How to configure Varnish cache on SSL.

Varnish is an HTTP reverse proxy, also called an HTTP accelerator. It is used to increase the performance of a web application and reduce the time it takes to serve content to a user. The main technique it uses is caching responses from a web or application server in memory, so future requests for the same content can be served without having to retrieve it from the web server.

Varnish stands between the user's request and Apache. When a request arrives, Varnish checks whether a cached response is available for it. If one is, the response is served from Varnish; if not, the request goes to Apache, and the response returns through Varnish to the user. Varnish keeps that response in its cache, so the next time the response is served from Varnish, which reduces the response time.

Varnish cache server.

How will we achieve this:

We will place an Nginx server in front of Varnish. When a request comes in over HTTPS it arrives at Nginx, and Nginx calls Varnish; if Varnish has the response cached, it is served from there. If Varnish has no cached response, the request goes on to Apache and the response comes back the same way.

Now the Varnish cache system will look like this:

Got it, but how to do this?

There are some commands you need to run and some configuration to change (Ubuntu):

Install Varnish


sudo apt-get update
sudo apt-get install varnish

By default varnish runs on port 6081.

Configure Varnish

First, we will configure Varnish to use our LAMP.

The configuration file of Varnish is located at /etc/varnish/default.vcl. Let’s edit it now:

sudo vi /etc/varnish/default.vcl

We need to change the lines below:

backend default {
    .host = "";
    .port = "8080";
}

Change the values of host and port to match your LAMP server's private IP address and listening port, respectively. Note that we are assuming that your web application is listening on its private IP address and port 80. If this is not the case, modify the configuration to match your needs:

backend default {
    .host = "LAMP_VPS_private_IP";
    .port = "80";
}

Like Apache, Varnish also has a “grace mode” that, when enabled, instructs Varnish to serve a cached copy of requested pages if your web server backend goes down and becomes unavailable. Let’s enable that now.

sub vcl_backend_response {
    set beresp.ttl = 10s;
    set beresp.grace = 1h;
}

Save and exit the default.vcl file.

We will want to set Varnish to listen on the default HTTP port (80), so your users will be able to access your site without adding an unusual port number to your URL. This can be set in the /etc/default/varnish file. Let’s edit it now:

sudo vi /etc/default/varnish

You will see various commented lines. Find the following DAEMON_OPTS line (it should be uncommented already):

DAEMON_OPTS="-a :6081 \

The -a option is used to assign the address and port that Varnish will listen for requests on. Let’s change it to listen to the default HTTP port, port 80. After your modification, it should look like this:

DAEMON_OPTS="-a :80 \

Save and exit.

Now restart Varnish to put the changes into effect:

sudo service varnish restart

Now test it out with a web browser, by visiting your Varnish server by its public IP address, on port 80 (HTTP) this time:

Install Nginx

sudo apt-get install nginx

After installing Nginx, you will notice that it is not running. This is because it is configured to listen on port 80 by default, but Varnish is already using that port. This is fine because we want to listen on the default HTTPS port, port 443.

Let’s generate the SSL certificate that we will use.

Generate Self-signed SSL Certificate

On Varnish_VPS, create a directory where the SSL certificate can be placed:

sudo mkdir /etc/nginx/ssl

Generate a self-signed certificate and 2048-bit key pair:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

Make sure that you set the common name to match your domain name. This particular certificate will expire in a year.
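
The same certificate step without the interactive prompts, followed by checks on what was generated. This is an added example, not part of the original article; the function names, the example.com name and the output directory are assumptions. It also sets a subjectAltName, which current browsers match instead of the common name, and keeps the private key readable by its owner only.

```shell
#!/bin/sh
# Added example (not from the original article). Function names and the
# directory/domain arguments are assumptions chosen for illustration.

# make_cert DIR DOMAIN: write DIR/nginx.key and DIR/nginx.crt for DOMAIN.
make_cert() {
    dir=$1 domain=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # umask 077 in a subshell so the key is never created world-readable.
    ( umask 077
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
          -subj "/CN=$domain" \
          -addext "subjectAltName=DNS:$domain" \
          -keyout "$dir/nginx.key" -out "$dir/nginx.crt" 2>/dev/null ) || return 1
    chmod 600 "$dir/nginx.key" && chmod 644 "$dir/nginx.crt"
}

# cert_cn CRT: print the certificate's common name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -e 's/^subject= *//' -e 's/^CN=//'
}

# key_matches_cert KEY CRT: succeed only if both hold the same public key,
# i.e. Nginx will be able to load the pair.
key_matches_cert() {
    a=$(openssl pkey -in "$1" -pubout | openssl sha256)
    b=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# valid_for_days CRT DAYS: succeed if CRT is still valid DAYS days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_mode KEY: print the key's octal permission bits (GNU stat, as on Ubuntu).
key_mode() { stat -c '%a' "$1"; }
```

On the server this would be run as root with /etc/nginx/ssl as the directory and your own domain name in place of example.com.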

Configure Nginx

Open the default Nginx server block configuration for editing:

sudo vi /etc/nginx/sites-enabled/default

Delete everything in the file and replace it with the following (and change the server_name to match your domain name):

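server {
        listen 443 ssl;

        # Placeholder: change this to your domain name
        server_name example.com;

        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        location / {
            # Pass the decrypted request to Varnish on port 80 of localhost
            proxy_pass http://127.0.0.1:80;
            proxy_set_header X-Real-IP  $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Port 443;
            proxy_set_header Host $host;
        }
}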

Save and exit. The above configuration is explained below in more detail:

  • ssl_certificate: specifies the SSL certificate location
  • ssl_certificate_key: specifies the SSL key location
  • listen 443 ssl: configures Nginx to listen on port 443
  • server_name: specifies your server name, and should match the common name of your SSL certificate
  • proxy_pass: redirects traffic to Varnish (which is running on port 80 of localhost)

Now restart Nginx:

sudo service nginx start
