Putting Varnish In Front Of Apache On Ubuntu/Debian


Varnish is an open source "web accelerator" which you can use to speed up your website.

It can cache certain static elements, such as images or javascript but you can also use it for other purposes such as Loadbalancing or some additional security.

In this tutorial we will focus on the latter one. 

In this mode, Varnish will stop incomplete HTTP requests from reaching your Apache webserver.

This tutorial is built on Ubuntu, but will probably also work on Debian.

First of all, make sure you are running Apache2 and have it configured.

Installing Varnish

This is rather easy, since it is in the Ubuntu repository. However, you might want to use the Varnish repository to make sure you have a more recent version. To add this one, execute this:

sudo curl http://repo.varnish-cache.org/debian/GPG-key.txt | apt-key add –

sudo echo "deb http://repo.varnish-cache.org/debian/ $(lsb_release -s -c) varnish-2.1" >> /etc/apt/sources.list

Update APT and install Varnish:

sudo apt-get update

sudo apt-get install varnish

Great, now you have Varnish but we still need to configure it.

Changing Varnish settings

First, we have to change the default port. Edit /etc/default/varnish:

vim /etc/default/varnish

Scroll down a bit, until you find an uncommented line starting with "DAEMON_OPTS".

– Change *:6081 to *:80 so it will listen on the default HTTP port.

– edit default.vcl to something else, I took "mysite.vcl".

Save the file.

Edit the VCL file you mentioned in the previous file. In my case, I'll be editing /etc/varnish/mysite.vcl. Paste the following contents:

## Redirect requests to Apache, running on port 8000 on localhost

backend apache {

        .host = "";

        .port = "8000";


## Fetch

sub vcl_fetch {

## Remove the X-Forwarded-For header if it exists.

        remove req.http.X-Forwarded-For;

## insert the client IP address as X-Forwarded-For. This is the normal IP address of the user.

        set    req.http.X-Forwarded-For = req.http.rlnclientipaddr;

## Added security, the "w00tw00t" attacks are pretty annoying so lets block it before it reaches our webserver

        if (req.url ~ "^/w00tw00t") {

                error 403 "Not permitted";


## Deliver the content




## Deliver

sub vcl_deliver {

## We'll be hiding some headers added by Varnish. We want to make sure people are not seeing we're using Varnish.

              ## Since we're not caching (yet), why bother telling people we use it?

        remove resp.http.X-Varnish;

        remove resp.http.Via;

        remove resp.http.Age;


## We'd like to hide the X-Powered-By headers. Nobody has to know we can run PHP and have version xyz of it.

        remove resp.http.X-Powered-By;


Save the file. All right, that was the Varnish part. Do not start it yet.

Changing Apache settings

OK, so we have to let Apache2 listen on localhost. For this, there are a few small changes required.

vim /etc/apache2/ports.conf


NameVirtualHost *:80

Listen 80


NameVirtualHost *:8000


Apache will listen on that port. You will have to edit your vhosts as well. Open your vhost(s) and replace

<VirtualHost *:80>


<VirtualHost *:8000>

So far so good. We now have to install an extra Apache module to make sure the IP address of the user ends up correct. Since Varnish is basically talking with Apache2, you would see as visitor IP.

apt-get install libapache2-mod-rpaf

The RPAF (Reverse Proxy Add Forward) module will make sure the IP of will be replaced with the IP set in X-Forwarded-For set by Varnish.

Restart daemons

Restart Apache:

/etc/init.d/apache2 restart

Check if it is bound to the correct IP/Port by executing:

netstat -lp | grep apache2

If you see:

tcp        0      0 localhost:8000          *:*                     LISTEN      4586/apache2

This is correct. Otherwise, you made a mistake. All right, so now we have to restart Varnish to let it listen on port 80.

/etc/init.d/varnish restart

We check this again by executing:

netstat -lp | grep varnish

The result will be:

tcp        0      0 *:www                   *:*                     LISTEN      4498/varnishd

tcp6       0      0 [::]:www                [::]:*                  LISTEN      4498/varnishd

(Yes, varnish also listens on any IPv6 address).

So.. Now we have placed Varnish in front of Apache2. We can test if the site still works by simply visiting it. You will see the site, just as nothing happened. You can test this further by shutting down apache. You will then see a Varnish error page.

Bonus features

Well, you might want to change the HTTP servername from "Apache" to something else. This can be done by editing your VCL file, located in /etc/varnish. After:

sub vcl_fetch {


## Remove the http.Server header

unset obj.http.Server;

## Change the http.Server header to something else

set obj.http.Server = "Incognito";

Obviously you can make it look like whatever you want. Yourdomain.com for example. Please note that all the domains on this server will use the same servername.

Well, that's all. You now have a reverse proxy in front of your Apache!

With a bit of tweaking, you can let it cache or loadbalance.

Src: http://www.howtoforge.com/putting-varnish-in-front-of-apache-on-ubuntu-debian


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.