Netgate Discussion Forum

    Varnish problems

    pfSense Packages
    12 Posts 3 Posters 5.2k Views
    • marcelloc

      I'll check again why the widget is not installing.

      Can you post your varnish conf?

      I've been using varnish for a long time without issues.

      Elite Training: http://sys-squad.com

      Help a community developer! ;D

      • Gob

        
        # Varnish configuration file
        # Automatically generated by the pfSense package system
        
        # This file is located in /var/etc/default.vcl
        
        sub vcl_error {
        	# retry the request once before serving the synthetic error page
        	if (obj.status == 503 && req.restarts < 1) {
        		return(restart);
        	}
        
        	set obj.http.Content-Type = "text/html; charset=utf-8";
        	synthetic {"
        <?xml version="1.0" encoding="utf-8"?>
        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
        <html>
          <head>
            <title>"} + obj.status + " " + obj.response + {"</title>
          </head>
          <body>
            <h1>Error "} + obj.status + " " + obj.response + {"</h1>
            <p>"} + obj.response + {"</p>
            <h3>Guru Meditation:</h3>
            <p>XID: "} + req.xid + {"</p>
            <hr>
            <p>Varnish cache server</p>
          </body>
        </html>
        "};
        	return(deliver);
        }
        
        backend Server1BACKEND {
        	# used in catch_all 
        	.host = "192.168.5.200";
        	.port = "80";
        	.first_byte_timeout = 3000s;
        	.connect_timeout = 3000s;
        	.probe = {
        		.url = "/";
        		.interval = 5s;
        		.timeout = 1s;
        		.window = 5;
        		.threshold = 3;
        	}
        }
        
        backend Server2BACKEND {
        	# used in catch_all 
        	.host = "192.168.5.201";
        	.port = "80";
        	.first_byte_timeout = 3000s;
        	.connect_timeout = 3000s;
        	.probe = {
        		.url = "/";
        		.interval = 5s;
        		.timeout = 1s;
        		.window = 5;
        		.threshold = 3;
        	}
        }
        
        sub vcl_recv {
        
        	#BASIC VCL RULES SETTING
        	#Fix gzip compression (normalise Accept-Encoding so there is one cached variant)
        	if (req.http.Accept-Encoding) {
        		if (req.url ~ "\.(gif|jpg|jpeg|bmp|png|ico|img|tga|wmf|gz|tgz|bz2|tbz|mp3|ogg)$") {
        			unset req.http.Accept-Encoding;
        		}
        		else if (req.http.Accept-Encoding ~ "gzip") {
        			set req.http.Accept-Encoding = "gzip";
        		}
        		else if (req.http.Accept-Encoding ~ "deflate") {
        			set req.http.Accept-Encoding = "deflate";
        		}
        		else {
        			unset req.http.Accept-Encoding;
        		}
        	}
        	#set client balance identity
        	set client.identity = req.url;
        
        	#set X-forward
        	set req.http.X-Forwarded-For = client.ip;
        
        	#pick the backend from the Host header
        	if (req.http.host == "server1.mydomain.com") {
        		set req.backend = Server1BACKEND;
        	}
        	else if (req.http.host == "server2.mydomain.com") {
        		set req.backend = Server2BACKEND;
        	}
        
        	#respect client wish to refresh the page
        	if (req.http.Pragma ~ "no-cache") {
        		return(pass);
        	}
        
        	#BASIC VCL RULES ACTIONS
        	#Disable post cache
        	if (req.request == "POST") {
        		return(pass);
        	}
        	#Enable static cache
        	if (req.request == "GET" && req.url ~ "\.(css|js|txt|zip|pdf|rtf|flv|swf|html|htm)$") {
        		return(pass);
        	}
        	if (req.request == "GET" && req.url ~ "\.(gif|jpg|jpeg|bmp|png|ico|img|tga|wmf|mp3|ogg)$") {
        		return(pass);
        	}
        	#Disable session cache
        	if (req.http.Cookie && req.http.Cookie ~ "(PHPSESSID|phpsessid)") {
        		return(pass);
        	}
        	if (req.http.Cookie && req.http.Cookie ~ "(JSESSION|jsession)") {
        		return(pass);
        	}
        	if (req.http.X-Requested-With == "XMLHttpRequest" || req.url ~ "nocache") {
        		return(pass);
        	}
        	#Be rfc2616 compliant
        	if (req.request ~ "^(GET|HEAD|PUT|POST|TRACE|OPTIONS|DELETE)$") {
        		return(lookup);
        	}
        	else {
        		return(pipe);
        	}
        
        	return(lookup);
        }
        
        sub vcl_pipe {
        
        	# If we don't set the Connection: close header, any following
        	# requests from the client will also be piped through and
        	# left untouched by varnish. We don't want that.
        	set req.http.connection = "close";
        	# Note: no "pipe" action here - we'll fall back to the default
        	# pipe method so that when any changes are made there, we
        	# still inherit them.
        
        }
        
        sub vcl_hit {
        	return (deliver);
        }
        
        sub vcl_miss {
        	return (fetch);
        }
        
        sub vcl_fetch {
        	set beresp.do_stream = true;
        
        	#Disable cache when backend is starting a session
        	if (beresp.http.Set-Cookie && beresp.http.Set-Cookie ~ "(PHPSESSID|phpsessid)") {
        		return(hit_for_pass);
        	}
        	if (beresp.http.Set-Cookie && beresp.http.Set-Cookie ~ "(JSESSION|jsession)") {
        		return(hit_for_pass);
        	}
        	if (beresp.http.X-Requested-With == "XMLHttpRequest" || req.url ~ "nocache") {
        		return(hit_for_pass);
        	}
        
        	# Varnish respects the wishes of the backend application.
        	if (beresp.http.Pragma ~ "no-cache" || beresp.http.Cache-Control ~ "(no-cache|no-store|private)") {
        		return(hit_for_pass);
        	}
        	## If the request to the backend returns a code other than 200, restart the loop
        	## If the number of restarts reaches the value of the parameter max_restarts,
        	## the request will be error'ed.  max_restarts defaults to 4.  This prevents
        	## an eternal loop in the event that, e.g., the object does not exist at all.
        	if (beresp.status != 200 && beresp.status != 403 && beresp.status != 404 &&
        	    beresp.status != 303 && beresp.status != 302 && beresp.status != 301 && beresp.status != 401) {
        		set beresp.saintmode = 60s;
        		return(restart);
        	}
        
        	set beresp.grace = 60s;
        	return(deliver);
        }
        
        sub vcl_deliver {
        	##set resp.http.X-Served-By = server.hostname;
        	if (obj.hits > 0) {
        		set resp.http.X-Cache = "HIT";
        		set resp.http.X-Cache-Hits = obj.hits;
        	} else {
        		set resp.http.X-Cache = "MISS";
        	}
        	return(deliver);
        }
        
        sub vcl_init {
        	return (ok);
        }
        
        sub vcl_fini {
        	return (ok);
        }
        

        If I fix one more thing than I break in a day, it's a good day!

        • marcelloc

          The conf file is fine.

          Check that you do not have a NAT rule forwarding HTTP traffic to the first server.


          • Gob

            Thanks for your reply.
            There was a NAT rule from WAN to LAN (Server1) but I have disabled that along with some other NAT rules that were allocated to Virtual IPs.
            Still no luck :(

            Do I need to restart Varnish or clear any caches when I make changes to the config?

            We have multiple WAN connections with Virtual IPs and also Manual Outbound NAT. Is any of that likely to confuse the situation, or the fact that I am testing all from my LAN?


            • marcelloc

              I've published a fix to the widget download during installation. Please reinstall the package, add the varnish dashboard widget and check the backend status.


              • Gob

                Thanks.

                Backends both showing as up.
                I am now trying this from home, outside of the pfSense network, but cannot get either working.
                Externally, the hostnames resolve to a Virtual IP on the WAN connection.

                I am unsure what rule I need to allow the traffic through to Varnish. Is it a NAT rule or a firewall rule (or both?)


                • marcelloc

                  Just a firewall rule. NAT on the same port will 'conflict' with varnish.


                  • viper

                    Hi, I know this thread is a few months old but I have the same problem.
                    I have installed varnish and configured 2 different servers. Everything is working OK from inside my LAN but nobody can access my servers from outside.
                    What firewall rule should I check?

                    • Gob

                      I ended up getting my reverse proxy working by using the Squid reverse proxy on the default WAN IP.
                      Couldn't get Varnish working 100%.


                      • marcelloc

                        @viper:

                        What firewall rule should i check?

                        • Disable the web GUI redirect rule under System > Advanced

                        • Disable any NAT rule on port 80 to internal servers

                        • Configure backends/load balancer on varnish

                        • Add the varnish widget to see if varnish can check your server using the test URL

                        • Create a WAN rule to allow traffic to the WAN address on port 80


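Two of the items in that list (the webConfigurator redirect and a NAT rule on port 80) are things the box itself can report on. The script below is an added example for this thread, not code from the pfSense varnish package or from any of the posters. It parses the text that `pfctl -sn` (active NAT rules) and `sockstat -4l` (IPv4 listening sockets) print on FreeBSD-based pfSense and flags anything standing between TCP/80 on the WAN and varnishd. The interface name em0, the addresses and both sample outputs are constructed for the demo; on a live firewall you would feed it the real command output as shown in the last comment.

```shell
#!/bin/sh
# Added example (not from the pfSense package or the thread's posters).
# Checks two preconditions behind the list above:
#   1. no pf 'rdr' NAT rule may capture TCP/80 on the WAN interface before varnishd sees it;
#   2. port 80 on the firewall must be held by varnishd, not by the webConfigurator redirect.
# Both functions read the plain-text output of `pfctl -sn` and `sockstat -4l`.

# count_port80_rdr WANIF   (stdin: output of `pfctl -sn`)
# Prints the number of active rdr rules on WANIF that forward TCP port 80.
count_port80_rdr() {
    awk -v wanif="$1" '
        # "no rdr" and "rdr-anchor" lines do not start with the bare word "rdr"
        $1 == "rdr" && index($0, " on " wanif " ") && / proto tcp / && / port = (80|http)( |$)/ { n++ }
        END { print n + 0 }'
}

# port80_listener   (stdin: output of `sockstat -4l`)
# Prints the COMMAND column of every IPv4 TCP socket bound to port 80.
port80_listener() {
    awk '$5 == "tcp4" && $6 ~ /:80$/ { print $2 }'
}

# Constructed sample of `pfctl -sn` output: the first real rule forwards TCP/80
# on em0 (WAN) to Server1 and would "conflict" with varnish; the rest do not apply
# (wrong port, UDP, another interface, or a negated "no rdr" rule).
PFCTL_SAMPLE='rdr-anchor "tftp-proxy/*" all
rdr on em0 inet proto tcp from any to 203.0.113.10 port = http -> 192.168.5.200
rdr on em0 inet proto tcp from any to 203.0.113.10 port = https -> 192.168.5.200
rdr on em0 inet proto udp from any to 203.0.113.10 port = 80 -> 192.168.5.201
rdr on em1 inet proto tcp from any to 10.0.0.1 port = 80 -> 192.168.5.201
no rdr on em0 inet proto tcp from any to 203.0.113.10 port = 80'

# Constructed sample of `sockstat -4l` output: the webConfigurator redirect
# (lighttpd) still owns port 80, so varnishd has had to bind elsewhere.
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd   4321  4  tcp4   *:80                  *:*
root     lighttpd   4321  5  tcp4   *:443                 *:*
root     varnishd   5678  6  tcp4   *:8080                *:*'

# check_varnish_path WANIF PFCTL_TEXT SOCKSTAT_TEXT
# Prints one line per conflict and returns 0 only when TCP/80 on WANIF reaches varnishd.
check_varnish_path() {
    rdr=$(printf '%s\n' "$2" | count_port80_rdr "$1")
    owner=$(printf '%s\n' "$3" | port80_listener | sort -u | tr '\n' ' ')
    status=0
    if [ "$rdr" -gt 0 ]; then
        echo "conflict: $rdr rdr rule(s) forward TCP/80 on $1 before varnishd sees it"
        status=1
    fi
    case " $owner" in
        *" varnishd "*) ;;
        *) echo "conflict: port 80 is held by '${owner:-nobody}', not varnishd"; status=1 ;;
    esac
    [ "$status" -eq 0 ] && echo "ok: TCP/80 on $1 reaches varnishd"
    return "$status"
}

# Demo run on the constructed samples. On a live pfSense box replace the samples with
#   check_varnish_path em0 "$(pfctl -sn)" "$(sockstat -4l)"
check_varnish_path em0 "$PFCTL_SAMPLE" "$SOCKSTAT_SAMPLE" || echo "fix the conflicts above, then retest"
```

The rdr match is deliberately strict (interface, TCP, destination port 80 or its service name) so a rule on another interface or port is not reported as a conflict; once both checks pass, what remains is the plain WAN firewall rule allowing port 80 to the WAN address, which pf does not expose through these two commands.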
                        • viper

                          I will try the above and let you know what happens.

                          Thank you both for taking the time to reply.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.