Skip to content

Instantly share code, notes, and snippets.

@khangvm53
Last active March 24, 2023 04:31
Show Gist options
  • Save khangvm53/104f6b5c106a37292c1c98fc6cde74d7 to your computer and use it in GitHub Desktop.
Save khangvm53/104f6b5c106a37292c1c98fc6cde74d7 to your computer and use it in GitHub Desktop.
Install varnish with nginx in Centos 7

Install nginx, varnish

yum install varnish
yum install nginx

Config nginx listen on port 8081

server {
        listen 8081;
        server_name www.example.com;
        rewrite ^(.*) http://example.com$1 permanent;
        }
server {
        listen 8081 default_server;
        server_name example.com;
        ....................

}

Varnish

  • Stop nginx and varnish
  • Config varnish vi /etc/varnish/default.vcl (for wordpress)
#
# This is an example VCL file for Varnish.
#
# It does not do anything by default, delegating control to the
# builtin VCL. The builtin VCL is called when there is no explicit
# return statement.
#
# See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/
# and http://varnish-cache.org/trac/wiki/VCLExamples for more examples.

# Update for work with Varnish 4


# Marker to tell the VCL compiler that this VCL has been adapted to the
# new 4.0 format.
vcl 4.0;

# Default backend definition. Set this to point to your content server.
backend default {
    .host = "127.0.0.1";
    .port = "8081";
    .connect_timeout = 600s;
    .first_byte_timeout = 600s;
    .between_bytes_timeout = 600s;
    .max_connections = 800;
}

# Only allow purging from specific IPs
acl purge {
    "localhost";
    "127.0.0.1";
}

# This function is used when a request is send by a HTTP client (Browser)
sub vcl_recv {
        # Normalize the header, remove the port (in case you're testing this on various TCP ports)
        set req.http.Host = regsub(req.http.Host, ":[0-9]+", "");

        # Allow purging from ACL
        if (req.method == "PURGE") {
                # If not allowed then a error 405 is returned
                if (!client.ip ~ purge) {
                        return(synth(405, "This IP is not allowed to send PURGE requests."));
                }
                # If allowed, do a cache_lookup -> vlc_hit() or vlc_miss()
                return (purge);
        }

        # Post requests will not be cached
        if (req.http.Authorization || req.method == "POST") {
                return (pass);
        }

        # --- Wordpress specific configuration

        # Did not cache the RSS feed
        if (req.url ~ "/feed") {
                return (pass);
        }

        # Blitz hack
        if (req.url ~ "/mu-.*") {
                return (pass);
        }


        # Did not cache the admin and login pages
        if (req.url ~ "/wp-(login|admin)") {
                return (pass);
        }

        # Unset Cookies except for WordPress admin and WooCommerce pages
        if (!(req.url ~ "(wp-login|wp-admin|wc-ajax|cart|my-account/*|checkout|addons|logout|lost-password|product/*)")) {
                unset req.http.cookie;
        }
        # Pass through the WooCommerce dynamic pages
        if (req.url ~ "^/(cart|my-account/*|checkout|wc-ajax|addons|logout|lost-password|product/*)") {
                return (pass);
        }
        # Pass through the WooCommerce add to cart
        if (req.url ~ "\?add-to-cart=" ) {
                return (pass);
        }

        # Remove the "has_js" cookie
        set req.http.Cookie = regsuball(req.http.Cookie, "has_js=[^;]+(; )?", "");

        # Remove any Google Analytics based cookies
        set req.http.Cookie = regsuball(req.http.Cookie, "__utm.=[^;]+(; )?", "");

        # Remove the Quant Capital cookies (added by some plugin, all __qca)
        set req.http.Cookie = regsuball(req.http.Cookie, "__qc.=[^;]+(; )?", "");

        # Remove the wp-settings-1 cookie
        set req.http.Cookie = regsuball(req.http.Cookie, "wp-settings-1=[^;]+(; )?", "");

        # Remove the wp-settings-time-1 cookie
        set req.http.Cookie = regsuball(req.http.Cookie, "wp-settings-time-1=[^;]+(; )?", "");

        # Remove the wp test cookie
        set req.http.Cookie = regsuball(req.http.Cookie, "wordpress_test_cookie=[^;]+(; )?", "");

        # Are there cookies left with only spaces or that are empty?
        if (req.http.cookie ~ "^ *$") {
                    unset req.http.cookie;
        }

        # Cache the following files extensions
        if (req.url ~ "\.(css|js|png|gif|jp(e)?g|swf|ico)") {
                unset req.http.cookie;
        }

        # Normalize Accept-Encoding header and compression
        # https://www.varnish-cache.org/docs/3.0/tutorial/vary.html
        if (req.http.Accept-Encoding) {
                # Do no compress compressed files...
                if (req.url ~ "\.(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg)$") {
                                unset req.http.Accept-Encoding;
                } elsif (req.http.Accept-Encoding ~ "gzip") {
                        set req.http.Accept-Encoding = "gzip";
                } elsif (req.http.Accept-Encoding ~ "deflate") {
                        set req.http.Accept-Encoding = "deflate";
                } else {
                        unset req.http.Accept-Encoding;
                }
        }
        # Check the cookies for wordpress-specific items
        if (req.http.Cookie ~ "wordpress_" || req.http.Cookie ~ "comment_") {
                return (pass);
        }
        if (!req.http.cookie) {
                unset req.http.cookie;
        }

        # --- End of Wordpress specific configuration

        # Did not cache HTTP authentication and HTTP Cookie
        if (req.http.Authorization || req.http.Cookie) {
                # Not cacheable by default
                return (pass);
        }

        # Cache all others requests
        return (hash);
}

sub vcl_pipe {
        return (pipe);
}

sub vcl_pass {
        return (fetch);
}

# The data on which the hashing will take place
sub vcl_hash {
        hash_data(req.url);
        if (req.http.host) {
        hash_data(req.http.host);
        } else {
        hash_data(server.ip);
        }

        # If the client supports compression, keep that in a different cache
        if (req.http.Accept-Encoding) {
                hash_data(req.http.Accept-Encoding);
        }

        return (lookup);
}

# This function is used when a request is sent by our backend (Nginx server)
sub vcl_backend_response {
        # Remove some headers we never want to see
        unset beresp.http.Server;
        unset beresp.http.X-Powered-By;

        # For static content strip all backend cookies
        if (bereq.url ~ "\.(css|js|png|gif|jp(e?)g)|swf|ico") {
                unset beresp.http.cookie;
        }

        # Only allow cookies to be set if we're in admin area
        #if (beresp.http.Set-Cookie && bereq.url !~ "/wp-(login|admin)") {
        #       unset beresp.http.Set-Cookie;
        #}

        #Only allow cookies to be set if we're in admin area and WooCommerce pages
        # Unset Cookies except for WordPress admin and WooCommerce pages
        if ( (!(bereq.url ~ "(wp-login|wp-admin|login|cart|my-account/*|checkout|addons|logout|lost-password|product/*)")) || (bereq.method == "GET") ) {
                unset beresp.http.Set-Cookie;
        }


        # don't cache response to posted requests or those with basic auth
        if ( bereq.method == "POST" || bereq.http.Authorization ) {
                set beresp.uncacheable = true;
                set beresp.ttl = 120s;
                return (deliver);
        }

        # don't cache search results
        if ( bereq.url ~ "\?s=" ){
                set beresp.uncacheable = true;
                set beresp.ttl = 120s;
                return (deliver);
        }

        # only cache status ok
        if ( beresp.status != 200 ) {
                set beresp.uncacheable = true;
                set beresp.ttl = 120s;
                return (deliver);
        }

        # A TTL of 24h
        set beresp.ttl = 24h;
        # Define the default grace period to serve cached content
        set beresp.grace = 30s;

        return (deliver);
}

# The routine when we deliver the HTTP request to the user
# Last chance to modify headers that are sent to the client
sub vcl_deliver {
        if (obj.hits > 0) {
                set resp.http.X-Cache = "Hit";
        } else {
                set resp.http.x-Cache = "Miss";
        }

        # Remove some headers: PHP version
        unset resp.http.X-Powered-By;

        # Remove some headers: Apache version & OS
        unset resp.http.Server;

        # Remove some heanders: Varnish
        unset resp.http.Via;
        unset resp.http.X-Varnish;

        return (deliver);
}

sub vcl_init {
        return (ok);
}

sub vcl_fini {
        return (ok);
}


  • Config varnish vi /etc/varnish/varnish.params
# Varnish environment configuration description. This was derived from
# the old style sysconfig/defaults settings
# Set this to 1 to make systemd reload try to switch vcl without restart.
RELOAD_VCL=1

# Main configuration file. You probably want to change it.
VARNISH_VCL_CONF=/etc/varnish/default.vcl

# Default address and port to bind to. Blank address means all IPv4
# and IPv6 interfaces, otherwise specify a host name, an IPv4 dotted
# quad, or an IPv6 address in brackets.
VARNISH_LISTEN_ADDRESS=
VARNISH_LISTEN_PORT=80

# Admin interface listen address and port
VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
VARNISH_ADMIN_LISTEN_PORT=6082

# Shared secret file for admin interface
VARNISH_SECRET_FILE=/etc/varnish/secret

# Backend storage specification, see Storage Types in the varnishd(5)
# man page for details.
VARNISH_STORAGE="file,/var/lib/varnish/varnish_storage.bin,1G"

# Default TTL used when the backend does not specify one
VARNISH_TTL=120

# User and group for the varnishd worker processes
VARNISH_USER=varnish
VARNISH_GROUP=varnish

# Other options, see the man page varnishd(1)
#DAEMON_OPTS="-a :80 -p thread_pool_min=5 -p thread_pool_max=500 -p thread_pool_timeout=300"
DAEMON_OPTS="-a :80 \
             -T localhost:6082 \
             -f /etc/varnish/default.vcl \
             -S /etc/varnish/secret \
             -s malloc,256m"

check varnish cli: varnishstat

check varnish listening on port 80: netstat -tulpn (Notice: check varnish listening on port 80 TCP(ipv4) and TCP6(ipv6) )

# netstat -tulpn

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      646/exim
tcp        0      0 127.0.0.1:6082          0.0.0.0:*               LISTEN      7895/varnishd
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      8543/php-fpm: pool
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      25150/mysqld
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      646/exim
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      7896/varnishd
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      8135/nginx: master
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      646/exim
tcp        0      0 0.0.0.0:1235            0.0.0.0:*               LISTEN      8135/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      637/sshd
tcp6       0      0 :::25                   :::*                    LISTEN      646/exim
tcp6       0      0 ::1:6082                :::*                    LISTEN      7895/varnishd
tcp6       0      0 :::587                  :::*                    LISTEN      646/exim
tcp6       0      0 :::80                   :::*                    LISTEN      7896/varnishd
tcp6       0      0 :::465                  :::*                    LISTEN      646/exim
tcp6       0      0 :::21                   :::*                    LISTEN      5791/vsftpd
tcp6       0      0 :::22                   :::*                    LISTEN      637/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           9023/dhclient
udp        0      0 0.0.0.0:53346           0.0.0.0:*                           9023/dhclient
udp        0      0 0.0.0.0:57953           0.0.0.0:*                           361/avahi-daemon: r
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           361/avahi-daemon: r
udp6       0      0 :::15871                :::*                                9023/dhclient

Restart service (stop nginx before start varnish. If nginx still running, it will keep port 80)

systemctl stop nginx
systemctl restart varnishd
systemctl restart varnishncsa
systemctl restart varnishlog   (By defualt Varnish log directory path is /var/log/varnish/)
systemctl restart nginx

Test Varnish

curl -I http://example.com
HTTP/1.1 200 OK
Date: Wed, 13 Apr 2016 10:58:25 GMT
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding, Cookie
X-Pingback: http://example.com
Link: <http://example.com/>; rel=shortlink
Age: 57047
X-Cache: Hit
Connection: keep-alive

Install Vanisher

yum install rubygems
yum install ruby-devel
yum install zlib-devel
yum install libxml2-devel
yum install libxslt-devel
gem install nokogiri
gem install varnisher
gem install bundler

Purge cache

varnisher purge http://example.com/
or
varnishadm "ban req.http.host ~ example.com"
or
curl -X PURGE http://example.com/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment