Jon Kristian

Mixing Business with Pleasure since 1999

Varnish on virtualmin with apache proxy for ssl

This guide is written for Debian Jessie but should work with other distros as well. For older distros still using SysV init, check the Virtualmin documentation for Varnish.

Varnish is an HTTP accelerator designed for content-heavy dynamic web sites as well as heavily consumed APIs. Unfortunately Varnish doesn’t support SSL directly, but there is sound reasoning behind this. Fortunately there are several remedies, such as hitch, nginx and even Apache. Since Apache is standard with Virtualmin and we don’t want to complicate our neat little server more than necessary, we’re going to configure Apache SSL termination.

So let’s get going and install varnish: apt-get install varnish

Once installed copy the varnish systemd file:
cp /lib/systemd/system/varnish.service /etc/systemd/system/
… or you could issue systemctl enable varnish which should do the same as above.

Then open the service file and replace the ExecStart line with this line:
ExecStart=/usr/sbin/varnishd -a :80 -T localhost:6082 -f /etc/varnish/default.vcl -S /etc/varnish/secret -s malloc,256m

Now edit /etc/varnish/default.vcl, and set the following host and port:

backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

Apache needs to listen on 8080 instead of 80, so edit /etc/apache2/ports.conf and replace port 80 with 8080. For any existing virtual servers you need to change New HTTP port from 80 to 8080 in Server Configuration -> Change IP Address.

If you want this to be applied automatically for all new virtual servers you should modify System Settings -> Server Templates -> Default Settings -> Apache Website -> Port number for virtual hosts.

Now for SSL to work we need to tell Apache to proxy all incoming requests on :443 back to Varnish for processing. For this to work some extra headers need to be sent back, and by default in Virtualmin the Apache headers module is not enabled, so we need to activate it here: Webmin -> Servers -> Apache webserver -> Global configuration -> Configure Apache Modules.

Once the headers module is active we need to edit the directives on the site in question. Visit Services -> Configure website for SSL -> Edit Directives, scroll down to the bottom and add the following code:

ProxyPreserveHost On
ProxyPass / http://127.0.0.1:80/
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Proto "https"

Once again, if you want this to be default for all new virtual servers you need to modify System Settings -> Server Templates -> Default Settings -> Apache Website -> Directives and settings for new websites with the code above.

For logging to /var/log/varnish/* you could start varnishlog service with: systemctl enable varnishlog or you could use the following command straight in your terminal: varnishlog.

Once everything is configured you are ready to restart apache and varnish:
service apache2 restart
service varnish restart

While caching is really neat, we need a way to let varnish know if it should serve the cache or pass the request straight to apache, in other words it needs to know when your website content is modified. I use WordPress and Laravel mostly and for them to play nice with varnish I installed:

  • https://wordpress.org/plugins/varnish-http-purge/
  • https://github.com/spatie/laravel-varnish
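With the setup above, every HTTPS request reaches Varnish from 127.0.0.1 (via Apache), while port 80 is open to everyone, so a purge rule and the X-Forwarded-* headers need a little care. The following /etc/varnish/default.vcl is an added example, not the author's or either plugin's own configuration; it assumes VCL 4.0, a hypothetical ACL name purge_local, and that purge requests are sent directly to Varnish on 127.0.0.1:80 rather than through the SSL site.

```vcl
vcl 4.0;

backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

# Hypothetical ACL name. Only the server itself is trusted.
acl purge_local {
    "127.0.0.1";
    "::1";
}

sub vcl_recv {
    # Requests proxied by the Apache SSL site arrive from 127.0.0.1 and carry
    # the X-Forwarded-* values Apache set. A client connecting to :80 directly
    # could send these headers itself, so drop them for everyone else.
    if (!(client.ip ~ purge_local)) {
        unset req.http.X-Forwarded-Proto;
        unset req.http.X-Forwarded-Port;
    }

    if (req.method == "PURGE") {
        # The ACL alone is not enough: a PURGE sent over HTTPS is relayed by
        # Apache and also appears to come from 127.0.0.1. Apache always sets
        # X-Forwarded-Proto on that path, so refuse the purge when it is present.
        if (!(client.ip ~ purge_local) || req.http.X-Forwarded-Proto) {
            return (synth(405, "Not allowed"));
        }
        return (purge);
    }
}

sub vcl_hash {
    # Keep separate cache objects for http and https, so a response generated
    # for one scheme (for example a redirect to https) is not served to the other.
    if (req.http.X-Forwarded-Proto) {
        hash_data(req.http.X-Forwarded-Proto);
    }
    # No return here: the built-in vcl_hash still adds the URL and Host.
}
```

If your purge client sends its PURGE to the https:// address of the site instead, this rule will reject it; point the client at 127.0.0.1:80 rather than loosening the check.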

Some resources used in this guide:

If you have any suggestions to this guide, please don’t hesitate to leave a comment.


© 2017 Jon Kristian.