Varnish4: Cache all!

Varnish offers great capabilities to manipulate responses coming from the backend servers.

The following example lets you cache all responses regardless of the caching headers sent by the backend servers.

sub vcl_backend_response {

     # Client browser and server cache
     # Force cache: remove the Expires, Cache-Control & Pragma headers coming from the backend
     if (beresp.http.Cache-Control ~ "(no-cache|private)" || beresp.http.Pragma ~ "no-cache") {
         unset beresp.http.Expires;
         unset beresp.http.Cache-Control;
         unset beresp.http.Pragma;

         # Marker for vcl_deliver to reset Age
         set beresp.http.magicmarker = "1";

         # Leverage browser caching: set the client's TTL on this object
         set beresp.http.Cache-Control = "public, max-age=60";

         # Set Varnish's own TTL on this object
         set beresp.ttl = 1m;

         # Allow stale content, in case the backend goes down:
         # make Varnish keep all objects for 6 hours beyond their TTL
         set beresp.grace = 6h;
         return (deliver);
     }
}

sub vcl_deliver {

     # Called before a cached object is delivered to the client.
     if (resp.http.magicmarker) {
         unset resp.http.magicmarker;

         # By definition we have a fresh object
         set resp.http.Age = "0";
     }

     # Add debug header to see if it's a HIT/MISS and the number of hits, disable when not needed
     if (obj.hits > 0) {
         set resp.http.X-Cache = "HIT";
     } else {
         set resp.http.X-Cache = "MISS";
     }

     # Please note that obj.hits behaviour changed in 4.0, now it counts per objecthead, not per object
     # and obj.hits may not be reset in some cases where bans are in use. See bug 1492 for details.
     # So take hits with a grain of salt
     set resp.http.X-Cache-Hits = obj.hits;

     # Set Varnish server name
     set resp.http.X-Served-By = server.hostname;

     # Remove some headers: PHP version
     unset resp.http.X-Powered-By;

     # Remove some headers: Apache version & OS
     unset resp.http.Server;
     unset resp.http.X-Varnish;
     unset resp.http.Via;
     unset resp.http.Link;
     unset resp.http.X-Generator;
     return (deliver);
}

Force redirect in Varnish

On certain occasions you need to redirect all traffic to an external site directly from Varnish.

Below you will find how to implement this using Varnish 4.0 and some specific rules in the VCL.


sub force_redirect {
   set req.http.host = "www.atomictag.com";
   return(synth(750, "Force redirection to external site."));
}

sub vcl_recv {
   # Force redirect
   call force_redirect;
   # Everything else will be ignored
}

sub vcl_synth {
   # Managing redirection
   if (resp.status == 750) {
      set resp.status = 301;
      set resp.http.Location = "http://www.atomictag.com/";
      return(deliver);
   }
}

Of course you can easily add more intelligence to the VCL, e.g. by making the redirection depend on the HTTP referrer or on a specific hostname.
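
A hostname-based variant of the redirect, as an added example that is not part of the original page. The hostname `old.example.com` and the backend are constructed placeholders; the target host is fixed and the request path is only appended when it starts with `/`, so the client cannot steer the redirect to another site.

```vcl
vcl 4.0;

# Constructed backend for the example; replace with your own.
backend default { .host = "127.0.0.1"; .port = "8080"; }

sub vcl_recv {
    # Redirect only the retired hostname (old.example.com is a placeholder);
    # every other host is handled normally.
    if (req.http.host ~ "(?i)^old\.example\.com(:[0-9]+)?$") {
        return (synth(750, "Force redirection to external site."));
    }
}

sub vcl_synth {
    if (resp.status == 750) {
        set resp.status = 301;
        if (req.url ~ "^/") {
            # Fixed scheme and host; only the path comes from the request.
            set resp.http.Location = "http://www.atomictag.com" + req.url;
        } else {
            # A request target such as "@other.example" would change the
            # authority of the Location URL, so fall back to the root.
            set resp.http.Location = "http://www.atomictag.com/";
        }
        return (deliver);
    }
}
```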

Enable VCL variables logging

Varnish Cache offers several ways to log, and most of the documentation covers varnishlog, which shows detailed information about requests, responses and backend responses. But what happens if we need to log our own variables or messages to a file?

The key function is std.syslog, provided by the std (standard) Varnish module, which is the only built-in “vmod”; it is natively available and doesn’t have to be compiled separately.

import std;

Then you can add the following line to your VCL:


std.syslog(180, "log description");

The first parameter, 180, is the priority value. If you want to add some variables to your log message:


std.syslog(180, "log description" + beresp.ttl);

This will log the message to the general system log, which on a Linux system is often located in /var/log/messages.

Monitoring heart beat in Varnish Cache

To check that Varnish Cache is running and able to handle HTTP requests properly, without making the backends part of the equation, add the following VCL snippet, which makes sure that the URL /heart-beat always returns 200:

Varnish 4 equivalent:


sub vcl_recv {
   if (req.method == "GET" && req.url == "/heart-beat") {
      return(synth(200, "OK"));
   }
}

Varnish 3 equivalent:


sub vcl_recv {
   if (req.request == "GET" && req.url == "/heart-beat") {
      error 200 "OK";
   }
}

You may want to protect the URL by using ACLs if you don’t want to expose /heart-beat to the public.

Please see original page: https://www.varnish-software.com/blog/blog-sysadmin-monitoring-health-varnish-cache

vclFiddle for Varnish Cache

vclFiddle is a free online tool for experimenting with the Varnish Cache HTTP reverse-proxy in a sandboxed environment where you can reproduce a website caching scenario for testing, collaborative debugging, or just trying new ideas, with the least friction possible.

You can use it now at http://www.vclfiddle.net and it is open-sourced on GitHub too.

Configure PURGE in VCL 4.0

To configure PURGE, add these lines to your vcl_recv:

vcl 4.0;
import std;

sub vcl_recv {

  # Allow banning
  if (req.method == "PURGE") {
     # Only clients listed in the "purge" ACL may send PURGE requests
     if (!client.ip ~ purge) {
        return(synth(405, "This IP is not allowed to send PURGE requests."));
     }
     # Add a ban matching the host and URL of this request
     ban("req.http.host == " + req.http.host + " && req.url == " + req.url);
     # If you got to this stage (and didn't error out above), the cached result has been invalidated
     return (synth(200, "Purged"));
  }

}

To test it:

$ curl -v -k -H "host: www.mydomain.com" -X PURGE http://varnish_server_ip/

Remember to define the purge ACL in your VCL file.
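
The ACLs referred to in the heart-beat and PURGE sections, as an added example that is not part of the original page. The ACL name `monitoring`, the addresses and the backend are constructed placeholders; `purge` is the name the page's snippets expect.

```vcl
vcl 4.0;

# Constructed backend and addresses for the example; replace with your own.
backend default { .host = "127.0.0.1"; .port = "8080"; }

# Hosts allowed to send PURGE/BAN requests
acl purge {
    "localhost";
    "192.0.2.10";        # placeholder: application server
}

# Hosts allowed to poll /heart-beat
acl monitoring {
    "localhost";
    "198.51.100.0"/24;   # placeholder: monitoring network
}

sub vcl_recv {
    if (req.method == "GET" && req.url == "/heart-beat") {
        if (!client.ip ~ monitoring) {
            # Hide the endpoint from everyone else
            return (synth(404, "Not Found"));
        }
        return (synth(200, "OK"));
    }

    if (req.method == "PURGE" || req.method == "BAN") {
        # client.ip is the TCP peer. Behind a load balancer or TLS
        # terminator it is that proxy's address, so the ACL must not
        # be evaluated against a client-supplied X-Forwarded-For header.
        if (!client.ip ~ purge) {
            return (synth(405, "This IP is not allowed to send PURGE or BAN requests."));
        }
        ban("req.http.host == " + req.http.host + " && req.url == " + req.url);
        return (synth(200, "Ban added"));
    }
}
```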

Force cache and leverage browser caching for non-cacheable content

Add this code to vcl_backend_response:


sub vcl_backend_response {

  # Client browser and server cache
  # Force cache: remove the Expires, Cache-Control & Pragma headers coming from the backend
  if (beresp.http.Cache-Control ~ "(no-cache|private)" || beresp.http.Pragma ~ "no-cache") {
     unset beresp.http.Expires;
     unset beresp.http.Cache-Control;
     unset beresp.http.Pragma;

     # Marker for vcl_deliver to reset Age
     set beresp.http.magicmarker = "1";

     # Leverage browser caching: set the client's TTL on this object
     set beresp.http.Cache-Control = "public, max-age=2592000";

     # Set Varnish's own TTL on this object
     set beresp.ttl = 30d;

     # Allow stale content, in case the backend goes down:
     # make Varnish keep all objects for 6 hours beyond their TTL
     set beresp.grace = 6h;
     return (deliver);
  }

}

Also add this to vcl_deliver:


sub vcl_deliver {
  # Called before a cached object is delivered to the client.

  if (resp.http.magicmarker) {
    unset resp.http.magicmarker;
    # By definition we have a fresh object
    set resp.http.Age = "0";
  }

  # Add debug header to see if it's a HIT/MISS and the number of hits, disable when not needed
  if (obj.hits > 0) {
    set resp.http.X-Cache = "HIT";
  } else {
    set resp.http.X-Cache = "MISS";
  }
  # Please note that obj.hits behaviour changed in 4.0, now it counts per objecthead, not per object
  # and obj.hits may not be reset in some cases where bans are in use. See bug 1492 for details.
  # So take hits with a grain of salt
  set resp.http.X-Cache-Hits = obj.hits;

  # Set Varnish server name
  set resp.http.X-Served-By = server.hostname;

  # Remove some headers: PHP version
  unset resp.http.X-Powered-By;

  # Remove some headers: Apache version & OS
  unset resp.http.Server;
  unset resp.http.X-Varnish;
  unset resp.http.Via;
  unset resp.http.Link;
  unset resp.http.X-Generator;

  return (deliver);
}

Retrieve WordPress logged in username, store it in a custom http x-header and clean cookie


vcl 4.0;
import std;

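sub vcl_recv {

  # Drop any X-UserID header sent by the client so it cannot be spoofed
  unset req.http.X-UserID;

  # Retrieve WordPress logged in username, store it in a custom http x-header and clean cookie
  # Note: the username is copied from the cookie as-is; Varnish does not verify the cookie's signature
  if (req.http.Cookie ~ "wordpress_logged_in") {
     set req.http.X-UserID = regsuball(req.http.Cookie, "^.*wordpress_logged_in_[^=]+[^;]=([^;]*);*.*$", "\1");
     # Keep only the username: drop everything from the first URL-encoded "|" (%7C)
     set req.http.X-UserID = regsuball(req.http.X-UserID, "%7C.*", "");
     # Remove the wordpress_logged_in_ cookies
     set req.http.Cookie = regsuball(req.http.Cookie, "wordpress_logged_in_[^=]+[^;]+(; )?", "");
  }

}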

Customizing 404 error page

In Varnish 3, in order to customize the error page you should customize the subroutine vcl_error.

Things change in Varnish 4: errors that occur during the backend fetch are handled in the subroutine vcl_backend_error, while errors raised from the VCL with the synth() action are rendered by creating a specific synthetic object in the subroutine vcl_synth.

The following VCL example generates a 404, served from a synthetic object, when you request the URL http://www.myservname.com:port/404. Accessing that URL triggers synth(status_code, reason).


vcl 4.0;
import std;

sub vcl_recv {
    if (req.url ~ "^/404") {
        return (synth(999, "Generate a 404 error explicitly"));
    }
}
 
sub vcl_backend_response {
}
 
sub vcl_deliver {
}
 
sub vcl_backend_error {
    set beresp.http.Content-Type = "text/html; charset=utf-8";
    synthetic( {"errors due to backend fetch"} );
    return (deliver);
}
 
sub vcl_synth {
    if (resp.status == 999) {
        set resp.status = 404;
        set resp.http.Content-Type = "text/plain; charset=utf-8";
        synthetic(std.fileread("/tmp/vcl_404_error.html"));
        return (deliver);
    }
    return (deliver);
}

Remember to create the error page in the correct path:


$ cat /tmp/vcl_404_error.html
errors due to vcl

To test the response do the following:


$ curl -D - http://www.varnishservername.com:port/
HTTP/1.1 503 Backend fetch failed
Date: Sun, 08 Feb 2015 09:26:35 GMT
Server: Varnish
Content-Type: text/html; charset=utf-8
X-Varnish: 2
Age: 0
Via: 1.1 varnish-v4
Content-Length: 27
Connection: keep-alive
 
errors due to backend fetch

$ curl -D - http://www.varnishservername.com:port/404/foo
HTTP/1.1 404 Not Found
Date: Sun, 08 Feb 2015 09:26:39 GMT
Server: Varnish
X-Varnish: 5
Content-Type: text/plain; charset=utf-8
Content-Length: 18
Connection: keep-alive
 
errors due to vcl

Configure BAN in VCL 4.0

To configure BAN, add these lines to your vcl_recv:

vcl 4.0;
import std;

sub vcl_recv {

  # Allow banning  
  if (req.method == "BAN") {
     # Same ACL check as above:
     if (!client.ip ~ purge) {
        return(synth(405, "This IP is not allowed to send BAN requests."));
     }
     ban("req.http.host == " + req.http.host + " && req.url == " + req.url);
     # Throw a synthetic page so the request won't go to the backend.
     return(synth(200, "Ban added"));
  }

}

To test it:

$ curl -v -k -H "host: www.mydomain.com" -X BAN http://varnish_server_ip/