Varnish and nginx setup

Setup

We will be using nginx as SSL offloader forwarding regular HTTP traffic to the varnish proxy on port 8080 on the same host.

Update and upgrade the server

sudo apt-get update && sudo apt-get upgrade && sudo apt-get autoremove && sudo reboot now

Install packages

sudo apt-get install nginx varnish

Configure nginx (nginx 代理)

Since nginx does the SSL offloading you need both the private key and the crt. For nginx we just have to update the default site.

/etc/nginx/sites-available/default

server {       listen   80; ## listen for ipv4; this line is default and implied    listen   [::]:80 default ipv6only=on; ## listen for ipv6         listen  443 ssl;     keepalive_timeout   70;    ssl_session_cache   shared:SSL:10m;    ssl_session_timeout 10m;    ssl_ciphers ALL:!kEDH!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;     access_log off;    error_log off;     ssl_certificate      /home/ubuntu/multidomain.crt;    ssl_certificate_key  /home/ubuntu/multidomain.key;     location / {        proxy_pass         http://127.0.0.1:8080/;        proxy_redirect     off;         proxy_set_header   Host                 $host;        proxy_set_header   X-Real-IP            $remote_addr;        proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;        proxy_set_header   X-Forwarded-Proto    $scheme;         proxy_max_temp_file_size 0;             client_max_body_size       10m;        client_body_buffer_size    128k;         proxy_connect_timeout      90;        proxy_send_timeout         90;        proxy_read_timeout         90;             proxy_buffer_size          4k;        proxy_buffers              4 32k;        proxy_busy_buffers_size    64k;        proxy_temp_file_write_size 64k;    } }

查看端口： sudo netstat -nlpt

修改apache 端口为8080   

 sudo vi /etc/apache2/sites-enabled/000-defaultsudo vi /etc/apache2/ports.conf

Configure varnish

/etc/default/varnish

START=yesNFILES=131072MEMLOCK=82000DAEMON_OPTS="-a :8080 \             -T localhost:6082 \             -f /etc/varnish/default.vcl \             -u varnish -g varnish \             -S /etc/varnish/secret \             -p thread_pool_add_delay=2 \             -p thread_pools=4 \             -p thread_pool_min=200 \             -p thread_pool_max=4000 \             -p session_linger=50 \             -p sess_workspace=262144 \             -s malloc,4096m"

/etc/varnish/default.vcl

# This is a basic VCL configuration file for varnish.  See the vcl(7)# man page for details on VCL syntax and semantics.## Default backend definition.  Set this to point to your content# server.#backend default {    .host = "127.0.0.1";    .port = "80";}  # admin backend with longer timeout values. Set this to the same IP & port as your default server.backend admin {  .host = "127.0.0.1";  .port = "80";  .first_byte_timeout = 18000s;  .between_bytes_timeout = 18000s;}  # add your Magento server IP to allow purges from the backendacl purge {  "localhost";  "127.0.0.1";}    sub vcl_recv {    if (req.restarts == 0) {        if (req.http.x-forwarded-for) {            set req.http.X-Forwarded-For =            req.http.X-Forwarded-For + ", " + client.ip;        } else {            set req.http.X-Forwarded-For = client.ip;        }    }          if (req.request != "GET" &&      req.request != "HEAD" &&      req.request != "PUT" &&      req.request != "POST" &&      req.request != "TRACE" &&      req.request != "OPTIONS" &&      req.request != "DELETE" &&      req.request != "PURGE") {        /* Non-RFC2616 or CONNECT which is weird. */        return (pipe);    }          # purge request    if (req.request == "PURGE") {        if (!client.ip ~ purge) {            error 405 "Not allowed.";        }        ban("obj.http.X-Purge-Host ~ " + req.http.X-Purge-Host + " && obj.http.X-Purge-URL ~ " + req.http.X-Purge-Regex + " && obj.http.Content-Type ~ " + req.http.X-Purge-Content-Type);        error 200 "Purged.";    }      # switch to admin backend configuration    if (req.http.cookie ~ "adminhtml=") {        set req.backend = admin;    }      # we only deal with GET and HEAD by default      if (req.request != "GET" && req.request != "HEAD") {        return (pass);    }          # normalize url in case of leading HTTP scheme and domain    set req.url = regsub(req.url, "^http[s]?://[^/]+", "");          # static files are always cacheable. remove SSL flag and cookie    if (req.url ~ "^/(media|js|skin)/.*\.(png|jpg|jpeg|gif|css|js|swf|ico)$") {        unset req.http.Https;        unset req.http.Cookie;    }      # not cacheable by default    if (req.http.Authorization || req.http.Https) {        return (pass);    }      # do not cache any page from    # - index files    # - ...    if (req.url ~ "^/(index)") {        return (pass);    }      # as soon as we have a NO_CACHE cookie pass request    if (req.http.cookie ~ "NO_CACHE=") {        return (pass);    }      # normalize Aceept-Encoding header    # http://varnish.projects.linpro.no/wiki/FAQ/Compression    if (req.http.Accept-Encoding) {        if (req.url ~ "\.(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|swf|flv)$") {            # No point in compressing these            remove req.http.Accept-Encoding;        } elsif (req.http.Accept-Encoding ~ "gzip") {            set req.http.Accept-Encoding = "gzip";        } elsif (req.http.Accept-Encoding ~ "deflate" && req.http.user-agent !~ "MSIE") {            set req.http.Accept-Encoding = "deflate";        } else {            # unkown algorithm            remove req.http.Accept-Encoding;        }    }          # remove Google gclid parameters    set req.url = regsuball(req.url,"\?gclid=[^&]+$",""); # strips when QS = "?gclid=AAA"    set req.url = regsuball(req.url,"\?gclid=[^&]+&","?"); # strips when QS = "?gclid=AAA&foo=bar"    set req.url = regsuball(req.url,"&gclid=[^&]+",""); # strips when QS = "?foo=bar&gclid=AAA" or QS = "?foo=bar&gclid=AAA&bar=baz"     return (lookup);}  sub vcl_hash {    hash_data(req.url);    if (req.http.host) {        hash_data(req.http.host);    } else {        hash_data(server.ip);    }    if (!(req.url ~ "^/(media|js|skin)/.*\.(png|jpg|jpeg|gif|css|js|swf|ico)$")) {        call design_exception;    }    return (hash);}  sub vcl_fetch {    if (beresp.status == 500) {       set beresp.saintmode = 10s;       return (restart);    }    set beresp.grace = 5m;      # add ban-lurker tags to object    set beresp.http.X-Purge-URL = req.url;    set beresp.http.X-Purge-Host = req.http.host;          if (beresp.status == 200 || beresp.status == 301 || beresp.status == 404) {        if (beresp.http.Content-Type ~ "text/html" || beresp.http.Content-Type ~ "text/xml") {            if ((beresp.http.Set-Cookie ~ "NO_CACHE=") || (beresp.ttl < 1s)) {                set beresp.ttl = 0s;                return (hit_for_pass);            }              # marker for vcl_deliver to reset Age:            set beresp.http.magicmarker = "1";                          # Don't cache cookies            unset beresp.http.set-cookie;        } else {            # set default TTL value for static content            set beresp.ttl = 4h;        }        return (deliver);    }          return (hit_for_pass);}  sub vcl_deliver {    # debug info    if (resp.http.X-Cache-Debug) {        if (obj.hits > 0) {            set resp.http.X-Cache = "HIT";            set resp.http.X-Cache-Hits = obj.hits;        } else {           set resp.http.X-Cache = "MISS";        }        set resp.http.X-Cache-Expires = resp.http.Expires;    } else {        # remove Varnish/proxy header        # remove resp.http.X-Varnish;        remove resp.http.Via;        remove resp.http.Age;        remove resp.http.X-Purge-URL;        remove resp.http.X-Purge-Host;    }          if (resp.http.magicmarker) {        # Remove the magic marker        unset resp.http.magicmarker;          set resp.http.Cache-Control = "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";        set resp.http.Pragma = "no-cache";        set resp.http.Expires = "Mon, 31 Mar 2008 10:00:00 GMT";        set resp.http.Age = "0";    }}  sub design_exception {}

remove req.http.X-Forwarded-Proto;
set req.http.X-Forwarded-Proto = "https";
set req.http.X-Forwarded-Port = "443";