lightning fast with varnish
TRANSCRIPT
Lightning fast
Using Varnish to accelerate your web applications
By Thijs Feryn
Slow websites suck
Web performance is an essential part of the
user experience
Down
Slowdown ~ downtime
Hi, I’m Thijs
I’m @ThijsFeryn on Twitter
I’m an Evangelist
At
Mo moneyMo servers
Write better code
Cache
Don’t recompute if the data
hasn’t changed
How does Varnish work?
Normally
User Server
With Varnish
User Varnish Server
Why is it so good?
Smart kernel tricks
Stores HTTP output in memory*
Respects HTTP best
practices
Varnish Configuration Language
What about TLS/SSL?
Quick install
& configure
apt-get install apt-transport-https curl https://repo.varnish-cache.org/GPG-key.txt | apt-key add - echo "deb https://repo.varnish-cache.org/debian/ jessie varnish-4.1"\ >> /etc/apt/sources.list.d/varnish-cache.list apt-get update apt-get install varnish
Install on Linux (Debian)
There's stuff for Ubuntu, RHEL
& CentOS too
-a :80 \ -a :81,PROXY \ -T localhost:6082 \ -f /etc/varnish/default.vcl \ -S /etc/varnish/secret \ -s malloc,3g \ -j unix,user=myUser
Simple config
Varnish speaks HTTP
✓Idempotence ✓State ✓Expiration ✓Conditional requests ✓Cache variations
Varnish speaks HTTP
✓GET ✓HEAD -POST -PUT -PATCH -DELETE -TRACE -OPTIONS
Idempotency
Only cache GET & HEAD
✓Doesn't cache when cookies are present ✓Doesn't cache when cookies are set ✓Doesn't cache when Autorization headers are present
State
Avoids caching user-
specific contentAffects hit
rate
Expiration
Expires: Sat, 09 Sep 2017 14:30:00 GMT
Cache-control: public, max-age=3600, s-maxage=86400
Cache-control: private, no-cache, no-store
Expiration precedence
1. beresp.ttl (VCL) 2. s-maxage 3. max-age 4. expires 5. 120 seconds by default
Conditional requests
HTTP/1.1 200 OK Host: localhost Etag: 7c9d70604c6061da9bb9377d3f00eb27 Content-type: text/html; charset=UTF-8
Hello world output
GET /if_none_match.php HTTP/1.1 Host: localhost User-Agent: curl/7.48.0
Conditional requests
HTTP/1.0 304 Not Modified Host: localhost Etag: 7c9d70604c6061da9bb9377d3f00eb27
GET /if_none_match.php HTTP/1.1 Host: localhost User-Agent: curl/7.48.0 If-None-Match: 7c9d70604c6061da9bb9377d3f00eb27
Conditional requests
HTTP/1.1 200 OK Host: localhost Last-Modified: Fri, 22 Jul 2016 10:11:16 GMT Content-type: text/html; charset=UTF-8
Hello world output
GET /if_none_match.php HTTP/1.1 Host: localhost User-Agent: curl/7.48.0
Conditional requests
HTTP/1.0 304 Not Modified Host: localhost Last-Modified: Fri, 22 Jul 2016 10:11:16 GMT
GET /if_none_match.php HTTP/1.1 Host: localhost User-Agent: curl/7.48.0 If-Last-Modified: Fri, 22 Jul 2016 10:11:16 GMT
✓Hostname (or IP) ✓URL
Cache variations
Identify object in
cache
Cache variationsGET / HTTP/1.1 Host: localhost Accept-Language: nl
HTTP/1.1 200 OK Host: localhost Vary: Accept-Language
Hallo, deze pagina is in het Nederlands geschreven.
Built-in VCL cheat sheet
✓Only GET & HEAD ✓No Cookie ✓No Authorization
Built-in VCL (frontend)
Lookup in cache
Otherwise pass and don't
cache
✓No Set-Cookie ✓TTL > 0 ✓No "no-cache", "private", "no-store"
Built-in VCL (backend)
Store in cacheOtherwise
blacklist for 120s
The actual VCL code
sub vcl_recv { if (req.method == "PRI") { /* We do not support SPDY or HTTP/2.0 */ return (synth(405)); } if (req.method != "GET" && req.method != "HEAD" && req.method != "PUT" && req.method != "POST" && req.method != "TRACE" && req.method != "OPTIONS" && req.method != "DELETE") { /* Non-RFC2616 or CONNECT which is weird. */ return (pipe); }
if (req.method != "GET" && req.method != "HEAD") { /* We only deal with GET and HEAD by default */ return (pass); } if (req.http.Authorization || req.http.Cookie) { /* Not cacheable by default */ return (pass); } return (hash); }
sub vcl_pipe { # By default Connection: close is set on all piped requests, to stop # connection reuse from sending future requests directly to the # (potentially) wrong backend. If you do want this to happen, you can undo # it here. # unset bereq.http.connection; return (pipe); }
sub vcl_pass { return (fetch); }
sub vcl_hash { hash_data(req.url); if (req.http.host) { hash_data(req.http.host); } else { hash_data(server.ip); } return (lookup); }
sub vcl_purge { return (synth(200, "Purged")); }
sub vcl_hit { if (obj.ttl >= 0s) { // A pure unadultered hit, deliver it return (deliver); } if (obj.ttl + obj.grace > 0s) { // Object is in grace, deliver it // Automatically triggers a background fetch return (deliver); } // fetch & deliver once we get the result return (miss); }
sub vcl_miss { return (fetch); }
sub vcl_deliver { return (deliver); }
sub vcl_backend_fetch { return (fetch); }
sub vcl_backend_response { if (beresp.ttl <= 0s || beresp.http.Set-Cookie || beresp.http.Surrogate-control ~ "no-store" || (!beresp.http.Surrogate-Control && beresp.http.Cache-Control ~ "no-cache|no-store|private") || beresp.http.Vary == "*") { /* * Mark as "Hit-For-Pass" for the next 2 minutes */ set beresp.ttl = 120s; set beresp.uncacheable = true; } return (deliver); }
Reality sucks
Cache-control ?
Legacy
Write VCL
Normalize
vcl 4.0;import std;
sub vcl_recv { set req.http.Host = regsub(req.http.Host, ":[0-9]+", "");
set req.url = std.querysort(req.url);
if (req.url ~ "\#") { set req.url = regsub(req.url, "\#.*$", ""); }
if (req.url ~ "\?$") { set req.url = regsub(req.url, "\?$", ""); }
if (req.restarts == 0) { if (req.http.Accept-Encoding) { if (req.http.User-Agent ~ "MSIE 6") { unset req.http.Accept-Encoding; } elsif (req.http.Accept-Encoding ~ "gzip") { set req.http.Accept-Encoding = "gzip"; } elsif (req.http.Accept-Encoding ~ "deflate") { set req.http.Accept-Encoding = "deflate"; } else { unset req.http.Accept-Encoding; } } }}
sub vcl_recv { if (req.url ~ "^/status\.php$" || req.url ~ "^/update\.php$" || req.url ~ "^/admin$" || req.url ~ "^/admin/.*$" || req.url ~ "^/user$" || req.url ~ "^/user/.*$" || req.url ~ "^/flag/.*$" || req.url ~ "^.*/ajax/.*$" || req.url ~ "^.*/ahah/.*$") { return (pass); }}
URL blacklist
sub vcl_recv { if (req.url ~ "^/products/?" return (hash); }}
URL whitelist
Cookies
vcl 4.0;
sub vcl_recv { set req.http.Cookie = regsuball(req.http.Cookie, "has_js=[^;]+(; )?", ""); set req.http.Cookie = regsuball(req.http.Cookie, "__utm.=[^;]+(; )?", ""); set req.http.Cookie = regsuball(req.http.Cookie, "_ga=[^;]+(; )?", ""); set req.http.Cookie = regsuball(req.http.Cookie, "_gat=[^;]+(; )?", ""); set req.http.Cookie = regsuball(req.http.Cookie, "utmctr=[^;]+(; )?", ""); set req.http.Cookie = regsuball(req.http.Cookie, "utmcmd.=[^;]+(; )?", ""); set req.http.Cookie = regsuball(req.http.Cookie, "utmccn.=[^;]+(; )?", ""); set req.http.Cookie = regsuball(req.http.Cookie, "__gads=[^;]+(; )?", ""); set req.http.Cookie = regsuball(req.http.Cookie, "__qc.=[^;]+(; )?", ""); set req.http.Cookie = regsuball(req.http.Cookie, "__atuv.=[^;]+(; )?", ""); set req.http.Cookie = regsuball(req.http.Cookie, "^;\s*", "");
if (req.http.cookie ~ "^\s*$") { unset req.http.cookie; }}
Remove tracking cookies
vcl 4.0;
sub vcl_recv { if (req.http.Cookie) { set req.http.Cookie = ";" + req.http.Cookie; set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";"); set req.http.Cookie = regsuball(req.http.Cookie, ";(PHPSESSID)=", "; \1="); set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", ""); set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
if (req.http.cookie ~ "^\s*$") { unset req.http.cookie; } }}
Only keep session cookie
sub vcl_recv { if (req.http.Cookie) { set req.http.Cookie = ";" + req.http.Cookie; set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";"); set req.http.Cookie = regsuball(req.http.Cookie, ";(language)=", "; \1="); set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", ""); set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
if (req.http.cookie ~ "^\s*$") { unset req.http.cookie; return(pass); }
return(hash); }}
sub vcl_hash { hash_data(regsub( req.http.Cookie, "^.*language=([^;]*);*.*$", "\1" ));}
Language cookie cache variation
Alternative language cache
variation
sub vcl_hash { hash_data(req.http.Accept-Language);}
HTTP/1.1 200 OK Host: localhost Vary: Accept-Language
Hash language
Or just use
Cookie guidelines
✓Don't throw everything in a session ✓Use dedicated cookies ✓Strip off tracking cookies in VCL ✓Match cookies in VCL & make decisions ✓Perform cache variations on cookie values ✓Only use session cookies when you really have to ✓Use JWT to store session state client-side
Cookie guidelines
Block caching
Code renders
single HTTP response
Lowest denominator:
no cache
<esi:include src="/header" />
Edge Side Includes
✓Placeholder ✓Parsed by Varnish ✓Output is a composition of blocks ✓State per block ✓TTL per block
sub vcl_recv { set req.http.Surrogate-Capability = "key=ESI/1.0";}
sub vcl_backend_response { if (beresp.http.Surrogate-Control ~ "ESI/1.0") { unset beresp.http.Surrogate-Control; set beresp.do_esi = true; }}
Edge Side Includes
ESI vs
AJAX
<esi:include src="/header" />
Choose wisely
<hx:include src="/header"></hx:include>
ESI, parsed by Varnish
HInclude, parsed by Javascript
Breaking news isn't breaking
Purging
acl purge { "localhost"; "127.0.0.1"; "::1";}
sub vcl_recv { if (req.method == "PURGE") { if (!client.ip ~ purge) { return (synth(405, “Not allowed.”)); } return (purge); }}
Purging
acl purge { "localhost"; "127.0.0.1"; "::1";}
sub vcl_backend_response { set beresp.http.x-url = bereq.url; set beresp.http.x-host = bereq.http.host; }
sub vcl_deliver { unset resp.http.x-url; unset resp.http.x-host; }
sub vcl_recv { if (req.method == "PURGE") { if (!client.ip ~ purge) { return (synth(405, "Not allowed")); } if(req.http.x-purge-regex) { ban("obj.http.x-host == " + req.http.host + " && obj.http.x-url ~ " + req.http.x-purge-regex); } else { ban("obj.http.x-host == " + req.http.host + " && obj.http.x-url == " + req.url); } return (synth(200, "Purged")); }}
Banning
Banningcurl -XPURGE "http://example.com/products"
curl -XPURGE -H "x-purge-regex:/products" \ "http://example.com"
varnishadm> ban obj.http.x-host == example.com && obj.http.x-url ~ ^/product/[0-9]+/details
Want more?
VMODs
Write less VCL
Write more code
https://twitter.com/thijsferyn
https://instagram.com/thijsferyn
https://blog.feryn.eu
https://talks.feryn.eu
https://youtube.com/thijsferyn
https://soundcloud.com/thijsferyn
http://itunes.feryn.eu