feedback on varnish mini-book (free): overview, tips, challenges, setup checklist, resources

tloudon's picture


I created a mini-book (ie PDF) about Drupal and Varnish based on my experiences/lessons learned working on some pretty big sites.

I'm looking for feedback on it--I didn't really make it for me :) I made it in the hopes that it would be useful to the community at large; so please let me know what you think.



calebtr's picture

Very nice and thank you - I definitely learned a few things and will use this as a reference in the future.

It looks to me like neither the 4 Kitchens nor the Lullabot VCLs handle the image itok tokens introduced in Drupal 7.20.

I wouldn't mind a link or two explaining how to use nginx in front of Varnish for SSL - I know I've read about this, but it would be useful to add a link as a reference.


tloudon's picture

The main thing is that Varnish doesn't support SSL at all (ie, so no SSL handshake, no ciphers, no protocols, no SSL cert). If you haven't set up SSL before, look at this nginx config to get an idea
(this is outside of creating the cert, registering it w/ an authority, etc--I just mean the actual SSL termination config)

So you need to figure out what your environment needs, namely:

1) just SSL termination--eg, SSL encryption from the client to your load-balancer/what-have-you, but traffic from Varnish to your backend doesn't need to be encrypted. Here you can put nginx in front of Varnish, handle the SSL termination and pass a header via Varnish to the backend if needed. Something like:

2) SSL encryption all the way to the backend. Sometimes you have a situation where the backend needs to actually receive SSL b/c of SSO integration or the like. In a situation like this, you end up more w/ Varnish and nginx side-by-side: Varnish serving traffic on 80 and nginx on 443, each talking to the backend separately. Here's a link describing that kind of a set up from @gchaix -

Note 1, things can get kind of wonky if you have several servers and you are running a mixed environment (HTTP and HTTPS). In the gchaix example, they have SSL on nginx and SSL on apache; so that's 2 certs (or one cert used twice)--good to know before you buy your certs or if self-signed certs will work w/ the backend. It helps to have a diagram of the network topology on-hand when you are planning things out.

Note 2, you wouldn't have to use nginx--you could use stunnel or stud. Although I've only personally used nginx w/ Drupal and Varnish for this kind of thing.

Note 3, largely unrelated but if you are doing SSL--go SPDY if you can:

BTW WRT itok, you are right! There's a note in the comments of the Lullabot article though.

I appreciate you checking out the book and taking time to give some feedback.


gchaix's picture

Thanks for sharing this! The configs I've posted are all sadly out of date, so I'm delighted to see someone putting up more recent information.

A couple of additions:

Nginx can do a lot of this without Varnish. Originally support for Nginx cache (and more importantly cache flushing and invalidation) was a bit thin in Drupal. That's changed since I originally started posting about all this. Nginx support has become more robust and can often do the caching job on its own now. I still use both (depending on the situation), but in many cases it's possible to leverage the caching in Nginx to do it without Varnish.

ITOK - it's pretty easy to add support to the configs.

  # Tell Varnish to cache Drupal image derivatives with ?itok= introduced in Drupal 7.20.
  # Tokens are URL-safe base64, so "_" and "-" must be allowed alongside letters and digits.
  if (req.url ~ "(\?itok=)([a-zA-Z0-9_-]+)?$") {
    # Drop the session cookie so the derivative is looked up in / stored to the cache
    unset req.http.Cookie;
  }


  # Serve static assets (including image derivatives, whose ?itok= query is
  # part of $request_uri and therefore of the cache key) from the nginx cache.
  # The dot before the extension has to be escaped; the trailing query group
  # is harmless but moot, since location regexes are matched against the URI
  # without its query string.
  location ~* "\.(png|gif|jpeg|jpg|ico|swf|css|js|html|htm)(\?[a-zA-Z0-9]+)?$" {
    expires max;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_cache cache1;
    proxy_cache_key "$host$request_uri";
    proxy_cache_bypass $http_x_cache_purge;
    proxy_cache_use_stale updating;
    add_header X-Cached $upstream_cache_status;
    add_header X-Static TRUE;
    proxy_pass https://backend_secure;
  }


typhonius's picture

Another service you may wish to consider if you require SSL termination and load balancing in front of Varnish is Pound.

The configuration is incredibly simple and just requires a suitable backend and a key/cert file for termination. I use Pound as an SSL termination point and alter my implementation of vcl_hash to ensure that https requests are cached differently.
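Tying together tloudon's option 1 (a terminator such as nginx or Pound in front of Varnish, passing a header to say the request was https) and typhonius's point about hashing https requests separately, here is an added Varnish 3 VCL example; it is not from the mini-book or any poster's config, and the backend port, the terminator address and the X-Forwarded-Proto header name are assumptions:

```vcl
# Added example (not from the mini-book or any poster's config). Assumes the
# SSL terminator runs on the same host, listens on 443, proxies to Varnish
# and sets "X-Forwarded-Proto: https"; Drupal/Apache is assumed on port 8080.
backend default {
  .host = "127.0.0.1";
  .port = "8080";
}

# Only the terminator is allowed to assert that a request arrived over https.
acl terminator {
  "127.0.0.1";
}

sub vcl_recv {
  # A plain-HTTP client could send its own X-Forwarded-Proto header and be
  # served (or poison) the https variant of an object; drop the header unless
  # it came from the terminator, then normalise the value.
  if (!(client.ip ~ terminator)) {
    unset req.http.X-Forwarded-Proto;
  }
  if (!req.http.X-Forwarded-Proto) {
    set req.http.X-Forwarded-Proto = "http";
  }

  # Image derivatives carry ?itok= tokens since Drupal 7.20 (URL-safe base64:
  # letters, digits, "_" and "-"); cache them regardless of session cookies.
  if (req.url ~ "\.(png|gif|jpe?g)\?itok=[A-Za-z0-9_-]+$") {
    unset req.http.Cookie;
    return (lookup);
  }
}

sub vcl_hash {
  # Default key (URL + host) plus the scheme, so http and https responses for
  # the same path are stored and served as separate objects.
  hash_data(req.url);
  if (req.http.host) {
    hash_data(req.http.host);
  } else {
    hash_data(server.ip);
  }
  hash_data(req.http.X-Forwarded-Proto);
  return (hash);
}
```

With this, a request that reaches Varnish directly on port 80 can never be keyed as https, and the backend only ever sees X-Forwarded-Proto values Varnish has vetted.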

calebtr's picture

Excellent with the nuances!


sridharpandu's picture

Neat book. Thanks for sharing. Especially the curl commands.