@govind0229
Last active October 17, 2022 01:08
How to Install Varnish + Hitch Cache for Apache on CentOS/RHEL8


  • Varnish Cache is a free open source, modern and high-performance web application accelerator. It is a fast reverse HTTP proxy that caches content to speed up your web server performance, by storing web content in server memory – in a cache. It is configured to run in front of an origin server such as Apache (HTTPD) webserver.

Hitch and varnish workflow

Step 1: Installing Apache Web Server.

	# dnf update
	# dnf install httpd
	# systemctl start httpd
	# systemctl enable httpd
	# systemctl status httpd

Allow HTTP through the firewall.

	# firewall-cmd --zone=public --permanent --add-service=http
	# firewall-cmd --reload

Step 2: Installing Varnish Cache 6.4

	# dnf module install varnish
	# varnishd -V

Start Varnish service.

	# systemctl start varnish
	# systemctl enable varnish
	# systemctl status varnish

Step 3: Configuring Apache to Work with Varnish Cache.

    # vi /etc/httpd/conf.d/flexydial.conf
    # httpd must listen on this port: replace "Listen 80" with "Listen 8089" in
    # /etc/httpd/conf/httpd.conf, because port 80 is handed to Varnish below.
    <VirtualHost *:8089>
        Protocols h2 http/1.1
        ServerAdmin localhost@localhost.com
        Alias /static/     /usr/local/src/project/static/
        Alias /recordings/ /var/spool/project/default/

        WSGIDaemonProcess project python-path=/usr/local/src/project/ python-home=/usr/local/src/project/projectenv display-name=project-app processes=3 threads=85
        WSGIProcessGroup project
        WSGIScriptAlias / /usr/local/src/project/project/wsgi.py

        LogLevel warn
        CustomLog logs/project-access.log combined
        ErrorLog logs/project-error.log
    </VirtualHost>

Disable HTTPS in Apache permanently (Hitch will terminate TLS instead).

	# vim /etc/httpd/conf.d/ssl.conf
	#Listen 443 https      (comment out so httpd no longer binds port 443)
	# httpd -t
	# systemctl restart httpd

Configuring Varnish for Apache.

	# systemctl edit --full varnish

On CentOS versions before 7 (no systemd) the listen options live in this file instead:

	# vim /etc/sysconfig/varnish

  • Look for the ExecStart line, then change the value of the -a switch (the address and port varnishd listens on) from :6081 to :80, as shown below.

Importantly, if you do not specify an address, varnishd will listen on all available IPv4 and IPv6 interfaces active on the server.

ExecStart=/usr/sbin/varnishd -a :80 -f /etc/varnish/default.vcl -s malloc,256m

Configuring Varnish Backend Servers using VCL.

	# vi /etc/varnish/default.vcl
vcl 4.0;
import std;

# Default backend definition: the Apache VirtualHost on port 8089 from Step 3.
backend default {
    .host = "127.0.0.1";
    .port = "8089";
}

sub vcl_recv {
    # Redirect anything that did not arrive on port 443 to HTTPS.
    # server.ip is taken from the PROXY protocol header when the request comes
    # in through Hitch (Steps 5 and 7), so it reports port 443 only if Hitch
    # sends PROXY; without it Varnish sees 127.0.0.1:8443 and every request is
    # redirected again, which shows up as a 301 loop.
    if (std.port(server.ip) != 443) {
        set req.http.location = "https://" + req.http.host + req.url;
        return (synth(301));
    }
}

sub vcl_synth {
    if (resp.status == 301) {
        set resp.http.location = req.http.location;
        set resp.status = 301;
        return (deliver);
    }
}

Save the file, reload systemd and restart the Varnish service.

	# systemctl daemon-reload
	# systemctl restart varnish

	# ss -tpln   (lists the listening TCP ports and the processes that own them)

Step 4: Install Hitch.

  • Hitch is a free, open source, libev-based and scalable SSL/TLS proxy designed for Varnish Cache. It supports TLS 1.2 and TLS 1.3 as well as legacy TLS 1.0/1.1, ALPN (Application-Layer Protocol Negotiation) and NPN (Next Protocol Negotiation) for HTTP/2, the PROXY protocol to pass the client IP/port to the backend, UNIX domain socket connections to the origin, and SNI (Server Name Indication) with and without wildcard certificates.
	# dnf install hitch openssl

Step 5: Configuring Varnish Cache for Hitch.

	# systemctl edit --full varnish

Add a second listener that accepts the PROXY protocol from Hitch. Bind it to loopback only, so the unencrypted PROXY port is never reachable from the network:

ExecStart=/usr/sbin/varnishd -a :80 -a 127.0.0.1:8443,proxy -f /etc/varnish/default.vcl -s malloc,256m

	# systemctl restart varnish

Step 6: Obtaining SSL/TLS Certificates.

Hitch expects the certificate and private key concatenated into one PEM file. The example uses the self-signed localhost certificate that mod_ssl generates; for a public site substitute a CA-issued certificate and key.

	# cd /etc/pki/tls/
	# cat certs/localhost.crt private/localhost.key > hitch.pam
	# chmod 600 hitch.pam      (the file contains the private key; Hitch loads it before dropping privileges to the hitch user)

Step 7: Configuring and Starting Hitch.

	# vi /etc/hitch/hitch.conf
frontend = {
    host = "*"
    port = "443"
}
backend = "[127.0.0.1]:8443"  # the PROXY listener added to varnishd in Step 5 (the stock config uses 6086)
workers = 4                   # number of CPU cores

daemon = on

# We strongly recommend you create a separate non-privileged hitch
# user and group
user = "hitch"
group = "hitch"

# Enable to let clients negotiate HTTP/2 with ALPN. (default off)
# alpn-protos = "h2, http/1.1"

# Varnish is the backend over PROXY: varnishd -a :80 -a 127.0.0.1:8443,proxy ..
write-proxy-v2 = on            # Write PROXY header (the port check in the VCL relies on this)

syslog = on
log-level = 1
# Combined certificate + key file created in Step 6
pem-file = "/etc/pki/tls/hitch.pam"

Save file and restart Hitch service.

	# systemctl enable --now hitch
	# systemctl status hitch
	# firewall-cmd --zone=public --permanent --add-service=https
	# firewall-cmd --reload

Step 8: Testing SSL/TLS Termination with Varnish Cache-Hitch Setup.

  • Once the index page of your web application has loaded, check the HTTP response headers to confirm that content is being served via Varnish Cache (look for the Via: 1.1 varnish and X-Varnish headers).

  • To do that, right-click on the loaded web page and select Inspect from the list of options to open the developer tools. Then click on the Network tab, reload the page, and select a request to view its response headers, as highlighted in the following screenshot.

    http://<Your Domain IP>/

    or

    https://<Your Domain IP>/
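The same checks from the command line, as an added script that is not part of the original gist: each checker reads the headers printed by `curl -sSI` and fails with a reason when the redirect or the Varnish hop is missing. The host name example.test and the sample headers are constructed so the demo runs without a server.

```shell
#!/bin/sh
# Added verification script for Step 8 (not part of the original gist).
# Each checker reads raw response headers (as printed by `curl -sSI`) on stdin
# and returns non-zero with a reason if the Hitch -> Varnish -> Apache chain
# does not behave as the VCL and hitch.conf above intend. The host name
# example.test and the sample headers are constructed for the demo.

status_of() { printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p'; }
header_of() { printf '%s\n' "$2" | grep -i "^$1:" | head -n1 | sed 's/^[^:]*:[[:space:]]*//'; }

# Plain http:// must answer 301 with Location pointing at the https:// URL ($1).
check_redirect() {
  hdrs=$(tr -d '\r'); st=$(status_of "$hdrs"); loc=$(header_of location "$hdrs")
  [ "$st" = 301 ] || { echo "expected 301 on :80, got '$st'"; return 1; }
  [ "$loc" = "$1" ] || { echo "Location is '$loc', expected '$1'"; return 1; }
  echo "OK: plain HTTP redirects to $loc"
}

# https:// must answer 200 through Varnish. A 301 here is the redirect loop:
# Varnish did not see port 443 in server.ip, which points at the PROXY
# handshake (write-proxy-v2 in hitch.conf and the ",proxy" listener in Step 5).
check_https() {
  hdrs=$(tr -d '\r'); st=$(status_of "$hdrs"); via=$(header_of via "$hdrs")
  if [ "$st" = 301 ]; then
    echo "https still redirects (301 loop): check PROXY between Hitch and Varnish"; return 1
  fi
  [ "$st" = 200 ] || { echo "unexpected status '$st' on https"; return 1; }
  case "$via" in *[Vv]arnish*) ;; *) echo "no 'Via: ... varnish' header, Varnish bypassed"; return 1;; esac
  echo "OK: served through Varnish ($via)"
}

# Live probe against a real host (needs the services running; -k accepts the
# self-signed localhost certificate from Step 6).
probe() {
  curl -sSI "http://$1/" | check_redirect "https://$1/" &&
  curl -sSIk "https://$1/" | check_https
}

# Stand-alone demo on constructed headers, so the script runs without network.
printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n' |
  check_redirect 'https://example.test/'
printf 'HTTP/2 200\r\nvia: 1.1 varnish (Varnish/6.4)\r\nx-varnish: 32773\r\nage: 0\r\n\r\n' |
  check_https
```

Run `probe <Your Domain IP>` once Hitch and Varnish are up; a 301 reported on the https probe is the loop described in the comments below the gist.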
    

Note: if httpd cannot bind port 8089 because SELinux only permits the default http ports, add 8089 to the http_port_t type.

	# yum install -y setroubleshoot-server selinux-policy-devel

Check which ports SELinux currently labels for httpd.

	# semanage port -l | grep -w http_port_t 

To allow the httpd service to run on TCP port 8089 (-a for add), type:

 	# semanage port -a -t http_port_t -p tcp 8089

Note1: Use the -d option instead of the -a option to remove a port from the list.

Alternatively, you can check the new status of the port (here 8089):

	# sepolicy network -p 8089

Thank you!

@govind0229 (Author) commented

HTTP/2 Enable with Varnish and Hitch

Add the line below to the varnish service

systemctl edit --full varnish

-p feature=+http2

Enable protocol h2 in the hitch.conf file

vim /etc/hitch/hitch.conf

Enable to let clients negotiate HTTP/2 with ALPN. (default off)

alpn-protos = "h2, http/1.1"

Restart the Varnish and Hitch services, then check the protocol in the browser

@zygal commented Oct 17, 2022

Thank you for a great howto. I understand clearly what you're doing, but for some reason my website gets stuck in a 301 redirect loop, as soon as I enable Hitch. Tried a bunch of configurations, nothing works as of yet.
