Configure varnish cache in front of any website

01Feb

Configure varnish cache in front of any website

You need to get a dedicated server, VPS or a droplet on the digital ocean to setup varnish server.
Now i would be explaining the life cycle of each request.
The request will come on 443 which would be nginx in our case or 80 which would be varnish server.
Port 443 nginx will forward the request to varnish server on port 80, if the cache is available it will send back request to 443 otherwise follow the below step.
varnish will then send a request to apache server which is on port 8888.
 
Once you get the server login the panel via putty.
Change Password

passwd

Check for new updates

yum check-update

Update your server

yum update

Install commonly used programs

yum install -y links htop nano

Install the EPEL repository

sudo yum install epel-release

Change the security settings

nano /etc/selinux/config

change the line below

SELINUX=enforcing

to this line

SELINUX=disabled

Restart the server for the changes to take effect

sudo reboot

Stop the firewall

service firewalld stop

Install Nginx

yum install -y nginx

Take backup of original Nginx config file

mv /etc/nginx/nginx.conf /etc/nginx/nginx-old.conf

Place the new config changes

nano /etc/nginx/nginx.conf

 

# For more information on configuration, see:
 
#   * Official English Documentation: http://nginx.org/en/docs/
 
#   * Official Russian Documentation: http://nginx.org/ru/docs/
 
user nginx;
 
worker_processes 12;
 
error_log /var/log/nginx/error.log;
 
pid /run/nginx.pid;
 
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
 
include /usr/share/nginx/modules/*.conf;
 
events {
 
    worker_connections 8096;
 
    multi_accept        on;
 
    use                 epoll;
 
}
 
http {
 
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
 
                      '$status $body_bytes_sent "$http_referer" '
 
                      '"$http_user_agent" "$http_x_forwarded_for"';
 
    access_log  /var/log/nginx/access.log  main;
 
    sendfile            on;
 
    tcp_nopush          on;
 
    tcp_nodelay         on;
 
    keepalive_timeout   20;
 
    types_hash_max_size 2048;
 
    client_max_body_size 256M;
 
    include             /etc/nginx/mime.types;
 
    default_type        application/octet-stream;
 
    # Load modular configuration files from the /etc/nginx/conf.d directory.
 
    # See http://nginx.org/en/docs/ngx_core_module.html#include
 
    # for more information.
 
    include /etc/nginx/conf.d/*.conf;
 
    server {
 
    proxy_pass_header Server;
 
        listen       81 default_server;
 
        #listen       [::]:81 default_server;
 
        server_name  _;
 
        root         /usr/share/nginx/html;
 
        # Load configuration files for the default server block.
 
        include /etc/nginx/default.d/*.conf;
 
        location / {
 
        }
 
        error_page 404 /404.html;
 
            location = /40x.html {
 
        }
 
        error_page 500 502 503 504 /50x.html;
 
            location = /50x.html {
 
        }
 
    }
 
include /etc/nginx/snippets/ssl-params.conf;
 
include /etc/nginx/sites-enabled/*;
 
# Settings for a TLS enabled server.
 
#
 
#    server {
 
#        listen       443 ssl http2 default_server;
 
#        listen       [::]:443 ssl http2 default_server;
 
#        server_name  _;
 
#        root         /usr/share/nginx/html;
 
#
 
#        ssl_certificate "/etc/pki/nginx/server.crt";
 
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
 
#        ssl_session_cache shared:SSL:1m;
 
#        ssl_session_timeout  10m;
 
#        ssl_ciphers HIGH:!aNULL:!MD5;
 
#        ssl_prefer_server_ciphers on;
 
#
 
#        # Load configuration files for the default server block.
 
#        include /etc/nginx/default.d/*.conf;
 
#
 
#        location / {
 
#        }
 
#
 
#        error_page 404 /404.html;
 
#            location = /40x.html {
 
#        }
 
#
 
#        error_page 500 502 503 504 /50x.html;
 
#            location = /50x.html {
 
#        }
 
#    }
 
}

 
Generate DH parameters, 2048 bit long safe prime.

openssl dhparam -rand - 2048 | sudo tee /etc/nginx/dhparams.pem

 
If you already have a certificate on the previous server, create SSL directory

mkdir /var/ssl/
 
mkdir /var/ssl/domain.com/

If you have an existing certificate, Copy ca.cert file

nano /var/ssl/domain.com/ca.crt

If you have an existing certificate, Copy priv.key file

nano /var/ssl/domain.com/priv.key

Install certbot which is used by LetsEncrypt.

yum install certbot

Create a new SSL certificate from below commands or ignore if you have copied the certificate.
OPTION 1:

certbot certonly --standalone --preferred-challenges http --http-01-port 888 -d domain.com -d www.domain.com --post-hook="service nginx restart"

OPTION 2:

certbot -d domain.com
 
Location: /etc/letsencrypt/live/domain.com/fullchain.pem

OPRION3:
Create Les Encrypt certifacte manully. you would have to upload a file to verify the domain on “/.well-known/acme-challenge”

certbot -d domain.com --manual certonly

 
Create folder /etc/nginx/sites-enabled

mkdir /etc/nginx/sites-enabled

Create vhost for proxy with name “domain.conf”

nano /etc/nginx/sites-enabled/domain.conf
 
server {
 
        listen 443 ssl;
 
        server_name domain.com;
 
    #ssl_certificate /var/ssl/domain.com/ca.crt;
 
        #ssl_certificate_key /var/ssl/domain.com/priv.key;
 
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
 
        ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
 
        location / {
 
            proxy_pass http://127.0.0.1:80;
 
            proxy_set_header X-Real-IP  $remote_addr;
 
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
            proxy_set_header X-Forwarded-Proto https;
 
            proxy_set_header X-Forwarded-Port 443;
 
            proxy_set_header Host $host;
 
        proxy_pass_header Server;
 
        }
 
}

 
create folder /etc/nginx/snippets

mkdir /etc/nginx/snippets

create file inside /etc/nginx/snippets/ssl-params.conf

nano /etc/nginx/snippets/ssl-params.conf
 
# from https://cipherli.st/
 
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
 
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
ssl_prefer_server_ciphers on;
 
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
 
ssl_ecdh_curve secp384r1;
 
ssl_session_cache shared:SSL:10m;
 
ssl_session_tickets off;
 
ssl_stapling on;
 
ssl_stapling_verify on;
 
resolver 8.8.8.8 8.8.4.4 valid=300s;
 
resolver_timeout 5s;
 
# Disable preloading HSTS for now.  You can use the commented out header line that includes
 
# the "preload" directive if you understand the implications.
 
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
 
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
 
add_header X-Frame-Options DENY;
 
add_header X-Content-Type-Options nosniff;
 
ssl_dhparam /etc/nginx/dhparams.pem;

 
Restart the nginx server

service nginx restart

 
Renew LetsEncrypt certificate

/usr/bin/certbot renew --renew-hook "/usr/sbin/nginx reload" >> /var/log/le-renew.log

You can also place this command in cronjobs.

crontab -e
 
30 2 * * * /usr/bin/certbot renew --renew-hook "/usr/sbin/nginx reload" >> /var/log/le-renew.log
 
service crond restart

 
Now install varnish

yum install pygpgme yum-utils
 
nano /etc/yum.repos.d/varnish.repo

Place this code inside this file

[varnishcache_varnish5]
 
name=varnishcache_varnish5
 
baseurl=https://packagecloud.io/varnishcache/varnish5/el/7/$basearch
 
repo_gpgcheck=1
 
gpgcheck=0
 
enabled=1
 
gpgkey=https://packagecloud.io/varnishcache/varnish5/gpgkey
 
sslverify=1
 
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
 
metadata_expire=300
 
[varnishcache_varnish5-source]
 
name=varnishcache_varnish5-source
 
baseurl=https://packagecloud.io/varnishcache/varnish5/el/7/SRPMS
 
repo_gpgcheck=1
 
gpgcheck=0
 
enabled=1
 
gpgkey=https://packagecloud.io/varnishcache/varnish5/gpgkey
 
sslverify=1
 
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
 
metadata_expire=300

 

yum -q makecache -y --disablerepo='*' --enablerepo='varnishcache_varnish5'
 
yum install -y varnish

 
Edit file /etc/varnish/varnish.params and make changes below

nano /etc/varnish/varnish.params
 
Change: VARNISH_LISTEN_PORT=6081 to VARNISH_LISTEN_PORT=80

Replace the configuration in /etc/varnish/default.vcl

mv /etc/varnish/default.vcl /etc/varnish/default-old.vcl
 
nano /etc/varnish/default.vcl
 
vcl 4.0;
 
# Based on: https://github.com/mattiasgeniar/varnish-4.0-configuration-templates/blob/master/default.vcl
 
#import xkey;
 
import std;
 
#include "/etc/varnish/acmetool.vcl";
 
#include "/etc/varnish/streaming.vcl";
 
include "/etc/varnish/certbot.vcl";
 
# Define one backend
 
backend default
 
{
 
    .host = "111.111.111.111;   # IP or Hostname of backend
 
    .port = "80";           # Port Apache or whatever is listening
 
}
 
backend admin
 
{
 
    .host = "111.111.111.111";      # IP or Hostname of backend
 
    .port = "80";               # Port Apache or whatever is listening
 
    .first_byte_timeout     = 600s;     # How long to wait before we receive a first byte from our backend?
 
    .connect_timeout        = 600s;     # How long to wait for a backend connection?
 
    .between_bytes_timeout  = 600s;     # How long to wait between bytes received from our backend?
 
}
 
/*
 
backend local_system_code
 
{
 
    .host = "111.111.111.111";      # IP or Hostname of backend
 
    .port = "8888";                 # Port Apache or whatever is listening
 
    .first_byte_timeout     = 600s;     # How long to wait before we receive a first byte from our backend?
 
    .connect_timeout        = 600s;     # How long to wait for a backend connection?
 
    .between_bytes_timeout  = 600s;     # How long to wait between bytes received from our backend?
 
}
 
*/
 
acl purge
 
{
 
    # ACL we'll use later to allow purges
 
    "localhost";
 
    "209.126.111.251";
 
    "127.0.0.1";
 
    "::1";
 
    #"Client Specific IPs here";
 
}
 
sub vcl_recv
 
{
 
    ## Send admin requests to different backend with extended timeouts
 
    if (req.url ~ "^/admin") {
 
        set req.backend_hint = admin;
 
    }
 
        /*
 
    if (req.http.host ~ "example.com")
 
    {
 
        set req.backend_hint = local_system_code;
 
    }
 
    */
 
    ## To exclude domains from varnish
 
    /*
 
    if (req.http.host ~ "^(?i)staging.domain.com") {
 
        return (pass);
 
    }
 
    */
 
    ## Redirect to https
 
    if ((client.ip != "127.0.0.1" && std.port(server.ip) == 80) && (req.http.host ~ "^(?i)(www\.)?domain.com")) {
 
        if (req.method != "PURGE")
 
        {
 
            set req.http.x-redir = "https://" + req.http.host + req.url;
 
                return (synth(850, ""));
 
        }
 
    }
 
    ## Redirect assets to CDN
 
    /*
 
    if ( req.http.host == "domain.com" || req.http.host == "www.domain.com" || req.http.host == "cdn.domain.com")
 
    {
 
        if ( req.url ~ "\.(gif|ico|jpg|jpeg|png)$" && req.http.host != "cdn.domain.com" ) {
 
            set req.http.x-redir = "https://cdn.domain.com" + req.url;
 
            return (synth(750, ""));
 
        }
 
        if ( req.url !~ "\.(gif|ico|jpg|jpeg|png)$" && req.http.host == "cdn.domain.com" ) {
 
            set req.http.x-redir = "https://www.domain.com" + req.url;
 
            return (synth(760, ""));
 
        }
 
    }
 
    */
 
    ## Redirect specific traffic to another url
 
    /*
 
    if (req.http.host ~ "^(?i)m.domain.com")
 
    {
 
        return (synth(750, ""));
 
    }
 
    */
 
    ## Allow htaccess password
 
    if (req.http.Authorization || req.http.Authenticate)
 
    {
 
        return (pass);
 
    }
 
    ##PASSING REAL IP TO BACKEND
 
    if (req.restarts == 0)
 
    {
 
        if (req.http.X-Forwarded-For)
 
        {
 
            set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
 
        }
 
        else
 
        {
 
            set req.http.X-Forwarded-For = client.ip;
 
        }
 
    }
 
    ## Called at the beginning of a request, after the complete request has been received and parsed.
 
    ## Its purpose is to decide whether or not to serve the request, how to do it, and, if applicable,
 
    ## which backend to use.
 
    ## also used to modify the request
 
    ## Remove the proxy header (see https://httpoxy.org/#mitigate-varnish)
 
    unset req.http.proxy;
 
    ## Allow purging
 
    /*
 
    ## XKey logic
 
    if ( req.http.host == "domain.com" || req.http.host == "www.domain.com")
 
    {
 
        if (req.method == "PURGE")
 
        {
 
            # If not allowed then a error 405 is returned
 
            if (!client.ip ~ purge)
 
            {
 
                return(synth(405, "This IP is not allowed to send PURGE requests."));
 
            }
 
            set req.http.n-gone = xkey.softpurge("10000");
 
            return(synth(200, "BAN added - Invalidated "+req.http.n-gone+" objects"));
 
        }
 
    }
 
    */
 
    ## Override purging where mass urls need to be purged
 
    if (req.method == "BAN")
 
    {
 
        # If not allowed then a error 405 is returned
 
        if (!client.ip ~ purge)
 
        {
 
            return(synth(405, "This IP is not allowed to send PURGE requests."));
 
        }
 
        return (hash);
 
    }
 
    if (req.method == "PURGE")
 
    {
 
        # If not allowed then a error 405 is returned
 
        if (!client.ip ~ purge)
 
        {
 
            return(synth(405, "This IP is not allowed to send PURGE requests."));
 
        }
 
        #return (purge);
 
        ban("req.http.host ~ " + req.http.host + " && req.url ~ " + req.url);
 
    }
 
    if (req.url ~ "wp-login|admin|git_deployment|show=preview|checkout")
 
    {
 
        return (pass);
 
    }
 
    if(req.http.Cookie ~ "wordpress_logged_in_" )
 
    {
 
        return (pass);
 
    }
 
    # Post requests will not be cached
 
    if (req.http.Authorization || req.method == "POST")
 
    {
 
        return (pass);
 
    }
 
    ## Unset all cookies so that Varnish can serve cached content
 
    unset req.http.cookie;
 
}
 
## Handle the HTTP request coming from our backend
 
sub vcl_backend_response
 
{
 
    /*
 
    if (bereq.http.Host ~ "^(?i)(www\.)?domain.com" ||bereq.http.Host == "^(?i)www.domain.com" )
 
    {
 
        set beresp.http.xkey = "10000";
 
    }
 
    */
 
    /*
 
    if (beresp.status >= 500 && beresp.status <= 599)
 
    {
 
        return (abandon);
 
    }
 
    */
 
    ## Do not cache error pages & 404 pages
 
    if (beresp.status == 403 || beresp.status == 404 || beresp.status >= 500)
 
    {
 
        set beresp.ttl = 0s;
 
        return (deliver);
 
    }
 
    ## Called after the response headers has been successfully retrieved from the backend.
 
    ## Enable cache for all static files
 
    ## The same argument as the static caches from above: monitor your cache size, if you get data nuked out of it, consider giving up the static file cache.
 
    ## Before you blindly enable this, have a read here: https://ma.ttias.be/stop-caching-static-files/
 
    if (bereq.url ~ "^[^?]*\.(7z|avi|bmp|bz2|css|csv|doc|docx|eot|flac|flv|gif|gz|ico|jpeg|jpg|js|less|mka|mkv|mov|mp3|mp4|mpeg|mpg|odt|otf|ogg|ogm|opus|pdf|png|ppt|pptx|rar|rtf|svg|svgz|swf|tar|tbz|tgz|ttf|txt|txz|wav|webm|webp|woff|woff2|xls|xlsx|xml|xz|zip)(\?.*)?$")
 
    {
 
        unset beresp.http.set-cookie;
 
    }
 
    ## Large static files are delivered directly to the end-user without waiting for Varnish to fully read the file first.
 
    ## Varnish 4 fully supports Streaming, so use streaming here to avoid locking.
 
    if (bereq.url ~ "^[^?]*\.(7z|avi|bz2|flac|flv|gz|mka|mkv|mov|mp3|mp4|mpeg|mpg|ogg|ogm|opus|rar|tar|tgz|tbz|txz|wav|webm|xz|zip)(\?.*)?$")
 
    {
 
        unset beresp.http.set-cookie;
 
        set beresp.do_stream = true;
 
        ## Check memory usage it'll grow in fetch_chunksize blocks (128k by default)
 
        ## if the backend doesn't send a Content-Length header, so only enable it for big objects
 
    }
 
    /*
 
    ## Don't cache 50x & 403 responses
 
    ## 404 added for testing - remove before live
 
    if (beresp.status == 500 || beresp.status == 502 || beresp.status == 503 || beresp.status == 504 || beresp.status == 403)
 
    {
 
        return (abandon);
 
    }
 
    */
 
    ## Allow stale content, in case the backend goes down.
 
    ## make Varnish keep all objects for 6 hours beyond their TTL
 
    # A TTL of 2h
 
    set beresp.ttl = 24h;
 
    set beresp.grace = 24h;
 
    return (deliver);
 
}
 
## The routine when we deliver the HTTP request to the user
 
## Last chance to modify headers that are sent to the client
 
sub vcl_deliver {
 
    #turn on if you want disable login bar on wordpress.
 
    /*
 
    if (req.url !~ "admin|wp-login")
 
    {
 
        unset resp.http.set-cookie;
 
        unset resp.http.cookie;
 
    }
 
    */
 
    ## Called before a cached object is delivered to the client.
 
    if (obj.hits > 0)
 
    {
 
        ## Add debug header to see if it's a HIT/MISS and the number of hits, disable when not needed
 
        set resp.http.X-Cache = "HIT - " + obj.hits;
 
    }
 
    else
 
    {
 
        set resp.http.X-Cache = "";
 
    }
 
    ## Remove some headers: PHP version
 
    unset resp.http.X-Powered-By;
 
    ## Remove some headers: Apache version & OS
 
    unset resp.http.Server;
 
    unset resp.http.X-Drupal-Cache;
 
    unset resp.http.X-Varnish;
 
    unset resp.http.Via;
 
    unset resp.http.Link;
 
    unset resp.http.X-Generator;
 
    return (deliver);
 
}
 
sub vcl_synth {
 
    if (resp.status == 503 && req.http.sie-enabled)
 
    {
 
        unset req.http.sie-enabled;
 
        return (restart);
 
    }
 
    ## Redirector for CDN
 
    /*
 
    if (resp.status == 750)
 
    {
 
        set resp.http.Location = req.http.x-redir;
 
        set resp.status = 302;
 
        return (deliver);
 
    }
 
    if (resp.status == 760)
 
    {
 
        set resp.http.Location = req.http.x-redir;
 
        set resp.status = 302;
 
        return (deliver);
 
    }
 
    */
 
    ## The actual redirector for HTTPS
 
    if (resp.status == 850)
 
    {
 
        // Redirect to HTTPS with 301 status.
 
        set resp.status = 301;
 
        set resp.http.Location = req.http.x-redir;
 
        return(deliver);
 
    }
 
    if (resp.status == 503)
 
    {
 
        synthetic(std.fileread("/etc/varnish/error_docs/503.html"));
 
        return(deliver);
 
    }
 
    if (resp.status == 403)
 
    {
 
        synthetic(std.fileread("/etc/varnish/error_docs/403.html"));
 
        return(deliver);
 
    }
 
}
 
sub vcl_hit {
 
    if (obj.ttl < 0s && obj.ttl + obj.grace > 0s)
 
    {
 
        if (req.restarts == 0)
 
        {
 
            set req.http.sie-enabled = true;
 
            return (restart);
 
        }
 
        else
 
        {
 
            set req.http.sie-abandon = true;
 
            return (deliver);
 
        }
 
    }
 
    if (obj.ttl >= 0s)
 
    {
 
        return (deliver);
 
    }
 
    return (restart);
 
    /*
 
    if (req.method == "PURGE")
 
    {
 
        softpurge.softpurge();
 
        return (synth(200, "Successful softpurge"));
 
    }
 
    if (req.method == "BAN")
 
    {
 
        softpurge.softpurge();
 
        return (synth(200, "Successful softpurge"));
 
    }
 
    */
 
}
 
sub vcl_miss
 
{
 
    /*
 
    if (req.method == "PURGE")
 
    {
 
        softpurge.softpurge();
 
        return (synth(200, "Successful softpurge"));
 
    }
 
    if (req.method == "BAN")
 
    {
 
        softpurge.softpurge();
 
        return (synth(200, "Successful softpurge"));
 
    }
 
    */
 
}
 
# In the event of an error, show friendlier messages.
 
sub vcl_backend_error
 
{
 
    set beresp.http.Content-Type = "text/html; charset=utf-8";
 
    set beresp.http.Retry-After = "5";
 
    synthetic( {"
 
<?xml version="1.0" encoding="utf-8"?>
 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
 
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 
<html>
 
    <head>
 
        <script>error_name="503 - Backend fetch failed";event_action="503 - Backend fetch failed";event_label="503 - Backend fetch failed";event_value="503";content_displaed_on_page="503 Varnish Error !";document.title=window.location.hostname + " - " + error_name;(function(i, s, o, g, r, a, m){i['GoogleAnalyticsObject']=r;i[r]=i[r] || function(){(i[r].q=i[r].q || []).push(arguments)}, i[r].l=1 * new Date();a=s.createElement(o),m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a, m)})(window, document, 'script', '//www.google-analytics.com/analytics.js', 'ga');ga('create', 'UA-111111111111', 'auto');ga('require', 'displayfeatures');ga('require', 'linkid', 'linkid.js');ga('send', 'pageview');ga('set', 'nonInteraction', true);ga('send', 'event',{eventCategory: window.location.hostname, eventAction: event_action, eventLabel: event_label, eventValue: event_value});var dimensionValue=event_value;ga('set', 'dimension1', dimensionValue);var dimensionValue=window.location.hostname;ga('set', 'dimension2', dimensionValue);ga('send', 'exception',{'exDescription': error_name,'exFatal': true});</script>
 
        <link href='' rel='stylesheet'><style>*:before, *:after{-webkit-box-sizing: border-box;-moz-box-sizing: b   order-box;box-sizing: border-box;}body{font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif;color: #394263;font-size: 13px;background-color: #FFF;}#error-container{padding: 120px 20px;position: relative;}#error-container .error-options{position: absolute;top: 20px;left: 20px;}#error-container h1{font-size: 96px;color: #431111;margin-bottom: 40px;}#error-container h2{color: #11103D;font-size: 24px;margin-bottom: 40px;margin-top: 80px;line-height: 1.4;}#error-container form{padding: 20px;border-radius: 3px;background: #fff;background: url(../img/template/ie8_opacity_light_10.png) repeat;background: rgba(255, 255, 255, .1);}#error-container .form-control{border-color: #fff;}.clearfix:before, .clearfix:after, .container:before, .container:after, .container-fluid:before, .container-fluid:after, .row:before, .row:after, .form-horizontal .form-group:before, .form-horizontal .form-group:after, .btn-toolbar:before, .btn-toolbar:after, .btn-group-vertical>.btn-group:before, .btn-group-vertical>.btn-group:after, .nav:before, .nav:after, .navbar:before, .navbar:after, .navbar-header:before, .navbar-header:after, .navbar-collapse:before, .navbar-collapse:after, .pager:before, .pager:after, .panel-body:before, .panel-body:after, .modal-footer:before, .modal-footer:after{content: ' ';display: table;}.col-sm-offset-2{margin-left: 16.66666667%}.col-sm-8{width: 66.66666667%}@media (min-width:768px){.col-sm-1, .col-sm-2, .col-sm-3, .col-sm-4, .col-sm-5, .col-sm-6, .col-sm-7, .col-sm-8, .col-sm-9, .col-sm-10, .col-sm-11, .col-sm-12{float: left;}.col-xs-1, .col-sm-1, .col-md-1, .col-lg-1, .col-xs-2, .col-sm-2, .col-md-2, .col-lg-2, .col-xs-3, .col-sm-3, .col-md-3, .col-lg-3, .col-xs-4, .col-sm-4, .col-md-4, .col-lg-4, .col-xs-5, .col-sm-5, .col-md-5, .col-lg-5, .col-xs-6, .col-sm-6, .col-md-6, .col-lg-6, .col-xs-7, .col-sm-7, .col-md-7, .col-lg-7, .col-xs-8, .col-sm-8, .col-md-8, .col-lg-8, .col-xs-9, .col-sm-9, .col-md-9, .col-lg-9, .col-xs-10, .col-sm-10, .col-md-10, .col-lg-10, .col-xs-11, .col-sm-11, .col-md-11, .col-lg-11, .col-xs-12, .col-sm-12, .col-md-12, .col-lg-12{position: relative;min-height: 1px;padding-left: 15px;padding-right: 15px;}.text-center{text-align: center;}*{-webkit-box-sizing: border-box;-moz-box-sizing: border-box;box-sizing: border-box;}.animation-tossing{animation-name: tossing;-webkit-animation-name: tossing;animation-duration: 2.5s;-webkit-animation-duration: 2.5s;animation-iteration-count: infinite;-webkit-animation-iteration-count: infinite;}@keyframes tossing{0%{transform: rotate(-4deg);}50%{transform: rotate(4deg);}100%{transform: rotate(-4deg);}}@-webkit-keyframes tossing{0%{-webkit-transform: rotate(-4deg);}50%{-webkit-transform: rotate(4deg);}100%{-webkit-transform: rotate(-4deg);}}.h1, .h2, .h3, .h4, .h5, .h6, h1, h2, h3, h4, h5, h6{font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif;font-weight: 300;}a{//text-decoration: none;color: #2554B4;pointer: pointer;}.text-danger, .text-danger:hover, a.text-danger, a.text-danger:focus, a.text-danger:hover{color: #e74c3c;}/*@font-face{font-family: 'FontAwesome';src: url('../fonts/fontawesome-webfont.eot?v=4.1.0');src: url('../fonts/fontawesome-webfont.eot?#iefix&v=4.1.0') format('embedded-opentype'), url('../fonts/fontawesome-webfont.woff?v=4.1.0') format('woff'), url('../fonts/fontawesome-webfont.ttf?v=4.1.0') format('truetype'), url('../fonts/fontawesome-webfont.svg?v=4.1.0#fontawesomeregular') format('svg');font-weight: normal;font-style: normal;}*/.fa-gear:before, .fa-cog:before{content: '\f013'}.fa{display: inline-block;font-family: FontAwesome;font-style: normal;font-weight: normal;line-height: 1;-webkit-font-smoothing: antialiased;-moz-osx-font-smoothing: grayscale;}.fa-spin{-webkit-animation: spin 2s infinite linear;-moz-animation: spin 2s infinite linear;-o-animation: spin 2s infinite linear;animation: spin 2s infinite linear;}@-moz-keyframes spin{0%{-moz-transform: rotate(0deg);}100%{-moz-transform: rotate(359deg);}}@-webkit-keyframes spin{0%{-webkit-transform: rotate(0deg);}100%{-webkit-transform: rotate(359deg);}}@-o-keyframes spin{0%{-o-transform: rotate(0deg);}100%{-o-transform: rotate(359deg);}}@keyframes spin{0%{-webkit-transform: rotate(0deg);transform: rotate(0deg);}100%{-webkit-transform: rotate(359deg);transform: rotate(359deg);}</style></head>
 
    <body>
 
        <div id='error-container'><div class='row'><div class='col-sm-8 col-sm-offset-2 text-center'><h1 class=''><i class=''></i><script>document.write(content_displaed_on_page);</script></h1><h2 class='h3'>Don't worry, we'll be back.<br>Click <a href='javascript:document.location.reload(true);'>here</a> to reload the page</h2></div></div>
 
    </body>
 
</html>
 
<!-- Comment out default error html block
 
<html>
 
    <head>
 
        <title>"} + beresp.status + " " + beresp.reason + {"</title>
 
    </head>
 
    <body>
 
        <h1>Error "} + beresp.status + " " + beresp.reason + {"</h1>
 
        <p>"} + beresp.reason + {"</p>
 
        <h3>Guru Meditation:</h3>
 
        <p>XID: "} + bereq.xid + {"</p>
 
        <hr>
 
        <p>Varnish cache server</p>
 
    </body>
 
</html>
 
-->
 
"} );
 
    return (deliver);
 
}
 
sub vcl_fini {
 
    ## Called when VCL is discarded only after all requests have exited the VCL.
 
    ## Typically used to clean up VMODs.
 
    return (ok);
 
}

 
Now you need to specify your main server ip.

nano /etc/varnish/default.vcl

Example line

.host = "111.111.111.111";

 
Edit ports in /etc/httpd/conf/httpd.conf and all vhosts to a port different from 80

nano /etc/httpd/conf/httpd.conf

 
Make sure you add the new port in /etc/varnish/default.vcl in the backend definition.

backend default {
 
    .host = "127.0.0.1";
 
    .port = "8080";
 
}

to

# Default backend definition. Set this to point to your content server.
 
backend default {
 
    .host = "111.111.111.111"; // your server ip
 
    .port = "80";
 
}

 

nano /etc/varnish/varnish.params

You can change varnish cache from RAM to disk
find the line below

VARNISH_STORAGE="malloc,256M"

Replace it with this line

VARNISH_STORAGE="file,/var/lib/varnish/varnish_storage.bin,1G"

change 1G to space you want to allocate
create a new file in /etc/varnish/certbot.vcl

nano /etc/varnish/certbot.vcl
 
# Forward challenge-requests to acmetool, which will listen to port 402
 
# when issuing lets encrypt requests
 
backend certbot {
 
  .host = "127.0.0.1";
 
  .port = "888";
 
}
 
sub vcl_recv {
 
  if (req.url ~ "^/.well-known/acme-challenge/") {
 
    set req.backend_hint = certbot;
 
return(pass);
 
  }
 
}

 
restart varnish

service varnish restart

 
Notes for Varnish: If you add a new domain, do the following:
Find the following block, replicate and insert below existing

if ( req.http.host == "domain.com" || req.http.host == "www.domain.com")
 
{
 
if (req.method == "PURGE") {
 
           # If not allowed then a error 405 is returned
 
        if (!client.ip ~ purge) {
 
            return(synth(405, "This IP is not allowed to send PURGE requests."));
 
        }
 
        set req.http.n-gone = xkey.softpurge("10000");
 
        return(synth(200, "BAN added - Invalidated "+req.http.n-gone+" objects"));
 
    }
 
}

 
 
 
 

Share this post