    Varnish problems

      Gob

      
      # Varnish configuration file
      # Automatically generated by the pfSense package system
      
      # This file is located in /var/etc/default.vcl
      
      sub vcl_error {
      	# Error handler. A 503 from the backend is retried once
      	# (req.restarts < 1) before a synthetic error page is rendered.
      		if (obj.status == 503 && req.restarts < 1) {
      			return(restart);
      		}
      
      	# Synthetic HTML error body: obj.status, obj.response and req.xid are
      	# concatenated into the page without any HTML escaping.
      	# NOTE(review): the markup below appears to have lost its HTML tags in
      	# the forum rendering (bare DOCTYPE URL, "# Error", "### Guru
      	# Meditation:", "* * *" and a stray "138") - compare it against the
      	# generated /var/etc/default.vcl before reusing it.
      	set obj.http.Content-Type = "text/html; charset=utf-8";
      	synthetic {"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
      
      <title>"} + obj.status + " " + obj.response + {"</title>
      
      # Error "} + obj.status + " " + obj.response + {"
      
      "} + obj.response + {"
      
      ### Guru Meditation:
      
      XID: "} + req.xid + {"
      
      * * *
      
      Varnish cache server
      
      138	"};
      	# Deliver the synthetic page to the client.
      	return(deliver);
      
      }
      
      backend Server1BACKEND {
      	# used in catch_all 
      	# Origin for server1.mydomain.com (selected in vcl_recv by Host header).
      	.host = "192.168.5.200";
      	.port = "80";
      	# Health probe: GET / every 5s with a 1s timeout; the backend counts
      	# as healthy when 3 of the last 5 probes succeeded.
      	.probe = {
      		.url = "/";
      		.timeout = 1s;
      		.interval = 5s;
      		.threshold = 3;
      		.window = 5;
      	}
      	# NOTE(review): 3000s (50 min) timeouts let a stalled origin hold a
      	# Varnish worker for a very long time - confirm this is intended.
      	.connect_timeout = 3000s;
      	.first_byte_timeout = 3000s;
      }
      
      backend Server2BACKEND {
      	# used in catch_all 
      	# Origin for server2.mydomain.com (selected in vcl_recv by Host header).
      	.host = "192.168.5.201";
      	.port = "80";
      	# Health probe: GET / every 5s with a 1s timeout; the backend counts
      	# as healthy when 3 of the last 5 probes succeeded.
      	.probe = {
      		.url = "/";
      		.timeout = 1s;
      		.interval = 5s;
      		.threshold = 3;
      		.window = 5;
      	}
      	# NOTE(review): 3000s (50 min) timeouts let a stalled origin hold a
      	# Varnish worker for a very long time - confirm this is intended.
      	.connect_timeout = 3000s;
      	.first_byte_timeout = 3000s;
      }
      
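      sub vcl_recv {
      	# Request entry point: normalises Accept-Encoding, sets the client
      	# identity, picks the backend from the Host header and decides
      	# between lookup, pass and pipe.
      
      	#BASIC VCL RULES SETTING
      	# Normalise Accept-Encoding so the cache holds at most one gzip and
      	# one deflate variant; already-compressed file types get none.
      	if (req.http.Accept-Encoding) {
      		if (req.url ~ "\.(gif|jpg|jpeg|bmp|png|ico|img|tga|wmf|gz|tgz|bz2|tbz|mp3|ogg)$") {
      			unset req.http.Accept-Encoding;
      		} else if (req.http.Accept-Encoding ~ "gzip") {
      			set req.http.Accept-Encoding = "gzip";
      		} else if (req.http.Accept-Encoding ~ "deflate") {
      			set req.http.Accept-Encoding = "deflate";
      		} else {
      			unset req.http.Accept-Encoding;
      		}
      	}
      
      	# client.identity is only consulted by a client director; none is
      	# declared in this file, so this is presumably for the package's
      	# load-balancer option - verify.
      	set client.identity = req.url;
      
      	# Overwrite (not append) X-Forwarded-For with the connecting
      	# address, so a client-supplied header cannot spoof its source IP.
      	set req.http.X-Forwarded-For = client.ip;
      
      	# Backend selection by Host header. Any other Host is left on
      	# Varnish's default backend (presumably the first one declared) -
      	# review whether unknown hosts should get an error instead.
      	if (req.http.host == "server1.mydomain.com") {
      		set req.backend = Server1BACKEND;
      	} else if (req.http.host == "server2.mydomain.com") {
      		set req.backend = Server2BACKEND;
      	}
      
      	# Respect the client's explicit wish to refresh the page.
      	if (req.http.Pragma ~ "no-cache") {
      		return(pass);
      	}
      
      	#BASIC VCL RULES ACTIONS
      	# Never answer POST from the cache.
      	if (req.request == "POST") {
      		return(pass);
      	}
      	# Static file types are passed straight to the backend. (The
      	# original label said "Enable static cache", but pass bypasses
      	# the cache - confirm which behaviour is wanted.)
      	if (req.request == "GET" && req.url ~ "\.(css|js|txt|zip|pdf|rtf|flv|swf|html|htm)$") {
      		return(pass);
      	}
      	if (req.request == "GET" && req.url ~ "\.(gif|jpg|jpeg|bmp|png|ico|img|tga|wmf|mp3|ogg)$") {
      		return(pass);
      	}
      	# Requests carrying a PHP/Java session cookie are per-user: do not
      	# cache. Other cookies still go to lookup.
      	if (req.http.Cookie && req.http.Cookie ~ "(PHPSESSID|phpsessid)") {
      		return(pass);
      	}
      	if (req.http.Cookie && req.http.Cookie ~ "(JSESSION|jsession)") {
      		return(pass);
      	}
      	# AJAX requests and any URL containing "nocache" bypass the cache.
      	if (req.http.X-Requested-With == "XMLHttpRequest" || req.url ~ "nocache") {
      		return(pass);
      	}
      	# Be rfc2616 compliant: only GET and HEAD may be answered from the
      	# cache. The cache key is URL + Host, so looking up PUT, DELETE,
      	# TRACE or OPTIONS could hand them a cached GET response without
      	# ever reaching the backend; those are passed instead. Unknown
      	# methods are piped through untouched.
      	if (req.request == "GET" || req.request == "HEAD") {
      		return(lookup);
      	} else if (req.request ~ "^(PUT|POST|TRACE|OPTIONS|DELETE)$") {
      		return(pass);
      	} else {
      		return(pipe);
      	}
      }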
      
      sub vcl_pipe {
      	# Force the piped connection to close after this request; otherwise
      	# the client's next requests on the same connection would also be
      	# piped around Varnish. The pipe action itself is deliberately left
      	# to the built-in VCL so that upstream changes to it are inherited.
      	set req.http.connection = "close";
      }
      sub vcl_hit {
      	# Cache hit: always deliver the stored object.
      	return(deliver);
      }
      
      sub vcl_miss {
      	# Cache miss: always fetch from the selected backend.
      	return(fetch);
      }
      
      sub vcl_fetch {
      	# Backend response hook: decides whether the fetched object is
      	# cacheable, retries on unexpected status codes, and sets grace.
      	# Stream the body to the client while it is still being fetched.
      	set beresp.do_stream = true;
      
      	#Disable cache when backend is starting a session
      	# NOTE(review): only PHPSESSID/JSESSION cookies are excluded; a
      	# response that sets any other cookie is still cached together with
      	# its Set-Cookie header and can be served to other clients.
      	if (beresp.http.Set-Cookie && beresp.http.Set-Cookie ~ "(PHPSESSID|phpsessid)") {
      		return(hit_for_pass);
      		}
      	if (beresp.http.Set-Cookie && beresp.http.Set-Cookie ~ "(JSESSION|jsession)") {
      		return(hit_for_pass);
      		}
      	# NOTE(review): X-Requested-With is a request header, so checking it
      	# on beresp looks like a typo for req.http.X-Requested-With; both
      	# conditions already cause pass in vcl_recv.
      	if (beresp.http.X-Requested-With == "XMLHttpRequest" || req.url ~ "nocache") {
      		return(hit_for_pass);
      		}
      
      	# Varnish respects the wishes of the backend application.
      	if (beresp.http.Pragma ~ "no-cache" || beresp.http.Cache-Control ~ "(no-cache|no-store|private)") {
      	return(hit_for_pass);
      	}
          ## If the request to the backend returns a code other than 200, restart the loop
          ## If the number of restarts reaches the value of the parameter max_restarts,
          ## the request will be error'ed.  max_restarts defaults to 4.  This prevents
          ## an eternal loop in the event that, e.g., the object does not exist at all.
          ## 403/404/3xx/401 are treated as final answers and not retried.
          if (beresp.status != 200 && beresp.status != 403 && beresp.status != 404 && 
          	beresp.status != 303 && beresp.status != 302 && beresp.status != 301 && beresp.status != 401 ) {
      		# Saint mode: avoid this backend for this object for 60s.
      		set beresp.saintmode = 60s;
      		return(restart);
              }
      
      	# Allow a stale copy to be served for up to 60s after expiry.
      	set beresp.grace = 60s;
      		return(deliver);
      }
      
      sub vcl_deliver {
      	# Response hook: tags the reply with X-Cache / X-Cache-Hits so the
      	# cache outcome is visible to the client. The hostname header stays
      	# disabled. NOTE(review): these debug headers reveal caching
      	# behaviour to any client; strip them in production if not wanted.
      	##set resp.http.X-Served-By = server.hostname;
      	if (obj.hits < 1) {
      		set resp.http.X-Cache = "MISS";
      	} else {
      		set resp.http.X-Cache = "HIT";
      		set resp.http.X-Cache-Hits = obj.hits;
      	}
      	return(deliver);
      }
      
      sub vcl_init {
      	# Nothing to initialise when the VCL is loaded.
      	return(ok);
      }
      
      sub vcl_fini {
      	# Nothing to tear down when the VCL is discarded.
      	return(ok);
      }
      
      

      If I fix one more thing than I break in a day, it's a good day!

        marcelloc

        The conf file is fine.

        Check that you do not have a NAT rule forwarding HTTP traffic to the first server.

        Treinamentos de Elite: http://sys-squad.com

        Help a community developer! ;D

          Gob

          Thanks for your reply.
          There was a NAT rule from WAN to LAN (Server1) but I have disabled that along with some other NAT rules that were allocated to Virtual IPs.
          Still no luck :(

          Do I need to restart Varnish or clear any caches when I make changes to the config?

          We have multiple WAN connections with Virtual IPs and also Manual Outbound NAT. Is any of that likely to confuse the situation, or the fact that I am testing all from my LAN?

          If I fix one more thing than I break in a day, it's a good day!

            marcelloc

            I've published a fix for the widget download during installation; please reinstall the package, add the Varnish dashboard widget and check the backend status.

            Treinamentos de Elite: http://sys-squad.com

            Help a community developer! ;D

              Gob

              thanks

              Backends both showing as up.
              I am now trying this from home - outside of the pfSense network but cannot get either working.
              Externally, the hostnames resolve to a Virtual IP on the WAN connection.

              I am unsure what rule I need to allow the traffic through to Varnish. Is it a NAT rule or a firewall rule (or both?)

              If I fix one more thing than I break in a day, it's a good day!

                marcelloc

                Just a firewall rule. A NAT rule on the same port will conflict with Varnish.

                Treinamentos de Elite: http://sys-squad.com

                Help a community developer! ;D

                  viper

                  Hi, I know this thread is a few months old but I have the same problem.
                  I have installed Varnish and configured 2 different servers. Everything is working OK from inside my LAN but nobody can access my servers from outside.
                  What firewall rule should I check?

                    Gob

                    I ended up getting my reverse proxy working by using the Squid reverse proxy on the default WAN IP.
                    Couldn't get Varnish working 100%

                    If I fix one more thing than I break in a day, it's a good day!

                      marcelloc

                      @viper:

                      What firewall rule should I check?

                      • Disable the web GUI redirect rule under System > Advanced

                      • Disable any NAT rule on port 80 to the internal servers

                      • Configure the backends / load balancer in Varnish

                      • Add the Varnish widget to see whether Varnish can reach your server using the test URL

                      • Create a WAN rule to allow traffic to the WAN address on port 80

                      Treinamentos de Elite: http://sys-squad.com

                      Help a community developer! ;D

                        viper

                        I will try the above and let you know what happens.

                        Thank you both for taking the time to reply.
