What is best for a small VPS: Nginx cache on top of an Nginx server, or Varnish Cache on top of an Nginx server? - nginx

I am thinking of installing Varnish Cache on a small VPS. My VPS configuration is 2 CPU cores & 2 GB RAM with a 50 GB SSD.
I would like to know, on such a small VPS configuration, which would be best to install:
Varnish Cache, Nginx web server (PHP & MySQL also)
Nginx cache (for static file caching) on top of the Nginx web server along with PHP & MySQL
FYI, I also need to install SSL on all virtual hosts. As far as I know, by default Varnish doesn't work with SSL; additional things have to be installed to support SSL. So if I have to install multiple services on the server to support Varnish Cache, wouldn't it be better to use only nginx with the nginx cache, remembering that the server specs are low?
I am looking forward to an open discussion to find the best solution. Thanks in advance.

Nginx is a great webserver, but isn't a specialized reverse caching proxy. Varnish is specifically built for caching and its caching policies are far more granular.
Components
Use Hitch as your TLS proxy
Use Varnish for caching
Use Nginx as your webserver and connect to Nginx from Varnish
See https://www.varnish-software.com/developers/tutorials/terminate-tls-varnish-hitch/ for a tutorial on how to install Hitch for TLS termination.
See https://www.varnish-software.com/developers/tutorials/#installations for a list of tutorials (per platform and distribution) on how to install Varnish.
Port configuration
Configure Nginx to listen on port 8080
Configure Varnish to listen on port 80
Add an additional listening interface in Varnish on port 8443 for PROXY protocol traffic
Configure Hitch to listen on port 443
Let Hitch connect to Varnish over port 8443 via the PROXY protocol
Let Varnish connect to Nginx over port 8080 via a backend definition

Related

How can I redirect NON HTTP/NON HTTPS traffic to a specified IP with Nginx?

I have a website and some game servers.
I have a domain which I connected to Cloudflare.
I want to redirect non-HTTP/HTTPS traffic to my server IP, because when I try to connect to the server via the domain I can't, because of the Cloudflare proxy.
Maybe it can be done differently?
I use Nginx.
Cloudflare has its own SSL configuration.
There are 4 options for you:
Off: disables HTTPS completely.
Flexible: Cloudflare will automatically switch client requests from HTTP to HTTPS, but it still points to port 80 on your nginx server; you should not configure SSL on nginx in this case.
So the only options for you are Full or Full (Strict) (more restrictive about the cert configured on nginx; it must be a valid cert).
With Full you can configure your nginx with a self-signed SSL cert and let it go. Cloudflare will handle the part between the client and its proxy server.

Why run Varnish on port 80 for an HTTPS only setup?

In nearly every example I've seen for setting up Varnish with nginx and SSL support, the setup is Varnish running on port 80, nginx on port 443 for SSL termination and nginx running on another port doing the actual work communicating with the backend.
Given most websites now redirect port 80 to 443, what advantage is there in having Varnish running on port 80?
Why wouldn't you have nginx running on port 80, doing the 301 to the HTTPS version, nginx running on port 443 doing the SSL termination and proxying to Varnish, which is running on a different port, with nginx again running on another port doing the actual work?
HTTP: nginx [80] (301)
HTTPS: nginx [443] <> Varnish [6081] <> nginx [8080] <> backend
I really can't see any merit in having Varnish on port 80 front of house just to do a redirect. Unless there's some problem with redirects and the unwanted addition of port numbers to URLs? Maybe adding 3 nginx server blocks is adding "more" work to the setup, but then having to configure Varnish to redirect port 80, unless it's internal, seems like "more" work.
Bonus question: Why is Apache added to the mix in most of these setups when nginx is already in use, and vice versa? They can both handle SSL termination and proxying.
I agree with "why not":
HTTP: nginx [80] (301)
HTTPS: nginx [443] <> Varnish [6081] <> nginx [8080] <> backend
As to why:
HTTP: Varnish [80] (conditional 301, using VCL)
HTTPS: nginx [443] <> Varnish [80] <> nginx [8080] <> backend
The answer is:
legacy reasons. This is just the way to go in the "conditional HTTPS" world (where it is OK to have a website work in both HTTP and HTTPS versions, or have no HTTPS version at all), which was just a couple of years ago, before Google, as web monopolist, insisted on all websites having HTTPS or fearing poorer search rankings. It is relatively recently that Let's Encrypt allowed everyone to avail of free certificates, and the aforementioned requirement from Google made so many websites use those. The websites/tutorials for Varnish setup simply did not pick up / adjust ports, as something that doesn't strike one as needing to be adjusted.
expandability. Think outside the "single server" setup. When you decide to build a stack of Varnishes (CDN), it makes much more sense to keep the "main" Varnish on port 80. (Outside/edge Varnish instances will be talking to the main Varnish, as opposed to talking to the main backend, for a "cache of cache" sort of thing.) The traffic between edge<>main wouldn't be secure, but would have no performance penalty from encryption.
I think we can simplify a bit:
HTTPS: nginx [443] <> Varnish [6081]<> backend
Let Varnish do the caching and avoid the extra Nginx layer.
More simplification:
hitch [443] <> Varnish [6081]<> backend
Hitch: https://hitch-tls.org/
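The Hitch -> Varnish -> nginx wiring from the first answer on this page (nginx on 8080, Varnish on 80 plus a PROXY-protocol listener on 8443, Hitch on 443) and the "conditional 301, using VCL" mentioned in the answer above, as one added example VCL; it is not code from the original posts or from the Varnish project. It assumes varnishd is started with `-a :80 -a 127.0.0.1:8443,PROXY`, Hitch is configured with `backend = "[127.0.0.1]:8443"` and `write-proxy-v2 = on`, and nginx listens on 127.0.0.1:8080; the pem path and the `x-redir` header name are placeholders.

```vcl
vcl 4.1;
import std;

# Companion settings this VCL assumes (added example, not from the original post):
#   varnishd:   -a :80 -a 127.0.0.1:8443,PROXY -f /etc/varnish/default.vcl
#               (keep the PROXY listener on loopback: anything that can reach it
#                can assert an arbitrary client IP and a "port 443" origin)
#   hitch.conf: frontend = "[*]:443"
#               backend  = "[127.0.0.1]:8443"
#               write-proxy-v2 = on
#               pem-file = "/etc/hitch/example.pem"   # placeholder path
#   nginx:      server { listen 127.0.0.1:8080; ... }   # PHP & MySQL behind it

# Nginx is the only backend; Varnish never talks TLS itself.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # With PROXY v2 from Hitch, server.ip carries the port the client actually
    # hit (443). Anything else arrived on the plain port 80 listener: answer
    # with a 301 to the HTTPS URL instead of serving or caching it.
    if (std.port(server.ip) != 443) {
        set req.http.x-redir = "https://" + req.http.host + req.url;
        return (synth(301));
    }

    # Tell the origin the client connection was TLS so PHP builds https:// links
    # and marks cookies secure. Overwrite rather than trust a client-sent value.
    set req.http.X-Forwarded-Proto = "https";
    set req.http.X-Forwarded-Port = "443";
}

sub vcl_synth {
    if (resp.status == 301) {
        set resp.http.Location = req.http.x-redir;
        set resp.http.Cache-Control = "no-store";
        return (deliver);
    }
}
```

Check the syntax with `varnishd -C -f /etc/varnish/default.vcl` before reloading, and confirm with `varnishlog` that port-80 requests leave as 301 synth responses and never reach the backend.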

Jenkins service to redirect http://servername:8080 to https://servername:8080

We used http://servername:8080 when we configured Jenkins. Later we enabled SSL and made Jenkins accessible under https://servername:8080. But we want to redirect http://servername:8080 to https://servername:8080. Can you please help us here?
First of all you need to change the port for HTTPS connections, because the server cannot listen on the same port for the same protocol twice (in your case TCP port 8080).
For example, you can configure HTTPS on the default port 443.
Regarding redirection, it is actually recommended to put a reverse proxy in front of the Jenkins server. See the official documentation about running Jenkins with SSL: https://wiki.jenkins.io/pages/viewpage.action?pageId=135468777.
Here is the manual on how to configure Jenkins behind an nginx reverse proxy with HTTP to HTTPS redirection: https://wiki.jenkins.io/display/JENKINS/Jenkins+behind+an+NGinX+reverse+proxy

What is the best way to cluster Varnish?

I need to have 3 Varnish instances. I followed this guide (creating-varnish-cluster) and now I have these systems:
3 servers that have Varnish; each Varnish has a VCL like this: vcl-cluster
1 backend server that contains the application and Nginx for load balancing between the Varnish servers; Nginx config: nginx-config
But requests received by Nginx pass through Varnish, and the Varnish servers can't forward the request to the backend. When I call the backend directly it works perfectly.
How can I fix this issue? And is there any better solution for Varnish scaling? (except Varnish Plus :D)
server.identity is the hostname of the machine by default. I assume your machines are not called node1, node2 and node3, so you need to edit your VCL to reflect that.

IBM IHS Reverse Proxy Configuration

I am trying to set up a reverse proxy using IBM HTTP Server. What I want is that the user hits an HTTP URL on my reverse proxy server, which forwards the request internally to an HTTPS server.
HTTP Address <--> Reverse Proxy (IBM HTTP Server) <--> HTTPS server (https://example.com)
In my configuration I have enabled mod_proxy & mod_proxy_http and configured the ProxyPass below:
Proxypass / https://example.com
But I am unable to get it working. I am getting this error:
proxy: HTTPS: failed to enable SSL support for example.com
Can anybody help with what I might be doing wrong? I have also already loaded the module below:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Thanks
You need to specify a KeyFile and SSLProxyEngine ON.
Caveat:
However, IBM HTTP Server generally uses the WebSphere WebServer Plug-in as a WebSphere-specific HTTP reverse proxy plugin that doesn't share any of this configuration.
Most people use IBM HTTP Server because it's supported by IBM, but it's only supported by IBM when you use it in a way prescribed by a product that bundled it. That's rarely with mod_proxy.