Posted by tloudon on March 8, 2014 at 3:18am
Hello,
I created a mini-book (ie PDF) about Drupal and Varnish based on my experiences/lessons learned working on some pretty big sites.
I'm looking for feedback on it--I didn't really make it for me :) I made it in the hopes that it would be useful to the community at large; so please let me know what you think.
http://loudonco.com/blog/drupal-varnish-mini-book
Thanks!
Comments
Very nice and thank you - I definitely learned a few things and will use this as a reference in the future.
It looks to me like neither the 4 Kitchens nor Lullabot VCLs handle image itok tokens introduced in Drupal 7.20.
I wouldn't mind a link or two explaining how to use nginx in front of Varnish for SSL - I know I've read about this, but it would be useful to add a link as a reference.
RE:SSL
The main thing is that Varnish doesn't support SSL at all (ie, so no SSL handshake, no ciphers, no protocols, no SSL cert). If you haven't set up SSL before, look at this nginx config to get an idea http://nginx.org/en/docs/http/configuring_https_servers.html
(this is outside of creating the cert, registering it w/ an authority, etc--I just mean the actual SSL termination config)
So you need to figure out what your environment needs, namely:
1) just SSL termination--eg, SSL encryption from the client to your load-balancer/what-have-you, but traffic from Varnish to your backend doesn't need to be encrypted. Here you can put nginx in front of Varnish, handle the SSL termination and pass a header via Varnish to the backend if needed. Something like: http://mikkel.hoegh.org/blog/2012/07/24/varnish-as-reverse-proxy-with-ng...
2) SSL encryption all the way to the backend. Sometimes you have a situation where the backend needs to actually receive SSL b/c of SSO integration or the like. In a situation like this, you end up more w/ Varnish and nginx side-by-side. Varnish serving traffic on 80 and nginx on 443, each talks to the backend separately. Here's a link describing that kind of a set up from @gchaix - https://groups.drupal.org/node/62618
Note 1, things can get kind of wonky if you have several servers and you are running a mixed environment (HTTP and HTTPS). In the gchaix example, they have SSL on nginx and SSL on apache; so that's 2 certs (or one cert used twice)--good to know before you buy your certs or if self-signed certs will work w/ the backend. It helps to have a diagram of the network topology on-hand when you are planning things out.
Note 2, you wouldn't have to use nginx--you could use stunnel or stud. Although I've only personally used nginx w/ Drupal and Varnish for this kind of thing.
Note 3, largely unrelated but if you are doing SSL--go SPDY if you can: http://nginx.org/en/docs/http/ngx_http_spdy_module.html
BTW WRT itok, you are right! There's a note in the comments of the lullabot article tho http://www.lullabot.com/blog/article/configuring-varnish-high-availabili...
I appreciate you checking out the book and taking time to give some feedback.
Thanks!
Loudon & Company Consulting
Nice!
Thanks for sharing this! The configs I've posted are all sadly out of date, so I'm delighted to see someone putting up more recent information.
A couple of additions:
Nginx can do a lot of this without Varnish. Originally support for Nginx cache (and more importantly cache flushing and invalidation) was a bit thin in Drupal. That's changed since I originally started posting about all this. Nginx support has become more robust and can often do the caching job on its own now. I still use both (depending on the situation), but in many cases it's possible to leverage the caching in Nginx to do it without Varnish.
ITOK - it's pretty easy to add support to the configs.
Varnish:
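    # Tell Varnish to cache Drupal image derivatives with ?itok= introduced in Drupal 7.20
    # (goes in vcl_recv; return(lookup) is Varnish 3.x syntax).
    # itok values are URL-safe base64, so "-" and "_" are allowed as well.
    if (req.url ~ "(\?itok=)([a-zA-Z0-9_-]+)?$") {
        unset req.http.Cookie;
        return(lookup);
    }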
Nginx:
    # The dot is escaped so only real file extensions match. nginx matches
    # locations against the URI without its query string, so no query-string
    # group is needed for ?itok= URLs.
    location ~* "\.(png|gif|jpeg|jpg|ico|swf|css|js|html|htm)$" {
        expires max;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_cache cache1;
        proxy_cache_key "$host$request_uri";
        # Any client that sends an X-Cache-Purge header bypasses the cache here.
        proxy_cache_bypass $http_x_cache_purge;
        proxy_cache_use_stale updating;
        add_header X-Cached $upstream_cache_status;
        add_header X-Static TRUE;
        proxy_pass https://backend_secure;
    }
Pound
Another service you may wish to consider if you require SSL termination and load balancing in front of Varnish is Pound.
The configuration is incredibly simple and just requires a suitable backend and a key/cert file for termination. I use Pound as an SSL termination point and alter my implementation of vcl_hash to ensure that https requests are cached differently.
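An added example, not part of the comment above and not the commenter's own VCL: one way to make vcl_hash cache https requests separately when an SSL terminator (Pound, nginx, stunnel) sits in front of Varnish. It assumes Varnish 3.x syntax, a terminator on 127.0.0.1 that sets X-Forwarded-Proto: https as the nginx config in this thread does, and a hypothetical ACL name tls_terminators.

```vcl
# Added example (Varnish 3.x syntax). The ACL name and address are
# assumptions: list the hosts that actually terminate SSL for this Varnish.
acl tls_terminators {
    "127.0.0.1";
}

sub vcl_recv {
    # Trust X-Forwarded-Proto only when the connection comes from the
    # terminator. A client talking to Varnish directly on port 80 could
    # otherwise send the header itself and have its response stored
    # under the https cache key.
    if (client.ip ~ tls_terminators &&
        req.http.X-Forwarded-Proto ~ "(?i)^https$") {
        # Normalise the value so the cache has exactly two variants
        # per URL (http and https), not one per spelling.
        set req.http.X-Forwarded-Proto = "https";
    } else {
        unset req.http.X-Forwarded-Proto;
    }
    # No return here: the rest of vcl_recv / the default logic still runs.
}

sub vcl_hash {
    hash_data(req.url);
    if (req.http.host) {
        hash_data(req.http.host);
    } else {
        hash_data(server.ip);
    }
    # Separate cache objects for https, so redirects and absolute
    # http:// links generated for plain-HTTP visitors are never served
    # to https visitors, and vice versa.
    if (req.http.X-Forwarded-Proto) {
        hash_data(req.http.X-Forwarded-Proto);
    }
    return (hash);
}
```

The backend still receives the sanitised X-Forwarded-Proto header, so Drupal can use it to decide whether the original request was https.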
Excellent with the nuances!
Excellent
Neat book. Thanks for sharing. Especially the curl commands.