# Introduction
Apache is one of the most popular web servers in the world and lets you host one or more websites on the internet. If your website is hosted on an Apache web server and is suffering from slow speed, you can boost it by configuring a Varnish caching server.
Varnish is an open-source caching and reverse proxy HTTP accelerator that reduces the time it takes to serve content to a user. It caches responses from a website in memory, so all future requests for the same content can be served without having to retrieve it from the web server. It is very useful for dynamic web applications. Varnish cache can speed up delivery by a factor of 300 to 1000x, depending on your architecture.
In this post, we will show you how to install and use Varnish to improve your Apache web server performance. We will also show you how to add HTTPS support to Varnish.
# Requirements
- A server running Ubuntu 20.04 operating system.
- A root password is set up on your server.
# Install Varnish
By default, the Varnish package is included in the Ubuntu default repository. You can install it using the following command:
apt-get install varnish -y
Once Varnish is installed, you can verify its version with the following command:
varnishd -V
Output:
varnishd (varnish-6.2.1 revision 9f8588e4ab785244e06c3446fe09bf9db5dd8753)
Copyright (c) 2006 Verdens Gang AS
Copyright (c) 2006-2019 Varnish Software AS
Next, you will need to configure Varnish to use your Apache backend. You can do it by editing the file /etc/varnish/default.vcl:
nano /etc/varnish/default.vcl
Change the following lines:
backend default {
.host = "127.0.0.1";
.port = "8080";
}
Save and close the file.
Where:
- host is the IP address of your Apache web server.
- port is the listening port of your Apache web server.
# Configure Varnish
By default, Varnish listens on port 6081, so you will need to set it to listen on the default HTTP port 80. You can do this by editing the varnish.service file:
nano /lib/systemd/system/varnish.service
Change the default port 6081 to port 80 as shown below:
[Unit]
Description=Varnish HTTP accelerator
Documentation=https://www.varnish-cache.org/docs/4.1/ man:varnishd
[Service]
Type=simple
LimitNOFILE=131072
LimitMEMLOCK=82000
ExecStart=/usr/sbin/varnishd -j unix,user=vcache -F -a :80 -T localhost:6082 -f /etc/varnish/default.vcl -S /etc/varnish/secret -s malloc,256M
ExecReload=/usr/share/varnish/varnishreload
ProtectSystem=full
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
Save and close the file. Then, reload the systemd daemon and restart the Varnish cache service with the following commands:
systemctl daemon-reload
systemctl restart varnish
You can also check the status of the Varnish service with the following command:
systemctl status varnish
Output:
● varnish.service - Varnish HTTP accelerator
Loaded: loaded (/lib/systemd/system/varnish.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2021-09-18 05:59:18 UTC; 4s ago
Docs: https://www.varnish-cache.org/docs/6.1/
man:varnishd
Main PID: 7005 (varnishd)
Tasks: 217 (limit: 2353)
Memory: 10.7M
CGroup: /system.slice/varnish.service
├─7005 /usr/sbin/varnishd -j unix,user=vcache -F -a :80 -T localhost:6082 -f /etc/varnish/default.vcl -S /etc/varnish/secret -s m>
└─7029 /usr/sbin/varnishd -j unix,user=vcache -F -a :80 -T localhost:6082 -f /etc/varnish/default.vcl -S /etc/varnish/secret -s m>
Sep 18 05:59:18 ubuntu2004 systemd[1]: Started Varnish HTTP accelerator.
# Install and Configure Apache
Next, you will need to install the Apache webserver and configure it to listen on port 8080.
First, install the Apache package with the following command:
apt-get install apache2 -y
Once Apache is installed, change the default Apache port from 80 to 8080. You can do this by editing the /etc/apache2/ports.conf file:
nano /etc/apache2/ports.conf
Change the Listen line so that it reads:
Listen 8080
Save and close the file, then edit the Apache default virtual host file:
nano /etc/apache2/sites-available/000-default.conf
Find the following line:
<VirtualHost *:80>
And replace it with the following line:
<VirtualHost *:8080>
Then, add the following line inside the virtual host block:
ServerName mydomain.com
Save and close the file, then restart the Apache service to apply the changes:
systemctl restart apache2
You can now verify the Apache listening port using the following command:
ss -antpl | grep apache2
You should see the following output:
LISTEN 0 511 *:8080 *:* users:(("apache2",pid=8495,fd=4),("apache2",pid=8494,fd=4),("apache2",pid=8493,fd=4))
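The `*:8080` in that output means Apache accepts connections on every interface, so unless a firewall blocks the port, clients can reach the backend without passing through Varnish. The following is an added example, not part of the original article, that reports listeners on chosen ports that are not bound to loopback; the function name `exposed_listeners` and the sample lines are constructed for illustration.

```bash
# Added example: flag listeners on the given ports that are not loopback-only.
# Reads `ss -ntl` lines on stdin, prints each exposed Local Address:Port,
# and returns 1 if any was found (0 otherwise).
exposed_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)       # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)   # text before the last colon
            if (!(port in want)) next
            if (host ~ /^127\./ || host == "[::1]") next
            print $4; found = 1
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed sample modelled on the ss output above: Apache backend on 8080,
# Varnish on 80, Varnish admin interface (-T localhost:6082) on loopback.
SAMPLE='LISTEN 0 511 *:8080 *:* users:(("apache2",pid=8495,fd=4))
LISTEN 0 1024 *:80 *:* users:(("varnishd",pid=7005,fd=3))
LISTEN 0 10 127.0.0.1:6082 0.0.0.0:* users:(("varnishd",pid=7005,fd=8))'

# 8080 (backend) and 6082 (admin) should only be reachable locally.
printf '%s\n' "$SAMPLE" | exposed_listeners 8080 6082 \
    || echo "listener(s) above accept connections from other hosts"
```

On a live server, feed it real data with `ss -ntl | exposed_listeners 8080 6082`.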
# Generate Let's Encrypt SSL Certificate
Next, you will need to install the Certbot client package to obtain a free Let's Encrypt SSL certificate. You can install it using the following command:
apt-get install python3-certbot-apache -y
Once the Certbot package is installed, run the following command to download the Let's Encrypt SSL certificates:
certbot --apache -d mydomain.com
You will be asked to provide your email and accept the terms of service as shown below:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): hitjethva1981@gmail.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Next, select whether or not to redirect HTTP traffic to HTTPS as shown below:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Type 1 and hit Enter to download the Let's Encrypt SSL certificate for your website:
Enabled Apache rewrite module
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://mydomain.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mydomain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mydomain.com/privkey.pem
Your cert will expire on 2021-04-17. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The above command will save the SSL certificate and chain at /etc/letsencrypt/live/mydomain.com/fullchain.pem and the key file at /etc/letsencrypt/live/mydomain.com/privkey.pem.
# Enable SSL Support on Apache
At this point, the Let's Encrypt SSL certificates are ready for use. Now, you will need to configure your Apache server to use those certificates:
nano /etc/apache2/sites-available/000-default.conf
Add the following lines at the end of the file:
<VirtualHost *:443>
RequestHeader set X-Forwarded-Proto "https"
ServerName mydomain.com
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:80/
ProxyPassReverse / http://127.0.0.1:80/
</VirtualHost>
Save and close the file, then enable the required modules with the following commands:
a2enmod ssl
a2enmod rewrite
a2enmod headers
a2enmod proxy
a2enmod proxy_balancer
a2enmod proxy_http
Finally, restart the Apache service to apply the changes:
systemctl restart apache2
# Test Varnish
You can test your Varnish cache server using the curl command as shown below:
curl -I https://mydomain.com
Or
curl -I http://mydomain.com
If everything is fine, you should see the following output:
HTTP/1.1 200 OK
Date: Sat, 18 Sep 2021 06:02:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 18 Sep 2021 05:59:51 GMT
Vary: Accept-Encoding
Content-Type: text/html
X-Varnish: 32770 3
Age: 5
Via: 1.1 varnish (Varnish/6.2)
ETag: W/"2aa6-5cc3ec18fc7f0-gzip"
Accept-Ranges: bytes
Content-Length: 10918
Connection: keep-alive
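How to read those headers, as an added example that is not part of the original article: Varnish puts two transaction IDs in `X-Varnish` when the response was served from cache and one when it was fetched from the backend, and `Age` is the number of seconds the object has been cached. The function below goes slightly beyond the text by also flagging a cache hit that carries `Set-Cookie`, since that would mean a cookie was cached and is being replayed to every visitor; the function name `cache_status` and both sample responses are constructed.

```bash
# Added example: classify a response from its headers (stdin, as printed by
# `curl -sI`). Prints MISS, "HIT age=N", "HIT-WITH-SET-COOKIE age=N", or
# NOT-VARNISH when no X-Varnish header is present.
cache_status() {
    tr -d '\r' | awk '
        tolower($1) == "x-varnish:"  { ids = NF - 1 }    # 1 id = miss, 2 ids = hit
        tolower($1) == "age:"        { age = $2 + 0 }    # seconds spent in cache
        tolower($1) == "set-cookie:" { cookie = 1 }
        END {
            if (ids < 1)       print "NOT-VARNISH"
            else if (ids == 1) print "MISS"
            else if (cookie)   print "HIT-WITH-SET-COOKIE age=" (age + 0)
            else               print "HIT age=" (age + 0)
        }'
}

# Constructed samples: the first reuses header values from the output above,
# the second is what a first, uncached request would look like.
HIT_SAMPLE='HTTP/1.1 200 OK
X-Varnish: 32770 3
Age: 5
Via: 1.1 varnish (Varnish/6.2)'
MISS_SAMPLE='HTTP/1.1 200 OK
X-Varnish: 32772
Age: 0
Via: 1.1 varnish (Varnish/6.2)'

printf '%s\n' "$HIT_SAMPLE"  | cache_status
printf '%s\n' "$MISS_SAMPLE" | cache_status
```

Against the live site, run `curl -sI http://mydomain.com | cache_status` twice in a row and compare the two results.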
You can also use the varnishlog command to view the Varnish log:
varnishlog
You should get the following output:
* << BeReq >> 6
- Begin bereq 5 fetch
- VCL_use boot
- Timestamp Start: 1631944963.528974 0.000000 0.000000
- BereqMethod GET
- BereqURL /
- BereqProtocol HTTP/1.1
- BereqHeader Host: 45.58.46.33
- BereqHeader Upgrade-Insecure-Requests: 1
- BereqHeader User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
- BereqHeader Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
# Conclusion
That's it for now. You have successfully installed and configured Varnish with Apache and SSL termination. I hope this setup will dramatically increase your website performance.