varnish

Install Varnish Cache 6 for Apache/Nginx on CentOS 7

Step 1: Add EPEL repository

Some of the dependencies to be installed require EPEL repository setup. Just run the following command to add EPEL to your CentOS 7 system.

sudo yum install -y epel-release

The “-y” means no prompt is given before a package is downloaded and installed.

Step 2: Install Dependency packages

We need to install pygpgme & yum-utils if the repository is added via repo management tool.

sudo yum -y install pygpgme yum-utils

Step 3: Add Varnish Cache repository

In this step, we’re adding Varnish Cache repository for CentOS 7. Copy the commands below and paste them on the terminal. Use a user account with sudo access.

sudo tee /etc/yum.repos.d/varnish60lts.repo<<EOF
[varnish60lts]
name=varnishcache_varnish60lts
baseurl=https://packagecloud.io/varnishcache/varnish60lts/el/7/x86_64
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/varnishcache/varnish60lts/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
EOF

Step 4: Install Varnish 6 on CentOS 7

On a CentOS 7 system, updating Yum cache is optional. Let’s just update our local yum cache before installing the application. Here we’re limiting update to the added repository only.

$ sudo yum -q makecache -y --disablerepo='*' --enablerepo='varnish60lts'

Importing GPG key 0xA750EDCD:
 Userid     : "https://packagecloud.io/varnishcache/varnish60lts (https://packagecloud.io/docs#gpg_signing) support@packagecloud.io"
 Fingerprint: 48d8 1a24 cb04 56f5 d594 31d9 4cfc fd6b a750 edcd
 From       : https://packagecloud.io/varnishcache/varnish60lts/gpgkey

Then install Varnish 6 on CentOS 7 system.

$ sudo yum install varnish

Configure Varnish Cache for Nginx/Apache Web Server

We stated earlier that Varnish Cache is a caching HTTP reverse proxy which sits in front of a web server. The goal is to speed up web servers.

Install your favorite web server – This demo shows the installation of Nginx/Apache HTTPD server.

# Apache
$ sudo yum -y install httpd

# Nginx
$ sudo yum -y install nginx

1. Configure Nginx to Work With Varnish Cache

By default, Nginx listens on TCP port 80, you need to change Listen port to 8080. Varnish Cache will use port 80.

$ sudo vi /etc/nginx/nginx.conf
.....
server {
        listen       8080 default_server;
        ....
}

If using Virtual Hosting feature, edit the relevant configuration file, e.g.

$ sudo vi /etc/nginx/conf.d/mysite.conf

Then restart Nginx.

$ sudo systemctl restart nginx

Confirm your settings.

$ ss -tunelp | grep 8080
tcp    LISTEN     0      128       *:8080                  *:*                   users:(("nginx",pid=13073,fd=6),("nginx",pid=13072,fd=6),("nginx",pid=13071,fd=6)) ino:34626 sk:ffff8af4b7a9ec80 <->
tcp    LISTEN     0      128      :::8080                 :::*                   users:(("nginx",pid=13073,fd=7),("nginx",pid=13072,fd=7),("nginx",pid=13071,fd=7)) ino:34627 sk:ffff8af52e828840 v6only:1 <->

2. Configure Apache to Work With Varnish Cache

If you’re using Apache web server, set Listen port to 8080.

$ sudo vi /etc/httpd/conf/httpd.conf
...
Listen 8080

A single sed command can also be used.

sudo sed -i "s/Listen 80/Listen 8080/" /etc/httpd/conf/httpd.conf

Restart httpd service after the change.

sudo systemctl restart httpd

Configuring Varnish for Systemd

11. To deploy Varnish in front of HTTPD, you simply need to configure it to listen to client requests in the default HTTP port 80 as explained below.

Note that in Varnish Cache 6.0 and higher, you have to set the port varnish server listens on in the Varnish service file for systemd. First, open it for editing.

# systemctl edit --full  varnish

Look for the ExecStart line, then change the value of the -a switch (which specifies the varnish listen to the address and port) from :6081 to :80 as indicated in the following screenshot.

Importantly, if you do not specify an address, varnishd will listen on all available IPv4 and IPv6 interfaces active on the server.

ExecStart=/usr/sbin/varnishd -a :6081 -f /etc/varnish/default.vcl -s malloc,256m

[Unit]

Description=Varnish Cache, a high-performance HTTP accelerator

After=network-online.target

[Service]

Type=forking

KillMode=process

# Maximum number of open files (for ulimit -n)

LimitNOFILE=131072

# Locked shared memory - should suffice to lock the shared memory log

# (varnishd -l argument)

# Default log size is 80MB vsl + 1M vsm + header -> 82MB

# unit is bytes

LimitMEMLOCK=85983232

# Enable this to avoid "fork failed" on reload.

TasksMax=infinity

# Maximum size of the corefile.

LimitCORE=infinity

ExecStart=/usr/sbin/varnishd -a :80 -f /etc/varnish/default.vcl -s malloc,256m

ExecReload=/usr/sbin/varnishreload

[Install]

WantedBy=multi-user.target

Look for the ExecStart line, then change the value of the -a switch (which specifies the varnish listen to the address and port) from :6081 to :80 as indicated in the following screenshot.

Importantly, if you do not specify an address, varnishd will listen on all available IPv4 and IPv6 interfaces active on the server.

Configuring Varnish Backend Servers using VCL

12. Now, you need to configure the origin server, known in Varnish terminology as a backend. It is the server that understands HTTP, Varnish talks to, to fetch content – httpd in this case. It is configured in the main configuration file /etc/varnish/default.vcl.

# vi /etc/varnish/default.vcl 

There is a default backend configuration section called default. You may change “default” to server1 (or any name of your choice to meet your environment standards). By default, the host parameter points to the localhost, on assumption that the backend server is running on the localhost.

Then set the port to 8080 (the port you defined in Apache virtual host configuration file) as shown in the screenshot.

backend server1 {
    .host = "127.0.0.1";
    .port = "8080";
}

cat default.vcl 

#

# This is an example VCL file for Varnish.

#

# It does not do anything by default, delegating control to the

# builtin VCL. The builtin VCL is called when there is no explicit

# return statement.

#

# See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/

# and https://www.varnish-cache.org/trac/wiki/VCLExamples for more examples.

# Marker to tell the VCL compiler that this VCL has been adapted to the

# new 4.0 format.

vcl 4.0;

# Default backend definition. Set this to point to your content server.

backend default {

    .host = "10.128.0.2";

    .port = "8080";

}

sub vcl_recv {

    # Happens before we check if we have this in cache already.

    #

    # Typically you clean up the request here, removing cookies you don't need,

    # rewriting the request, etc.

}

sub vcl_backend_response {

    # Happens after we have read the response headers from the backend.

    #

    # Here you clean the response headers, removing silly Set-Cookie headers

    set beresp.ttl = 10s;

    set beresp.grace = 1h;    # and other mistakes your backend does.

}

sub vcl_deliver {

    # Happens when we have all the pieces we need, and are about to send the

    # response to the client.

    #

    # You can do accounting or modifying the final object here.

}

If your backend server is running on a different host, for example, another server with address 10.42.1.10, then the host parameter should point to this IP address.

13. After making all the necessary changes concerning Varnish, reload the systemd manager configuration to reflect the new changes in the Varnish service file and also restart the Varnish service to apply the overall changes.

# systemctl daemon-reload
# systemctl restart varnish

At this point, Varnish and Apache should now be listening on port 80 and 8080 respectively. 

SSL Support with Nginx (Optional)

Varnish does not support SSL termination natively, so we will install Nginx for the sole purpose of handling HTTPS traffic. We will cover the steps to install and configure Nginx with a self-signed SSL certificate, and reverse proxy traffic from an HTTPS connection to Varnish over HTTP.

If you would like a more detailed explanation of setting up a self-signed SSL certificate with Nginx, refer to this link: SSL with Nginx for Ubuntu. If you want to try out a certificate from StartSSL, here is a tutorial that covers that.

Let’s install Nginx.

Install Nginx

On Varnish_VPS, let’s install Nginx with the following apt command:

sudo apt-get install nginx

After the installation is complete, you will notice that Nginx is not running. This is because it is configured to listen on port 80 by default, but Varnish is already using that port. This is fine because we want to listen on the default HTTPS port, port 443.

Let’s generate the SSL certificate that we will use.

Generate Self-signed SSL Certificate

On Varnish_VPS, create a directory where SSL certificate can be placed:

sudo mkdir /etc/nginx/ssl

Generate a self-signed, 2048-bit SSL key and certicate pair:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

Make sure that you set common name to match your domain name. This particular certificate will expire in a year.

Now that we have our certificate in place, let’s configure Nginx to use it.

Configure Nginx

Open the default Nginx server block configuration for editing:

sudo vi /etc/nginx/sites-enabled/default

vi /etc/nginx/conf.d/default.conf

Delete everything in the file and replace it with the following (and change the server_name to match your domain name):

server {
        listen 443 ssl;

        server_name example.com;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        location / {
            proxy_pass http://127.0.0.1:80;
            proxy_set_header X-Real-IP  $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Port 443;
            proxy_set_header Host $host;
        }
}

Save and exit. The above configuration has a few important lines that we will explain in more detail:

• ssl_certificate: specifies SSL certificate location
• sslcertificatekey: specifies SSL key location
• listen 443 ssl: configures Nginx to listen on port 443
• server_name: specifies your server name, and should match the common name of your SSL certificate
• proxy_pass http://127.0.0.1:80;: redirects traffic to Varnish (which is running on port 80 of 127.0.0.1 (i.e. localhost)

The other proxy_set_header lines tell Nginx to forward information, such as the original user’s IP address, along with any user requests.

Now let’s start Nginx so our server can handle HTTPS requests.

sudo service nginx start

Now test it out with a web browser, by visiting your Varnish server by its public IP address, on port 443 (HTTPS) this time:

https://varnish_VPS_public_IP

Note: If you used a self-signed certificate, you will see a warning saying something like “The site’s security certificate is not trusted”. Since you know you just created the certificate, it is safe to proceed.

Again, you should see the same application page as before. The difference is that you are actually visiting the Nginx server, which handles the SSL encryption and forwards the unencrypted request to Varnish, which treats the request like it normally does.

Configure Backend Web Server

If your backend web server is binding to all of its network interfaces (i.e. public and private network interfaces), you will want to modify your web server configuration so it is only listening on its private interface. This is to prevent users from accessing your backend web server directly via its public IP address, which would bypass your Varnish Cache.

In Apache or Nginx, this would involve assigning the value of the listen directives to bind to the private IP address of your backend server.

NGINX Varnish SSL - too many redirects

You need to configure your SSL terminator as reverse proxy:

in your nginx ssl configuration, add this:

location / {
  proxy_pass  http://VARNISH-IP-ADDR-OR-HOSTNAME;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $remote_addr;
  proxy_set_header X-Forwarded-Proto https;
  proxy_set_header X-Nginx on;
  proxy_redirect     off;
}

Then, in your varnish vcl file

if ( req.http.X-Nginx != "on") {
      return (synth(750, ""));
}
...
sub vcl_synth {
  if (resp.status == 750) {
    set resp.status = 301;
    set resp.http.Location = "https://YOUR-SSL-FQDN" + req.url;
    return(deliver);
  }
}

Last: for wordpress, in wp-config.php add these lines:

define('FORCE_SSL_ADMIN', true);
$_SERVER['HTTPS']='on';

One more thing I had to do was to add proxy_set_header X-Forwarded-Protocol $scheme; to my default file in /etc/nginx/sites-enabled/default so it looks like this:

server {                                                      
        ...                                                    
        location / {                                          
                 ...
            proxy_set_header X-Forwarded-Protocol $scheme;
          }
  }

too many redirects rename htaccess

Basic WP #Basic WP

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

sorry you are not allowed to access this page. 

insert in wp-config.php

after <?php

define('FORCE_SSL_ADMIN', true);
if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
    $_SERVER['HTTPS']='on';