Varnish is an open source "web accelerator" which you can use to speed up your website.
It can cache certain static elements, such as images or JavaScript, but you can also use it for other purposes such as load balancing or some additional security.
In this tutorial we will focus on the latter.
In this mode, Varnish will stop incomplete HTTP requests from reaching your Apache webserver.
This tutorial is built on Ubuntu, but will probably also work on Debian.
First of all, make sure you are running Apache2 and have it configured.
Installing Varnish
This is rather easy, since it is in the Ubuntu repository. However, you might want to use the Varnish repository to make sure you have a more recent version. To add this one, execute this:
curl http://repo.varnish-cache.org/debian/GPG-key.txt | sudo apt-key add -
echo "deb http://repo.varnish-cache.org/debian/ $(lsb_release -s -c) varnish-2.1" | sudo tee -a /etc/apt/sources.list
Update APT and install Varnish:
sudo apt-get update
sudo apt-get install varnish
Great, now you have Varnish but we still need to configure it.
Changing Varnish settings
First, we have to change the default port. Edit /etc/default/varnish:
vim /etc/default/varnish
Scroll down a bit, until you find an uncommented line starting with "DAEMON_OPTS".
- Change *:6081 to *:80 so it will listen on the default HTTP port.
- Change default.vcl to something else; I used "mysite.vcl".
Save the file.
Edit the VCL file you named in the previous step. In my case, I'll be editing /etc/varnish/mysite.vcl. Paste the following contents:
## Redirect requests to Apache, running on port 8000 on localhost
backend apache {
    .host = "127.0.0.1";
    .port = "8000";
}
## Receive: runs for every client request, before the backend is contacted
sub vcl_recv {
    ## Remove the X-Forwarded-For header if it exists, so a value supplied by the client is never passed on.
    remove req.http.X-Forwarded-For;
    ## Insert the client IP address as X-Forwarded-For. This is the normal IP address of the user.
    set req.http.X-Forwarded-For = client.ip;
    ## Added security, the "w00tw00t" attacks are pretty annoying so let's block them before they reach our webserver
    if (req.url ~ "^/w00tw00t") {
        error 403 "Not permitted";
    }
    ## No return here, so Varnish continues with its built-in vcl_recv logic.
}
## Fetch
sub vcl_fetch {
    ## Deliver the content
    return(deliver);
}
## Deliver
sub vcl_deliver {
    ## We'll be hiding some headers added by Varnish. We want to make sure people are not seeing we're using Varnish.
    ## Since we're not caching (yet), why bother telling people we use it?
    remove resp.http.X-Varnish;
    remove resp.http.Via;
    remove resp.http.Age;
    ## We'd like to hide the X-Powered-By headers. Nobody has to know we can run PHP and have version xyz of it.
    remove resp.http.X-Powered-By;
}
Save the file. All right, that was the Varnish part. Do not start it yet.
Changing Apache settings
OK, so we have to let Apache2 listen on localhost. For this, there are a few small changes required.
vim /etc/apache2/ports.conf
Change:
NameVirtualHost *:80
Listen 80
To:
NameVirtualHost *:8000
Listen 127.0.0.1:8000
Apache will listen on that port. You will have to edit your vhosts as well. Open your vhost(s) and replace
<VirtualHost *:80>
with
<VirtualHost *:8000>
So far so good. We now have to install an extra Apache module to make sure the IP address of the user ends up correct. Since Varnish is basically talking with Apache2, you would see 127.0.0.1 as visitor IP.
apt-get install libapache2-mod-rpaf
The RPAF (Reverse Proxy Add Forward) module makes sure that 127.0.0.1 is replaced with the IP address in the X-Forwarded-For header set by Varnish.
Restart daemons
Restart Apache:
/etc/init.d/apache2 restart
Check if it is bound to the correct IP/Port by executing:
netstat -lp | grep apache2
If you see:
tcp 0 0 localhost:8000 *:* LISTEN 4586/apache2
This is correct. Otherwise, you made a mistake. All right, so now we have to restart Varnish to let it listen on port 80.
/etc/init.d/varnish restart
We check this again by executing:
netstat -lp | grep varnish
The result will be:
tcp 0 0 *:www *:* LISTEN 4498/varnishd
tcp6 0 0 [::]:www [::]:* LISTEN 4498/varnishd
(Yes, varnish also listens on any IPv6 address).
So now we have placed Varnish in front of Apache2. We can test if the site still works by simply visiting it. You will see the site, just as if nothing happened. You can test this further by shutting down Apache. You will then see a Varnish error page.
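Visiting the site does not show whether vcl_deliver is really stripping the headers. The following script is an added example, not part of the original tutorial: it audits a block of response headers for X-Varnish, Via, Age and X-Powered-By. The function names and the two sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit HTTP response headers for
# the ones vcl_deliver is supposed to strip.
# Live use (assumes curl is installed): curl -sI http://localhost/ | audit

# Headers removed in vcl_deliver, lower-cased for matching.
STRIPPED="x-varnish via age x-powered-by"

# Print, one per line, each stripped header that is present on stdin.
leaked_headers() {
    # Drop CR from CRLF endings, keep the name of every "Name: value"
    # line (the status line has no match), lower-case for comparison.
    names=$(tr -d '\r' | sed -n 's/^\([A-Za-z0-9-]*\):.*/\1/p' |
            tr '[:upper:]' '[:lower:]')
    for h in $STRIPPED; do
        if printf '%s\n' "$names" | grep -qx -- "$h"; then
            printf '%s\n' "$h"
        fi
    done
}

# Return 0 when nothing leaks, 1 (with a report on stderr) otherwise.
audit() {
    leaks=$(leaked_headers)
    [ -z "$leaks" ] && return 0
    printf 'leaked: %s\n' $leaks >&2
    return 1
}

# Constructed sample: response through the tutorial's VCL.
SAMPLE_TUTORIAL=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n')
# Constructed sample: same site with the vcl_deliver block missing.
SAMPLE_UNSTRIPPED=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP/5.x\r\nX-Varnish: 1234\r\nAge: 0\r\nVia: 1.1 varnish\r\n')

for sample in "$SAMPLE_TUTORIAL" "$SAMPLE_UNSTRIPPED"; do
    if printf '%s\n' "$sample" | audit; then
        echo "clean"
    else
        echo "vcl_deliver is not stripping everything"
    fi
done
```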
Bonus features
Well, you might want to change the HTTP servername from "Apache" to something else. This can be done by editing your VCL file, located in /etc/varnish. After:
sub vcl_fetch {
Add:
## In Varnish 2.1 the backend response is called beresp inside vcl_fetch (it was obj in 2.0)
## Remove the http.Server header
unset beresp.http.Server;
## Change the http.Server header to something else
set beresp.http.Server = "Incognito";
Obviously you can make it look like whatever you want. Yourdomain.com for example. Please note that all the domains on this server will use the same servername.
Well, that's all. You now have a reverse proxy in front of your Apache!
With a bit of tweaking, you can let it cache or loadbalance.
Src: http://www.howtoforge.com/putting-varnish-in-front-of-apache-on-ubuntu-debian