SnapShooter Learning Center

How to Setup Varnish Cache with Apache and SSL Termination

Simon Bennett
Last Updated: Sep 28, 2021

# Introduction

Apache is one of the most popular web servers in the world and lets you host one or more websites on the internet. If your website is hosted on Apache and is slow, you can speed it up by putting a Varnish caching server in front of it.

Varnish is an open-source caching reverse proxy and HTTP accelerator that reduces the time it takes to serve content to a user. It caches responses from a website in memory, so future requests for the same content can be served without having to retrieve it from the web server. It is very useful for dynamic web applications. Varnish cache can speed up delivery by a factor of 300–1000x, depending on your architecture.

In this post, we will show you how to install and use Varnish to improve your Apache web server performance. We will also show you how to add HTTPS support to Varnish.


# Requirements

  • A server running Ubuntu 20.04 operating system.
  • A root password is set up on your server.

# Install Varnish

By default, the Varnish package is included in the Ubuntu default repository. You can install it using the following command:

apt-get install varnish -y

Once Varnish is installed, you can verify the Varnish version with the following command:

varnishd -V

Output:

varnishd (varnish-6.2.1 revision 9f8588e4ab785244e06c3446fe09bf9db5dd8753)
Copyright (c) 2006 Verdens Gang AS
Copyright (c) 2006-2019 Varnish Software AS

Next, you will need to configure Varnish to use your Apache backend. You can do it by editing the file /etc/varnish/default.vcl:

nano /etc/varnish/default.vcl

Change the following lines:

backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

Save and close the file.

Where:

  • host is the IP address of your Apache web server.
  • port is the listening port of your Apache web server.

# Configure Varnish

By default, Varnish listens on port 6081, so you will need to set Varnish to listen on the default HTTP port 80. You can do this by editing the varnish.service file:

nano /lib/systemd/system/varnish.service

Change the default port 6081 to port 80 as shown below:

[Unit]
Description=Varnish HTTP accelerator
Documentation=https://www.varnish-cache.org/docs/4.1/ man:varnishd

[Service]
Type=simple
LimitNOFILE=131072
LimitMEMLOCK=82000
ExecStart=/usr/sbin/varnishd -j unix,user=vcache -F -a :80 -T localhost:6082 -f /etc/varnish/default.vcl -S /etc/varnish/secret -s malloc,256M
ExecReload=/usr/share/varnish/varnishreload
ProtectSystem=full
ProtectHome=true
PrivateTmp=true
PrivateDevices=true

[Install]
WantedBy=multi-user.target

Save and close the file. Then, reload the systemd daemon and restart the Varnish cache service with the following commands:

systemctl daemon-reload
systemctl restart varnish

You can also check the status of the Varnish service with the following command:

systemctl status varnish

Output:

โ— varnish.service - Varnish HTTP accelerator
     Loaded: loaded (/lib/systemd/system/varnish.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2021-09-18 05:59:18 UTC; 4s ago
       Docs: https://www.varnish-cache.org/docs/6.1/
             man:varnishd
   Main PID: 7005 (varnishd)
      Tasks: 217 (limit: 2353)
     Memory: 10.7M
     CGroup: /system.slice/varnish.service
             ├─7005 /usr/sbin/varnishd -j unix,user=vcache -F -a :80 -T localhost:6082 -f /etc/varnish/default.vcl -S /etc/varnish/secret -s m>
             └─7029 /usr/sbin/varnishd -j unix,user=vcache -F -a :80 -T localhost:6082 -f /etc/varnish/default.vcl -S /etc/varnish/secret -s m>

Sep 18 05:59:18 ubuntu2004 systemd[1]: Started Varnish HTTP accelerator.

# Install and Configure Apache

Next, you will need to install the Apache webserver and configure it to listen on port 8080.

First, install the Apache package with the following command:

apt-get install apache2 -y

Once Apache is installed, change the Apache default port from 80 to 8080. You can do this by editing the /etc/apache2/ports.conf file:

nano /etc/apache2/ports.conf

Change the following line:

Listen 8080

Save and close the file, then edit the Apache default virtual host file:

nano /etc/apache2/sites-available/000-default.conf 

Find the following line:

<VirtualHost *:80>

And replace it with the following line:

<VirtualHost *:8080>

Then, add the following line inside your virtual host block:

ServerName mydomain.com

Save and close the file, then restart the Apache service to apply the changes:

systemctl restart apache2

You can now verify the Apache listening port using the following command:

ss -antpl | grep apache2

You should see the following output:

LISTEN    0         511                      *:8080                   *:*        users:(("apache2",pid=8495,fd=4),("apache2",pid=8494,fd=4),("apache2",pid=8493,fd=4))
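In the output above Apache is bound to `*:8080`, so the backend also answers on every interface and can be reached without going through Varnish. The following check is an added example, not part of the original article: it reads `ss -ltn`-style lines and reports internal ports (8080 for the Apache backend, 6082 for the Varnish `-T` admin interface) that are not bound to loopback. The function name and the sample lines are constructed for illustration.

```shell
# Added example: flag internal listeners reachable from outside the host.
# Internal ports in this tutorial's layout:
#   8080 = Apache backend, 6082 = Varnish admin (-T localhost:6082)
INTERNAL_PORTS="8080 6082"

# Reads `ss -ltn`-style lines on stdin and prints
# "EXPOSED <address> <port>" for each internal port not bound to loopback.
audit_listeners() {
    awk -v ports="$INTERNAL_PORTS" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) internal[p[i]] = 1
        }
        $1 == "LISTEN" {
            port = $4; sub(/^.*:/, "", port)      # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)   # text before the last colon
            if (!(port in internal)) next          # public ports (80, 443) are expected
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: fine
            print "EXPOSED", addr, port
        }'
}

# Constructed sample input; the first line is the listener shown above, shortened.
SAMPLE_SS='LISTEN 0 511 *:8080 *:* users:(("apache2",pid=8495,fd=4))
LISTEN 0 1024 0.0.0.0:80 0.0.0.0:*
LISTEN 0 10 127.0.0.1:6082 0.0.0.0:*
LISTEN 0 511 *:443 *:*'

printf '%s\n' "$SAMPLE_SS" | audit_listeners

# On a live server:  ss -ltn | audit_listeners
```

If port 8080 is reported, changing the directive in /etc/apache2/ports.conf to `Listen 127.0.0.1:8080` keeps the backend reachable only through Varnish, which already connects to 127.0.0.1.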

# Generate Let's Encrypt SSL Certificate

Next, you will need to install the Certbot client package to download Let's Encrypt free SSL. You can install it using the following command:

apt-get install python3-certbot-apache -y

Once the Certbot package is installed, run the following command to download the Let's Encrypt SSL certificates:

certbot --apache -d mydomain.com

You will be asked to provide your email and accept the terms of service as shown below:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): hitjethva1981@gmail.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges

Next, select whether or not to redirect HTTP traffic to HTTPS as shown below:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

Type 1 and hit Enter to download the Let's Encrypt SSL certificate for your website:

Enabled Apache rewrite module
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://mydomain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydomain.com/privkey.pem
   Your cert will expire on 2021-04-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The above command saves the SSL certificate at /etc/letsencrypt/live/mydomain.com/fullchain.pem and the private key at /etc/letsencrypt/live/mydomain.com/privkey.pem.


# Enable SSL Support on Apache

At this point, the Let's Encrypt SSL certificates are ready for use. Now, you will need to configure your Apache server to use those certificates:

nano /etc/apache2/sites-available/000-default.conf

Add the following lines at the end of the file:

<VirtualHost *:443>
    RequestHeader set X-Forwarded-Proto "https"
    ServerName mydomain.com

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem

    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:80/
    ProxyPassReverse / http://127.0.0.1:80/
</VirtualHost>

Save and close the file, then enable the required modules with the following commands:

a2enmod ssl
a2enmod rewrite
a2enmod headers
a2enmod proxy
a2enmod proxy_balancer
a2enmod proxy_http

Finally, restart the Apache service to apply the changes:

systemctl restart apache2

# Test Varnish

You can test your Varnish Cache server using the curl command as shown below:

curl -I https://mydomain.com

Or

curl -I http://mydomain.com

If everything is fine, you should see the following output:

HTTP/1.1 200 OK
Date: Sat, 18 Sep 2021 06:02:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 18 Sep 2021 05:59:51 GMT
Vary: Accept-Encoding
Content-Type: text/html
X-Varnish: 32770 3
Age: 5
Via: 1.1 varnish (Varnish/6.2)
ETag: W/"2aa6-5cc3ec18fc7f0-gzip"
Accept-Ranges: bytes
Content-Length: 10918
Connection: keep-alive
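In the headers above, `X-Varnish: 32770 3` holds two IDs: the ID of this request and the ID of the earlier request that stored the object, which together with a non-zero `Age` marks a cache hit. A single ID means the response was fetched from the backend, and a missing `X-Varnish` header means the response did not pass through Varnish at all. The following helper is an added example, not part of the original article; the function name and the miss and bypass samples are constructed.

```shell
# Added example: classify a response from its headers (e.g. `curl -sI` output).
# Prints "hit <age>", "miss", or "bypass" (no X-Varnish header present).
varnish_status() {
    tr -d '\r' | awk '
        { name = tolower($1) }                       # header names are case-insensitive
        name == "x-varnish:" { seen = 1; ids = NF - 1 }
        name == "age:"       { age = $2 }
        END {
            if (!seen)         print "bypass"
            else if (ids >= 2) print "hit " (age == "" ? 0 : age)
            else               print "miss"
        }'
}

# Headers taken from the output shown above (cache hit).
HIT_SAMPLE='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Varnish: 32770 3
Age: 5
Via: 1.1 varnish (Varnish/6.2)'

# Constructed sample: first request for an object, fetched from the backend.
MISS_SAMPLE='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Varnish: 32772
Age: 0
Via: 1.1 varnish (Varnish/6.2)'

# Constructed sample: response that never passed through Varnish.
BYPASS_SAMPLE='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html'

printf '%s\n' "$HIT_SAMPLE"    | varnish_status
printf '%s\n' "$MISS_SAMPLE"   | varnish_status
printf '%s\n' "$BYPASS_SAMPLE" | varnish_status

# On a live server:  curl -sI https://mydomain.com | varnish_status
```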

You can also test the Varnish cache with the varnishlog command, which displays the Varnish log:

varnishlog

You should get the following output:

*   << BeReq    >> 6         
-   Begin          bereq 5 fetch
-   VCL_use        boot
-   Timestamp      Start: 1631944963.528974 0.000000 0.000000
-   BereqMethod    GET
-   BereqURL       /
-   BereqProtocol  HTTP/1.1
-   BereqHeader    Host: 45.58.46.33
-   BereqHeader    Upgrade-Insecure-Requests: 1
-   BereqHeader    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
-   BereqHeader    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

# Conclusion

That's it for now. You have successfully installed and configured Varnish with Apache and SSL termination. I hope this setup will dramatically increase your website performance.

