Putting Varnish In Front Of Apache On Ubuntu/Debian

Rumi, March 22, 2012

Varnish is an open source "web accelerator" which you can use to speed up your website. It can cache static elements such as images or JavaScript, but you can also use it for other purposes such as load balancing or some additional security. This tutorial focuses on the latter. In this mode, Varnish stops incomplete HTTP requests from reaching your Apache webserver.

This tutorial is built on Ubuntu, but will probably also work on Debian. First of all, make sure you are running Apache2 and have it configured.

Installing Varnish

This is rather easy, since it is in the Ubuntu repository. However, you might want to use the Varnish repository to make sure you have a more recent version. To add it, execute this:

```sh
# apt-key needs root, curl does not
curl http://repo.varnish-cache.org/debian/GPG-key.txt | sudo apt-key add -
# sudo does not apply to a shell redirect (">>"), so append through tee instead
echo "deb http://repo.varnish-cache.org/debian/ $(lsb_release -s -c) varnish-2.1" | sudo tee -a /etc/apt/sources.list
```

Update APT and install Varnish:

```sh
sudo apt-get update
sudo apt-get install varnish
```

Great, now you have Varnish, but we still need to configure it.

Changing Varnish settings

First, we have to change the default port. Edit /etc/default/varnish:

```sh
vim /etc/default/varnish
```

Scroll down a bit, until you find an uncommented line starting with "DAEMON_OPTS".

- Change *:6081 to *:80 so it will listen on the default HTTP port.
- Change default.vcl to something else; I took "mysite.vcl".

Save the file.

Now edit the VCL file you named in /etc/default/varnish. In my case, I'll be editing /etc/varnish/mysite.vcl. Paste the following contents:

```vcl
## Forward requests to Apache, running on port 8000 on localhost
backend apache {
    .host = "127.0.0.1";
    .port = "8000";
}

## Receive: runs before the request is sent to the backend, so this is where
## request headers must be set and unwanted requests rejected.
sub vcl_recv {
    ## Replace any client-supplied X-Forwarded-For with the real client IP
    ## (client.ip is the connecting address as seen by Varnish).
    remove req.http.X-Forwarded-For;
    set req.http.X-Forwarded-For = client.ip;

    ## Added security: the "w00tw00t" scanner requests are pretty annoying,
    ## so let's block them before they reach our webserver.
    if (req.url ~ "^/w00tw00t") {
        error 403 "Not permitted";
    }
}

## Fetch
sub vcl_fetch {
    ## Deliver the content
    return(deliver);
}

## Deliver
sub vcl_deliver {
    ## Hide the headers added by Varnish. We want to make sure people do not see we're using Varnish.
    ## Since we're not caching (yet), why bother telling people we use it?
    remove resp.http.X-Varnish;
    remove resp.http.Via;
    remove resp.http.Age;
    ## Hide the X-Powered-By header. Nobody has to know we run PHP, let alone which version.
    remove resp.http.X-Powered-By;
}
```

Save the file. All right, that was the Varnish part. Do not start it yet.

Changing Apache settings

OK, so we have to let Apache2 listen on localhost. For this, there are a few small changes required.

```sh
vim /etc/apache2/ports.conf
```

Change:

```apache
NameVirtualHost *:80
Listen 80
```

To:

```apache
NameVirtualHost *:8000
Listen 127.0.0.1:8000
```

Apache will now listen on that port. You will have to edit your vhosts as well. Open your vhost(s) and replace <VirtualHost *:80> with <VirtualHost *:8000>.

So far so good. We now have to install an extra Apache module to make sure the IP address of the user ends up correct. Since it is Varnish that talks to Apache2, you would otherwise see 127.0.0.1 as the visitor IP.

```sh
apt-get install libapache2-mod-rpaf
```

The RPAF (Reverse Proxy Add Forward) module will make sure that 127.0.0.1 is replaced with the IP in the X-Forwarded-For header set by Varnish. The module only honours that header from proxies listed in RPAFproxy_ips in /etc/apache2/mods-available/rpaf.conf; the default entry, 127.0.0.1, matches this setup.

Restart daemons

Restart Apache:

```sh
/etc/init.d/apache2 restart
```

Check if it is bound to the correct IP/port by executing:

```sh
netstat -lp | grep apache2
```

If you see:

```
tcp 0 0 localhost:8000 *:* LISTEN 4586/apache2
```

this is correct. Otherwise, you made a mistake.

All right, so now we have to restart Varnish to let it listen on port 80.

```sh
/etc/init.d/varnish restart
```

We check this again by executing:

```sh
netstat -lp | grep varnish
```

The result will be:

```
tcp 0 0 *:www *:* LISTEN 4498/varnishd
tcp6 0 0 [::]:www [::]:* LISTEN 4498/varnishd
```

(Yes, Varnish also listens on any IPv6 address.)

So, now we have placed Varnish in front of Apache2. We can test if the site still works by simply visiting it. You will see the site, just as if nothing happened. You can test this further by shutting down Apache: you will then see a Varnish error page.

Bonus features

Well, you might want to change the HTTP Server name from "Apache" to something else. This can be done by editing your VCL file, located in /etc/varnish.

After:

```vcl
sub vcl_fetch {
```

Add:

```vcl
    ## Remove the http.Server header (in Varnish 2.1 the backend response is
    ## called beresp inside vcl_fetch; obj was the 2.0 name)
    unset beresp.http.Server;
    ## Change the http.Server header to something else
    set beresp.http.Server = "Incognito";
```

Obviously you can make it look like whatever you want, Yourdomain.com for example. Please note that all the domains on this server will use the same Server name.

Well, that's all. You now have a reverse proxy in front of your Apache! With a bit of tweaking, you can let it cache or load balance.

Src: http://www.howtoforge.com/putting-varnish-in-front-of-apache-on-ubuntu-debian
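A post-deployment check that ties the restart, netstat and header-hiding steps above together. This is an added example, not part of the original tutorial; it assumes the tutorial's layout (Varnish on port 80, Apache bound to 127.0.0.1:8000) and the netstat output format shown above.

```shell
#!/bin/sh
# Verifies the Varnish-in-front-of-Apache setup (added example, not the tutorial's code).

# Headers vcl_deliver is supposed to strip, compared case-insensitively.
LEAK_HEADERS="x-varnish via age x-powered-by"

# check_headers: reads raw HTTP response headers on stdin, prints every header
# that still reveals the backend, returns 0 when clean and 1 when anything leaked.
check_headers() {
    leaked=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        name=$(printf '%s' "${line%%:*}" | tr '[:upper:]' '[:lower:]')
        for h in $LEAK_HEADERS; do
            [ "$name" = "$h" ] && { echo "leak: $line"; leaked=1; }
        done
        # A Server banner still naming Apache means the bonus step was skipped.
        case "$name:$line" in
            server:*Apache*) echo "leak: $line"; leaked=1 ;;
        esac
    done
    return "$leaked"
}

# listener_ok: takes one "netstat -lp" line and a role (apache|varnish); returns 0
# only when that process is bound where the tutorial expects it.
listener_ok() {
    case "$2" in
        apache)  case "$1" in *"localhost:8000 "*apache2*|*"127.0.0.1:8000 "*apache2*) return 0 ;; esac ;;
        varnish) case "$1" in *":www "*varnishd*|*":80 "*varnishd*) return 0 ;; esac ;;
    esac
    return 1
}

# live_check: runs the checks against the running stack (needs curl and netstat).
live_check() {
    # Every apache2 listener must be on localhost:8000, never on a public address.
    netstat -lp 2>/dev/null | grep apache2 | while IFS= read -r l; do
        listener_ok "$l" apache || { echo "apache exposed: $l"; exit 1; }
    done || return 1
    netstat -lp 2>/dev/null | grep varnishd | head -n 1 | while IFS= read -r l; do
        listener_ok "$l" varnish || { echo "varnish not on port 80: $l"; exit 1; }
    done || return 1
    curl -sI http://localhost/ | check_headers || return 1
    # The w00tw00t rule must be answered with 403 by Varnish itself.
    [ "$(curl -s -o /dev/null -w '%{http_code}' http://localhost/w00tw00t)" = 403 ]
}
```

Run it with `. ./check.sh && live_check` on the server after both daemons have been restarted; a non-zero exit means one of the steps above was missed.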