Varnish help on setting up for multiple internal webservers

marcelloc

do i need to do this again?

cd /usr/local/www/widgets/widgets/
fetch http://www.pfsense.com/packages/config/varnish64/varnish.widget.php

Just if you do not want to reinstall package.

The fix I've published was just to fix this file path.

kegler

@marcelloc:

@kegler:

do i need to do this again?

cd /usr/local/www/widgets/widgets/
fetch http://www.pfsense.com/packages/config/varnish64/varnish.widget.php

Just if you do not want to reinstall package.

The fix I've published was just to fix this file path.

oh…i still see the same widget

ok let me recap, i disable all my NAT, i set any port80 to any port 80 on my rules and i set my backend servers on varnish. i still do not get thru, not even getting the error503. Just showing me the connection has time out after a 1-2min loading

marcelloc

maybe there is something missing on your varnish setup.

try to run it from console to see if there are any erros

/usr/local/etc/rc.d/varnish.sh start

kegler

@marcelloc:

maybe there is something missing on your varnish setup.

try to run it from console to see if there are any erros

/usr/local/etc/rc.d/varnish.sh start

omg… u r right.... i couldnt start.... varnish.sh command not found

but i do see varnish.sh when i ls

marcelloc

/usr/local/etc/rc.d/varnish.sh is generated when you enable varnish and save config.

Can you check your varnish settings tab?

kegler

Varnish configuration file

Automatically generated by the pfSense package system

This file is located in /var/etc/default.vcl

sub vcl_error {
if (obj.status == 503 && req.restarts < 2) {
restart;
}

set obj.http.Content-Type = "text/html; charset=utf-8";
synthetic {"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
FAIL TO LOAD VARNISH"};
return(deliver);

}

backend kegwebBACKEND {

used in catch_all

.host = "192.168.1.95";
.port = "80";
.first_byte_timeout = 360s;
.connect_timeout = 5s;
.probe = {
.url = ""/"";
.interval = 5s;
.timeout = 1s;
.window = 5;
.threshold = 3;
}
}

backend kegapp3BACKEND {

used in catch_all

.host = "192.168.1.100";
.port = "80";
.first_byte_timeout = 360s;
.connect_timeout = 60s;
.probe = {
.url = ""/"";
.interval = 5s;
.timeout = 1s;
.window = 5;
.threshold = 3;
}
}

backend goldallianzeBACKEND {

used in catch_all

.host = "192.168.1.100";
.port = "80";
.first_byte_timeout = 360s;
.connect_timeout = 60s;
.probe = {
.url = ""/"";
.interval = 5s;
.timeout = 1s;
.window = 5;
.threshold = 3;
}
}

#Enable Per user session cache.
sub vcl_hash {
set req.hash += req.http.cookie;
}

sub vcl_recv {

#BASIC VCL RULES SETTING
#Fix gzip compression
if (req.http.Accept-Encoding) {
if (req.url ~ ".(gif|jpg|jpeg|bmp|png|ico|img|tga|wmf|gz|tgz|bz2|tbz|mp3|ogg)$") {
unset req.http.Accept-Encoding;
}
else if (req.http.Accept-Encoding ~ "gzip") {
set req.http.Accept-Encoding = "gzip";
}
else if (req.http.Accept-Encoding ~ "deflate") {
set req.http.Accept-Encoding = "deflate";
}
else {
unset req.http.Accept-Encoding;
}
}
#set client balance identity
set client.identity = client.ip;

#set X-forward
set req.http.X-Forwarded-Varnish = client.ip;

if (req.http.host == "www.example.com") {
set req.backend = kegwebBACKEND;
}
else if (req.http.host == "kcrm1.example.com") {
set req.backend = kegapp3BACKEND;
}
else if (req.http.host == "kcrm2.example.com ") {
set req.backend = goldallianzeBACKEND;
}

#respect client wish to refresh the page
if (req.http.Pragma ~ "no-cache")
{
return(pass);
}

#BASIC VCL RULES ACTIONS
#Disable post cache
if (req.request == "POST") {
return(pass);
}
#Enable static cache
if (req.request=="GET" && req.url ~ ".(css|js|txt|zip|pdf|rtf|flv|swf|html|htm)$") {
return(lookup);
}
if (req.request=="GET" && req.url ~ ".(gif|jpg|jpeg|bmp|png|ico|img|tga|wmf|mp3|ogg)$") {
return(lookup);
}
#Be rfc2616 compliant
if (req.request ~ "^(GET|HEAD|PUT|POST|TRACE|OPTIONS|DELETE)$") {
return(lookup);
}
else {
return(pipe);
}

return(lookup);
}

sub vcl_pipe {

If we don't set the Connection: close header, any following

requests from the client will also be piped through and

left untouched by varnish. We don't want that.

set req.http.connection = "close";

Note: no "pipe" action here - we'll fall back to the default

pipe method so that when any changes are made there, we

still inherit them.

}

sub vcl_fetch {

#Disable cache when backend is starting a session
if (beresp.http.Set-Cookie && beresp.http.Set-Cookie ~ "(PHPSESSID|phpsessid)") {
return(pass);
}
if (beresp.http.Set-Cookie && beresp.http.Set-Cookie ~ "(JSESSION|jsession)") {
return(pass);
}

Varnish respects the wishes of the backend application.

if (beresp.http.Pragma ~ "no-cache" || beresp.http.Cache-Control ~ "(no-cache|no-store|private)") {
return(pass);
}
## If the request to the backend returns a code other than 200, restart the loop
## If the number of restarts reaches the value of the parameter max_restarts,
## the request will be error'ed. max_restarts defaults to 4. This prevents
## an eternal loop in the event that, e.g., the object does not exist at all.
if (beresp.status != 200 && beresp.status != 403 && beresp.status != 404 &&
beresp.status != 303 && beresp.status != 302 && beresp.status != 301 && beresp.status != 401 ) {
set beresp.saintmode = 60s;
restart;
}

set beresp.grace = 60s;
return(deliver);
}

sub vcl_deliver {
##set resp.http.X-Served-By = server.hostname;
if (obj.hits > 0) {
set resp.http.X-Cache = "HIT";
set resp.http.X-Cache-Hits = obj.hits;
} else {
set resp.http.X-Cache = "MISS";
}
return(deliver);
}

kegler

my pfsense management port i change to https

change domain name on conf only for security purpose

marcelloc

The conf looks fine. Are you still unable to start varnish?
What files do you have on /usr/local/etc/rc.d ?

kegler

@marcelloc:

The conf looks fine. Are you still unable to start varnish?
What files do you have on /usr/local/etc/rc.d ?

varnish.sh
varnishd
varnishlog
varnishncsa
clamd

marcelloc

The file is there and package is installed, it should work. ???

Just to check, see if varnish package is installed with pkg_info on console.

ps ax | grep varnish will show if there is any varnish process running.

kegler

@marcelloc:

The file is there and package is installed, it should work. ???

Just to check, see if varnish package is installed with pkg_info on console.

ps ax | grep varnish will show if there is any varnish process running.

18796 0 S+ 0:00.00 grep varnish

looks like not running?

marcelloc

What about pkg_info cmd?

What does returns /usr/local/etc/rc.d/varnish.sh start

kegler

@marcelloc:

What about pkg_info cmd?

What does returns /usr/local/etc/rc.d/varnish.sh start

sorry what is the cmd to check the above ?

kegler

[2.0-RELEASE][admin@kegpfs.kegnet.com]/usr/local/etc/rc.d(6): varnish.sh start
varnish.sh: Command not found.

seems something not installed ?

marcelloc

Do not chdir to rc.d, Run varnish.sh with full path

kegler

@marcelloc:

Do not chdir to rc.d, Run varnish.sh with full path

kern.ipc.nmbclusters: 65536
sysctl: kern.ipc.nmbclusters: Invalid argument
kern.ipc.somaxconn: 16384 -> 16384
kern.maxfiles: 131072 -> 131072
kern.maxfilesperproc: 104856 -> 104856
kern.threads.max_threads_per_proc: 4096 -> 4096

wondering could it be due to my domain is host by no-ip.com?

kegler

php: /pkg_edit.php: The command '/usr/local/etc/rc.d/varnish.sh' returned exit code '2', the output was 'kern.ipc.nmbclusters: 65536 sysctl: kern.ipc.nmbclusters: Invalid argument kern.ipc.somaxconn: 16384 -> 16384 kern.maxfiles: 131072 -> 131072 kern.maxfilesperproc: 104856 -> 104856 kern.threads.max_threads_per_proc: 4096 -> 4096 storage_malloc: max size 1024 MB. Message from VCC-compiler: Expected ';' got '/' (program line 369), at (input Line 28 Pos 26) .url = ""/""; –-----------------------#--- In backend specification starting at: (input Line 21 Pos 1) backend kegapp33BACKEND { #######------------------ Running VCC-compiler failed, exit 1 VCL compilation failed'

saw this in my log… but i dont quite understand what went wrong

and i kvm into my pfsense and saw this on the screen.... seems like its stucked at the loading of varnish....

i think i messed up the pfsense somewhere

marcelloc

Remove quotes from your backend Test url

.url = ""/"";

kegler

omg…it worked now...thank you very much....

canefield

@marcelloc:

Each backend means a webserver

inside each configuration, you must provide:

Backend name = WindowsServer

Ip Address = 192.168.1.4

Port = 80 <– Q

Probe URL = "/"(if your server has a valid page on "/")

Probe Interval = 5

Probe Timeout = 1

Probe window = 5

Probe Threshold = 3

Q:
Can I enter multiple listening ports e.g. port: "80, 443"? Or should I configure that host several times according to how many ports it is listening on?

Thanks,
Canefield