Skip to end of metadata
Go to start of metadata

Getting going - simplest possible setup

part1_basic.cfm

<CFHEADER NAME="Cache-Control" VALUE="s-maxage=600">

<cfoutput>
<html>
	<body>
		<strong>Generated by server:</strong> #dateformat(now(),'ddd, mmm d yyyy')# #timeformat(now(),'HH:mm:ss')#<br>
		<strong>Loaded by browser:</strong> <script type="text/javascript">document.write(new Date());</script>
	</body>
</html>
</cfoutput>
  • The default varnish installation serves cached content from port 6081 proxied from 127.0.0.1:80.
  • that is important - the default varnish config is appended to yours
  • Cookies (i.e. sessions) should be disabled, as by default varnish will invalidate caches if cookies are present.
  • Setting browser cache separate to varnish cache - you can control varnish cache but not client

Static assets

/etc/varnish/default.vcl

sub vcl_recv {
    if (req.url ~ "\.(jpg|jpeg|gif|png|ico|css|zip|pdf|txt|tar|wav|bmp|rtf|js|flv|swf|html|htm)$") {
        unset req.http.Accept-Encoding;
        // Remove user agent
        if (req.http.User-Agent) {
            set req.http.User-Agent = "";
        }
        unset req.http.Cookie;
        return(lookup);
    }
}

virtual.conf

<VirtualHost *:80>
    ...
    
    # Set up caching on media files for 1 year (forever?)
    <FilesMatch "\.(jpg|jpeg|gif|png|ico|css|zip|pdf|txt|tar|wav|bmp|rtf|js|flv|swf|html|htm)$">
        ExpiresDefault A29030400
        Header append Cache-Control "public"
    </FilesMatch>
</VirtualHost>

Tips

  • Leave the default backend (127.0.0.1) in place.
  • ~ is a regex operator for strings
  • set and unset update and remove a property
  • req.http properties are request headers
  • this configuration leaves control of cache timeouts with Apache, but you can force a cache timeout in varnish with a line like "set beresp.ttl = 48h;"
  • return(lookup) returns control to varnish, requesting a cache lookup if possible
  • if there is not return in your config, the default varnish config is executed

Flush Varnish cache from backend

/etc/varnish/default.vcl

// IPs/domains that can access the purge url
acl purge {
    "localhost";
    "117.53.174.178";
    "117.53.174.179";
    "203.26.11.39";
}

sub vcl_recv {
    // Purge everything url - this isn't the squid way, but works
    if (req.url ~ "^/varnishpurge") {
       if (!client.ip ~ purge) {
                error 405 "Not allowed.";
       }
       if (req.url == "/varnishpurge") {
           ban("req.http.host == " + req.http.host + " && req.url ~ ^/");
           error 841 "Purged site.";
       }
       else {
           ban("req.http.host == " + req.http.host + " && req.url ~ ^" + regsub( req.url, "^/varnishpurge(.*)$", "\1" ) + "$" );
           error 842 "Purged page.";
       }
    }
}
  • it's a good idea to use an ACL to restrict access to the sensitive functionality like flushing
  • notice that for ACLs, the ~ operator is an 'in' check
  • this acl sets up a URL that will trigger a flush '/varnishpurge'
  • /varnishpurge by itself purges every page on the domain
  • /varnishpurge/url/you/want/to/purge purges /url/you/want/to/purge
  • 'ban' is for varnish 3 what 'purge' was for 2
  • in 3 you can do "string" + myvar, in 2 it was just "string" myvar (implicit concatenation)
  • notice the custom error numbers
  • bans are stored in memory, and every page request is checked against every ban - there are performance implications

Invalidate cache from client side

By IP

/etc/varnish/default.vcl

// IPs/domains that bypass cache
acl bypass {
    "1.2.3.4";
}

sub vcl_recv {
    if (client.ip ~ bypass) {
        return(pass);
    }
}

return(pass) passes the request to the backend

By Cookie

/etc/varnish/default.vcl

sub vcl_recv {
    if (req.http.Cookie ~ "LOGGED-IN=1") {
        return(pass)
    }
}

bypasses cache if there is a LOGGED-IN cookie with value 1

By Header

/etc/varnish/default.vcl

sub vcl_recv {
    if (req.http.X-Requested-With == "XMLHttpRequest") {
        return(pass)
    }
}

ajax requests bypass cache

Caching strategies; you can set, and flush now for real world scenarios

Bomb proof static delivery: fullasagoog.com

/etc/varnish/default.vcl

sub vcl_recv {
    set req.grace = 300s;
}

sub vcl_fetch {
    if (beresp.status == 500) {
       set beresp.saintmode = 20s;
       if (req.request != "POST") {
           return(restart);
       } else {
           error 500 "Failed";
       }
    }
    set beresp.grace = 300s;
    set beresp.ttl = 5s;
}

 

  • req.grace defines how old a cache can be if there is a backend problem
  • beresp.saintmode flags the current page on the current back end as "bad"
  • return(restart) loops varnish around to retry the request - if there is no "good" backend for the page, the grace will kick in
  • POST information can't really be restarted
  • beresp.grace is effectively the maximum grace the request can have
  • beresp.ttl is the cache timeout - setting it overrides the value in the Cache-Control header

 

Members vs The great unwashed: adnews

  • flat proxy for anonymous users
  • live site for logged in users; show VCL looking for loggedin cookies

/etc/varnish/default.vcl

sub vcl_hash { 
    ### these 2 entries are the default ones used for vcl. Below we add our own.
    set req.hash += req.http.host;
    set req.hash += req.url;

    set req.http.X-Varnish-Hashed-By = req.http.host req.url;
    
    if (req.http.Cookie ~ "LOGGED-IN=1") {
       set req.hash += regsub( req.http.Cookie, "^.*?LOGGED-IN=1" );
       set req.http.X-Varnish-Hashed-By = req.http.X-Varnish-Hashed-By regsub( req.http.Cookie, "^.*?LOGGED-IN=1" );
    }
    
    return(hash);
}
sub vcl_recv {
    // Let any non "GET" / "HEAD" right through
    if (req.request != "GET" && req.request != "HEAD"){
        return(pass);
    }
    
    // strip cookies for static files
    if (req.url ~ "\.(jpg|jpeg|gif|png|ico|css|zip|pdf|txt|tar|wav|bmp|rtf|js|flv|swf|html|htm)$") {
        unset req.http.Accept-Encoding;
        // Remove user agent
        if (req.http.User-Agent) {
            set req.http.User-Agent = "";
        }
        unset req.http.Cookie;
        return(lookup);
    }
    
    // strip cookies for everything except specific pages
    if ( !(req.url ~ "Login" || req.url ~ "login" || req.url ~ "logout") ) { 
        // Clean up accept encoding values
        # Handle compression correctly. Varnish treats headers literally, not
        # semantically. So it is very well possible that there are cache misses
        # because the headers sent by different browsers aren't the same.
        # @see: http://varnish.projects.linpro.no/wiki/FAQ/Compression
        if (req.http.Accept-Encoding) {
            if (req.http.Accept-Encoding ~ "gzip") {
       	        # if the browser supports it, we'll use gzip
       		set req.http.Accept-Encoding = "gzip";
            } elsif (req.http.Accept-Encoding ~ "deflate") {
                # next, try deflate if it is supported
                set req.http.Accept-Encoding = "deflate";
            } else {
                # unknown algorithm. Probably junk, remove it
                unset req.http.Accept-Encoding;
            }
        }
    
        // Remove user agent
        if (req.http.User-Agent) {
            set req.http.User-Agent = "";
        }
	
        // If the user is logged in, let session cookies through (Note: these values should not be getting included in the cache hash)
        if (req.http.Cookie ~ "FC-LOGGED-IN=1") {
    	   set req.http.Cookie = ";" req.http.Cookie;
    	   set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
	   set req.http.Cookie = regsuball(req.http.Cookie, ";(CFID|CFTOKEN|JSESSIONID|FC-LOGGED-IN|FC-ROLES)=", "; \1=");
	   set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
	   set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
	   
	   if (req.http.Cookie == "") {
	       unset req.http.Cookie;
	   }
	}
	
	return(lookup);
    }
    else {
        return(pass);
    }
}
sub vcl_fetch {
    // strip cookies for static files
    if (req.url ~ "\.(jpg|jpeg|gif|png|ico|css|zip|pdf|txt|tar|wav|bmp|rtf|js|flv|swf|html|htm)$") {
       unset beresp.http.set-cookie;
       return(deliver);
    }
    
    // strip cookies for everything except specific pages
    if ( req.url ~ "Login" || req.url ~ "login" || req.url ~ "logout" ) {
        set beresp.http.X-Cacheable = "NO:Login or logout page";
        return(pass);
    }
    else {
    	unset beresp.http.set-cookie;
    }
    
    // varnish determined the object was not cacheable
    if (!beresp.cacheable){
       set beresp.http.X-Cacheable = "NO:Not Cacheable";
    }
    elsif (beresp.http.Cache-Control ~ "private"){
       set beresp.http.X-Cacheable = "NO:Cache-Control=private";
       return(pass);
    }
    else {
	// Keep stale content for a little while, to serve while varnish gets a fresh copy
	set beresp.grace = 15s;
	
        set beresp.http.X-Cacheable = "YES";
    }
    return(deliver);
}

User interactivity: adnews

  • form posts are not proxied (only GET); comment forms; show VCL ignoring POST requests

/etc/varnish/default.vcl

sub vcl_hash { 
    ### these 2 entries are the default ones used for vcl. Below we add our own.
    set req.hash += req.http.host;
    set req.hash += req.url;

    set req.http.X-Varnish-Hashed-By = req.http.host req.url;
    
    if (req.http.Cookie ~ "LOGGED-IN=1") {
       set req.hash += regsub( req.http.Cookie, "^.*?LOGGED-IN=1" );
       set req.http.X-Varnish-Hashed-By = req.http.X-Varnish-Hashed-By regsub( req.http.Cookie, "^.*?LOGGED-IN=1" );
    }
    
    return(hash);
}
sub vcl_recv {
    // Let any non "GET" / "HEAD" right through
    if (req.request != "GET" && req.request != "HEAD"){
        return(pass);
    }
    
    // strip cookies for static files
    if (req.url ~ "\.(jpg|jpeg|gif|png|ico|css|zip|pdf|txt|tar|wav|bmp|rtf|js|flv|swf|html|htm)$") {
        unset req.http.Accept-Encoding;
        // Remove user agent
        if (req.http.User-Agent) {
            set req.http.User-Agent = "";
        }
        unset req.http.Cookie;
        return(lookup);
    }
    
    // strip cookies for everything except specific pages
    if ( !(req.url ~ "Login" || req.url ~ "login" || req.url ~ "logout") ) { 
        // Clean up accept encoding values
        # Handle compression correctly. Varnish treats headers literally, not
        # semantically. So it is very well possible that there are cache misses
        # because the headers sent by different browsers aren't the same.
        # @see: http://varnish.projects.linpro.no/wiki/FAQ/Compression
        if (req.http.Accept-Encoding) {
            if (req.http.Accept-Encoding ~ "gzip") {
       	        # if the browser supports it, we'll use gzip
       		set req.http.Accept-Encoding = "gzip";
            } elsif (req.http.Accept-Encoding ~ "deflate") {
                # next, try deflate if it is supported
                set req.http.Accept-Encoding = "deflate";
            } else {
                # unknown algorithm. Probably junk, remove it
                unset req.http.Accept-Encoding;
            }
        }
    
        // Remove user agent
        if (req.http.User-Agent) {
            set req.http.User-Agent = "";
        }
	
        // If the user is logged in, let session cookies through (Note: these values should not be getting included in the cache hash)
        if (req.http.Cookie ~ "FC-LOGGED-IN=1") {
    	   set req.http.Cookie = ";" req.http.Cookie;
    	   set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
	   set req.http.Cookie = regsuball(req.http.Cookie, ";(CFID|CFTOKEN|JSESSIONID|FC-LOGGED-IN)=", "; \1=");
	   set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
	   set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
	   
	   if (req.http.Cookie == "") {
	       unset req.http.Cookie;
	   }
	}
	
	return(lookup);
    }
    else {
        return(pass);
    }
}
sub vcl_fetch {
    // strip cookies for static files
    if (req.url ~ "\.(jpg|jpeg|gif|png|ico|css|zip|pdf|txt|tar|wav|bmp|rtf|js|flv|swf|html|htm)$") {
       unset beresp.http.set-cookie;
       return(deliver);
    }
    
    // Let any non "GET" / "HEAD" right through
    if (req.request != "GET" && req.request != "HEAD"){
        set beresp.http.X-Cacheable = "NO:Not GET or HEAD";
        return(pass);
    }
    // strip cookies for everything except specific pages
    elsif ( req.url ~ "Login" || req.url ~ "login" || req.url ~ "logout" ) {
        set beresp.http.X-Cacheable = "NO:Login or logout page";
        return(pass);
    }
    else {
    	unset beresp.http.set-cookie;
    }
    
    // varnish determined the object was not cacheable
    if (!beresp.cacheable){
       set beresp.http.X-Cacheable = "NO:Not Cacheable";
    }
    elsif (beresp.http.Cache-Control ~ "private"){
       set beresp.http.X-Cacheable = "NO:Cache-Control=private";
       return(pass);
    }
    else {
	// Keep stale content for a little while, to serve while varnish gets a fresh copy
	set beresp.grace = 15s;
	
        set beresp.http.X-Cacheable = "YES";
    }
    return(deliver);
}

 

We use the following strategy to have user specific content on a site:
  • unset all cookies for every page, with the following exceptions
  • all logging in / out are done on specific URLs that don't have cookies reset, and aren't cached
  • users and content should be segmented into groups - the relevant groups can be set into a cookie on login, which can be used to cache pages
  • personal content (e.g. "Welcome Bob!") can be AJAXed in, allowing the main content to be cached, and the personal content not

 

Personalized pods: adnews, newspaper works

  • Ajax personalized content after proxied page; show VCL ignoring Ajax requests
 
sub vcl_recv {
    
    // strip cookies for static files
    if (req.url ~ "^/favicon" || req.url ~ "^/cache" || req.url ~ "^/css" || req.url ~ "^/js" || req.url ~ "^/wsimages" || req.url ~ "^/base" || req.url ~ "^/webtop/cffp" || req.url ~ "^/webtop/icons"){
    //if (req.url ~ "\.(jpg|jpeg|gif|png|ico|css|zip|pdf|txt|tar|wav|bmp|rtf|js|flv|swf|html|htm)$") {
        unset req.http.Accept-Encoding;
        // Remove user agent
        if (req.http.User-Agent) {
            set req.http.User-Agent = "";
        }
        unset req.http.Cookie;
        return(lookup);
    }
    
    // strip cookies for everything except specific pages
    if ( !(req.url ~ "profile" || req.url ~ "Login" || req.url ~ "login" || req.url ~ "logout") ) { 
        // Clean up accept encoding values
        # Handle compression correctly. Varnish treats headers literally, not
        # semantically. So it is very well possible that there are cache misses
        # because the headers sent by different browsers aren't the same.
        # @see: http://varnish.projects.linpro.no/wiki/FAQ/Compression
        if (req.http.Accept-Encoding) {
            if (req.http.Accept-Encoding ~ "gzip") {
       	        # if the browser supports it, we'll use gzip
       		set req.http.Accept-Encoding = "gzip";
            } elsif (req.http.Accept-Encoding ~ "deflate") {
                # next, try deflate if it is supported
                set req.http.Accept-Encoding = "deflate";
            } else {
                # unknown algorithm. Probably junk, remove it
                unset req.http.Accept-Encoding;
            }
        }
    
        // Remove user agent
        if (req.http.User-Agent) {
            set req.http.User-Agent = "";
        }
	
	return(lookup);
    }
    else {
        return(pass);
    }
}
sub vcl_fetch {
    // strip cookies for static files
    if (req.url ~ "^/favicon" || req.url ~ "^/cache" || req.url ~ "^/css" || req.url ~ "^/js" || req.url ~ "^/wsimages" || req.url ~ "^/base" || req.url ~ "^/webtop/cffp" || req.url ~ "^/webtop/icons"){
    //if (req.url ~ "\.(jpg|jpeg|gif|png|ico|css|zip|pdf|txt|tar|wav|bmp|rtf|js|flv|swf|html|htm)$") {
       unset beresp.http.set-cookie;
       return(deliver);
    }
    
    // Let any non "GET" / "HEAD" right through
    if (req.request != "GET" && req.request != "HEAD"){
        set beresp.http.X-Cacheable = "NO:Not GET or HEAD";
        return(pass);
    }
    // strip cookies for everything except specific pages
    elsif ( req.url ~ "profile" || req.url ~ "Login" || req.url ~ "login" || req.url ~ "logout" ) {
        set beresp.http.X-Cacheable = "NO:Login or logout page";
        return(pass);
    }
    else {
    	unset beresp.http.set-cookie;
    }
    
    // varnish determined the object was not cacheable
    if (!beresp.cacheable){
       set beresp.http.X-Cacheable = "NO:Not Cacheable";
    }
    elsif (beresp.http.Cache-Control ~ "private"){
       set beresp.http.X-Cacheable = "NO:Cache-Control=private";
       return(pass);
    }
    else {
	// Keep stale content for a little while, to serve while varnish gets a fresh copy
	set beresp.grace = 15s;
	
        set beresp.http.X-Cacheable = "YES";
    }
    return(deliver);
}

Tips

Normalising user agent and compression headers

Varnish can include the user-agent and accept-encoding headers in cache hash, so normalising them is a good idea:

/etc/varnish/default.vcl

sub vcl_recv {
    if (req.http.Accept-Encoding) {
        if (req.http.Accept-Encoding ~ "gzip") {
       	    # if the browser supports it, we'll use gzip
            set req.http.Accept-Encoding = "gzip";
        } elsif (req.http.Accept-Encoding ~ "deflate") {
            # next, try deflate if it is supported
            set req.http.Accept-Encoding = "deflate";
        } else {
            # unknown algorithm. Probably junk, remove it
            unset req.http.Accept-Encoding;
        }
    }

    // Remove user agent
    if (req.http.User-Agent) {
        set req.http.User-Agent = "";
    }
}

If your website serves different HTML to mobile users, you might use code like this:

if (req.http.User-Agent ~ "iP(hone|od)" || req.http.User-Agent ~ "Android" || req.http.User-Agent ~ "Symbian" || req.http.User-Agent ~ "^BlackBerry" || req.http.User-Agent ~ "^SonyEricsson" || req.http.User-Agent ~ "^Nokia" || req.http.User-Agent ~ "^SAMSUNG" || req.http.User-Agent ~ "^LG" || req.http.User-Agent ~ " webOS") {
    set req.http.User-Agent = "mobile";
}
else {
    set req.http.User-Agent = "desktop";
}

Custom cache hash

This VCL adds a cookie value (ROLES) to the cache key. req.http.X-Varnish-Hashed-By is helpful for debugging, as you can inspect the request header to find out what the cache key is.

/etc/varnish/default.vcl

sub vcl_hash {
    ### these 2 entries are the default ones used for vcl. Below we add our own.
    set req.hash += req.http.host;
    set req.hash += req.url;
    
    set req.http.X-Varnish-Hashed-By = req.http.host req.url;
    
    if (req.http.Cookie ~ "ROLES=1") {
       set req.hash += regsub( req.http.Cookie, "^.*?ROLES=([^;]*);*.*$", "\1" );
       set req.http.X-Varnish-Hashed-By = req.http.X-Varnish-Hashed-By regsub( req.http.Cookie, "^.*?ROLES=([^;]*);*.*$", "\1" );
    }

    return(hash);
}

Pass along original IP address as a custom header

/etc/varnish/default.vcl

sub vcl_recv {
    // Pass along the IP for uncached pages
    if (req.http.x-forwarded-for) {
        set req.http.X-Forwarded-For = req.http.X-Forwarded-For ", " client.ip;
    } else {
        set req.http.X-Forwarded-For = client.ip;
    }
}

Refining your caching strategy.

Varnish tooling

  • showcase varnishhist
  • plus other command line utils