: Mozilla/4.0 (compatible; MSIE 22.01 RxHeader User-‐Agent: Mozilla/5.0 (iPod; U; CPU iPho 21.43 RxHeader User-‐Agent: Mozilla/4.0 (compatible; MSIE 19.86 RxHeader User-‐Agent: Mozilla/5.0 (X11; Linux x86_64 15.47 RxHeader User-‐Agent: Mozilla/5.0 (Windows NT 6.1; W 12.96 RxHeader User-‐Agent: Mozilla/5.0 (Windows NT 6.1; W 4.87 RxHeader User-‐Agent: Mozilla/4.0 (compatible; MSIE 2.97 RxHeader User-‐Agent: Mozilla/5.0 (compatible; MSIE 2.75 RxHeader User-‐Agent: Mozilla/5.0 (Windows NT 6.1; W 2.56 RxHeader User-‐Agent: Mozilla/5.0 (Windows NT 6.1; r 0.97 RxHeader User-‐Agent: Mozilla/5.0 (Windows; U; Windo 0.86 RxHeader User-‐Agent: Mozilla/5.0 (iPhone; CPU iPhon 0.83 RxHeader User-‐Agent: Mozilla/5.0 (Windows; U; Windo 0.53 RxHeader User-‐Agent: Mozilla/5.0 (compatible; Googl 0.44 RxHeader User-‐Agent: Mozilla/4.0 (compatible;) !

Varnishtop examples varnishtop -‐i RxHeader -‐I \^User-‐Agent varnishtop -‐i RxRequest
varnishtop -‐i RxHeader -‐I \^Host varnishtop -‐i RxHeader -‐I Cookie

Varnishtop in v4

VSL Query Expressions varnishtop -‐i ReqURL -‐q 'VCL_Call eq "HIT"'
varnishtop -‐i ReqURL -‐q 'VCL_Call eq "MISS"' varnishtop -‐C -‐I "ReqHeader:^User-‐Agent" varnishtop -‐i RespStatus varnishtop -‐i ReqURL

Varnisncsa Turns requests into Apache style logs 10.10.10.1 -‐ -‐
[12/Jun/2014:14:50:33 +0000] "GET http://varnishv4.dev/ HTTP/1.1" 20 10.10.10.1 -‐ -‐ [12/Jun/2014:14:50:33 +0000] "GET http://varnishv4.dev/ HTTP/1.1" 20 10.10.10.1 -‐ -‐ [12/Jun/2014:14:50:33 +0000] "GET http://varnishv4.dev/ HTTP/1.1" 20 10.10.10.1 -‐ -‐ [12/Jun/2014:14:50:33 +0000] "GET http://varnishv4.dev/ HTTP/1.1" 20

Cache purging

sub vcl_recv {
if (req.request == "PURGE") { return (lookup); } } sub vcl_hit { if (req.request == "PURGE") { purge; error 200 "Purged"; } } sub vcl_miss { if (req.request == "PURGE") { error 404 "Not in cache"; } } Purge config

sub vcl_recv { if (req.method ==
"PURGE") { return(purge); } } Purge config in v4

sub vcl_recv {
if (req.request == "PURGE") { ban("req.http.host == " + req.http.host + " && req.url ~ " + req.url); error 200 "Banned"; } } sub vcl_recv { if (req.request == "PURGE") { ban("req.http.host == " + req.http.host + " && req.url == " + req.url); error 200 "Banned"; } } Ban config v3 Ban URL Ban URL pattern

sub vcl_recv {
if (req.method == "PURGE") { ban("req.http.host == " + req.http.host + " && req.url ~ " + req.url); return (synth(200, "Banned")); } } sub vcl_recv { if (req.method == "PURGE") { ban("req.http.host == " + req.http.host + " && req.url == " + req.url); return (synth(200, "Banned")); } } Ban config v4 Ban URL Ban URL pattern

Purge/ban execution curl -‐X PURGE http://varnish.dev/your-‐page $ varnishadm varnish>
varnish> ban req.url == "/" 200 Or via telnet

Purge security

Purge ACL in v3 acl purge { "10.12.3.5";
"my.host.tld"; "192.0.2.1"/24"; } ! sub vcl_recv { if (req.request == "PURGE") { if (!client.ip ~ purge) { error 405 "Not allowed."; } return(lookup); } }

Purge ACL in v4 acl purge { "10.12.3.5";
"my.host.tld"; "192.0.2.1/24"; } ! sub vcl_recv { if (req.method == "PURGE") { if (!client.ip ~ purge) { return(synth(405,"Not allowed")); } return(purge); } }

Loadbalancing

✓Distribute load across backends ✓Fallback in case of backend failure
Loadbalancing

✓Round-robin ✓Random ✓Client ✓Hash ✓Fallback ✓DNS Directors Group backends

probe healthcheck {! .url = "/status.php";! .interval = 60s;! .timeout
= 0.3 s;! .window = 8;! .threshold = 3;! .initial = 3;! .expected_response = 200;! }! ! backend default {! .host = "www.example.com";! .port = "http";! .probe = healthcheck;! } Health probes For failover

backend one { .host = “localhost”;
.port = “80”; } ! backend two { .host = “127.0.0.1”; .port = “81”; } ! director localhosts round-‐robin { { .backend = one;} { .backend = two;} { .backend = {   .host = “localhost”;   .port = “82”; } } } ! sub vcl_recv { set req.backend = localhosts; } Round robin

backend one { .host = “localhost”;
.port = “80”; } ! backend two { .host = “127.0.0.1”; .port = “81”; } ! director localhosts random { { .backend = one; .weight=4;} { .backend = two; .weight=6;} { .backend = {   .host = “localhost”;   .port = “82”; } } } ! sub vcl_recv { set req.backend = localhosts; } Random

Fallback director localhosts fallback { {
.backend = one;} { .backend = two;} } sub vcl_recv { set req.backend = localhosts; } Picks first healthy backend Order matters

director localhosts client { { .backend
= one; .weight=1; } { .backend = two; .weight=1; } } sub vcl_recv { set req.backend = localhosts; //Load balance by client IP, this is the default set client.identity = client.ip; } IP hash Uses client.identity

director localhosts hash { { .backend
= one; .weight=1; } { .backend = two; .weight=1; } } sub vcl_recv { set req.backend = localhosts; } URL hash Uses req.hash URL distribution Great for 2 levels of Varnish caching

2 levels Varnish Varnish Varnish Varnish Web Web Web Web
Web Client Popular data All data

What about loadbalancing in v4?

Directors have been moved to the vmod_directors

vcl 4.0; ! backend apache {
.host = "127.0.0.1"; .port = "8080"; } ! backend nginx { .host = "127.0.0.1"; .port = "8081"; } ! import directors; ! sub vcl_init { new vdir = directors.round_robin(); vdir.add_backend(apache); vdir.add_backend(nginx); } ! sub vcl_recv { set req.backend_hint = vdir.backend(); } Round robin in v4

.host = "127.0.0.1"; .port = "8080"; } ! backend nginx { .host = "127.0.0.1"; .port = "8081"; } ! import directors; ! sub vcl_init { new vdir = directors.random(); vdir.add_backend(apache,10); vdir.add_backend(nginx,5); } ! sub vcl_recv { set req.backend_hint = vdir.backend(); } Random in v4

… ! backend apache {
.host = "127.0.0.1"; .port = "8080"; .probe = healthcheck; } ! backend nginx { .host = "127.0.0.1"; .port = "8081"; .probe = healthcheck; } ! import directors; ! sub vcl_init { new vdir = directors.fallback(); vdir.add_backend(apache); vdir.add_backend(nginx); } ! sub vcl_recv { set req.backend_hint = vdir.backend(); } Fallback in v4

.host = "127.0.0.1"; .port = "8080"; } ! backend nginx { .host = "127.0.0.1"; .port = "8081"; } ! import directors; ! sub vcl_init { new vdir = directors.hash(); vdir.add_backend(apache,1.0); vdir.add_backend(nginx,1.0); } ! sub vcl_recv { set req.backend_hint = vdir.backend(client.identity); } IP hash in v4 No more client director. Use hash instead

.host = "127.0.0.1"; .port = "8080"; } ! backend nginx { .host = "127.0.0.1"; .port = "8081"; } ! import directors; ! sub vcl_init { new vdir = directors.hash(); vdir.add_backend(apache,1.0); vdir.add_backend(nginx,1.0); } ! sub vcl_recv { set req.backend_hint = vdir.backend(req.url); } URL hash in v4

The power of VCL

sub vcl_fetch { if(req.url ~ "^/bla")
{ set beresp.ttl = 10s; } else { set beresp.ttl = 3600s; } } Force TTL

sub vcl_backend_response { if(bereq.url ~ "^/bla")
{ set beresp.ttl = 10s; } else { set beresp.ttl = 3600s; } } Force TTL v4

sub vcl_recv { unset req.http.cookie;
} ! sub vcl_fetch { unset beresp.http.set-‐cookie; } Remove cookies

sub vcl_recv { unset req.http.cookie;
} ! sub vcl_backend_response { unset beresp.http.set-‐cookie; } Remove cookies in v4

sub vcl_recv { set req.http.Cookie = regsuball(req.http.Cookie, "__utm.=[^;]+(;
)?", ""); set req.http.Cookie = regsuball(req.http.Cookie, "utmctr=[^;]+(; )?", ""); set req.http.Cookie = regsuball(req.http.Cookie, "utmcmd.=[^;]+(; )?", ""); set req.http.Cookie = regsuball(req.http.Cookie, "utmccn.=[^;]+(; )?", ""); ! if (req.http.cookie ~ "^ *$") { unset req.http.cookie; } } Remove GA cookies

sub vcl_hash { if(req.http.Cookie ~ "lang"){
hash_data(regsuball(req.http.Cookie, "^. +;? ?lang=([a-‐zA-‐Z0-‐9]+)( |;| ;).*$","\1")); } } Hash a cookie

sub vcl_recv { if (req.url ~ "^[^?]*\.(bmp|bz2|css|doc| eot|flv|gif|gz|ico|jpeg|jpg|js|less|mp[34]|
pdf|png|rar|rtf|swf|tar|tgz|txt|wav|woff| xml|zip)(\?.*)?$") { unset req.http.Cookie; return (lookup); } } Cache static files

sub vcl_recv { if (req.url ~ "^[^?]*\.(bmp|bz2|css|doc| eot|flv|gif|gz|ico|jpeg|jpg|js|less|mp[34]|
pdf|png|rar|rtf|swf|tar|tgz|txt|wav|woff| xml|zip)(\?.*)?$") { unset req.http.Cookie; return (hash); } } Cache static files in v4

sub vcl_deliver { set resp.http.x-‐cache-‐hits =
obj.hits; if (obj.hits > 0) { set resp.http.x-‐cache = "hit"; } else { set resp.http.x-‐cache = "miss"; } } Add debug header

Edge Side Includes

header.php menu.php main.php footer.php TTL 5s No caching TTL 10s
TTL 2s

sub vcl_recv { set req.http.Surrogate-‐Capability="key=ESI/ 1.0"; }
sub vcl_fetch { if(beresp.http.Surrogate-‐Control~"ESI/1.0") { unset beresp.http.Surrogate-‐Control; set beresp.do_esi=true; } } Edge Side Includes

sub vcl_recv { set req.http.Surrogate-‐Capability="key=ESI/ 1.0"; }
sub vcl_backend_response { if(beresp.http.Surrogate-‐Control~"ESI/1.0") { unset beresp.http.Surrogate-‐Control; set beresp.do_esi=true; } } Edge Side Includes in v4

Varnish doesn’t support SSL

Terminate your SSL elsewhere

What about your projects?

Varnish: Making Your Site Bullet Proof - FIL2014

Varnish: Making Your Site Bullet Proof - FIL2014

More Decks by Thijs Feryn

Other Decks in Technology

Featured

Transcript