How to Setup Varnish Cache with Apache and SSL Termination

Introduction

Apache is one of the most popular web servers in the world and lets you host one or more websites on the internet. If your website is hosted on an Apache web server and is suffering from slow response times, you can speed it up by configuring a Varnish caching server.

Varnish is an open-source caching and reverse proxy HTTP accelerator that reduces the time it takes to serve content to a user. It caches responses from a website in memory, so future requests for the same content can be served without retrieving it from the web server. It is very useful for dynamic web applications. Varnish Cache can speed up delivery by a factor of 300 – 1000x, depending on your architecture.

In this post, we will show you how to install and use Varnish to improve your Apache web server performance. We will also show you how to add HTTPS support to Varnish.

Requirements

  • A server running Ubuntu 20.04 operating system.

  • A root password is set up on your server.

Install Varnish

By default, the Varnish package is included in the Ubuntu default repository. You can install it using the following command:

apt-get install varnish -y

Once Varnish is installed, you can verify the Varnish version with the following command:

varnishd -V

Output:

varnishd (varnish-6.2.1 revision 9f8588e4ab785244e06c3446fe09bf9db5dd8753)
Copyright (c) 2006 Verdens Gang AS
Copyright (c) 2006-2019 Varnish Software AS

Next, you will need to configure Varnish to use your Apache backend. You can do it by editing the file /etc/varnish/default.vcl:

nano /etc/varnish/default.vcl

Change the backend definition as shown below:

backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

Save and close the file.

Where:

  • host is the IP address of your Apache web server.

  • port is the listening port of your Apache web server.

Configure Varnish

By default, Varnish listens on port 6081, so you will need to set it to listen on the default HTTP port 80. You can do this by editing the varnish.service file:

nano /lib/systemd/system/varnish.service

Change the default port 6081 to port 80 as shown below:

[Unit]
Description=Varnish HTTP accelerator
Documentation=https://www.varnish-cache.org/docs/4.1/ man:varnishd

[Service]
Type=simple
LimitNOFILE=131072
LimitMEMLOCK=82000
ExecStart=/usr/sbin/varnishd -j unix,user=vcache -F -a :80 -T localhost:6082 -f /etc/varnish/default.vcl -S /etc/varnish/secret -s malloc,256M
ExecReload=/usr/share/varnish/varnishreload
ProtectSystem=full
ProtectHome=true
PrivateTmp=true
PrivateDevices=true

[Install]
WantedBy=multi-user.target

Save and close the file. Then reload the systemd daemon and restart the Varnish cache service with the following commands:

systemctl daemon-reload
systemctl restart varnish

You can also check the status of the Varnish service with the following command:

systemctl status varnish

Output:

varnish.service - Varnish HTTP accelerator
     Loaded: loaded (/lib/systemd/system/varnish.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2021-09-18 05:59:18 UTC; 4s ago
       Docs: https://www.varnish-cache.org/docs/6.1/
             man:varnishd
   Main PID: 7005 (varnishd)
      Tasks: 217 (limit: 2353)
     Memory: 10.7M
     CGroup: /system.slice/varnish.service
             ├─7005 /usr/sbin/varnishd -j unix,user=vcache -F -a :80 -T localhost:6082 -f /etc/varnish/default.vcl -S /etc/varnish/secret -s m>
             └─7029 /usr/sbin/varnishd -j unix,user=vcache -F -a :80 -T localhost:6082 -f /etc/varnish/default.vcl -S /etc/varnish/secret -s m>

Sep 18 05:59:18 ubuntu2004 systemd[1]: Started Varnish HTTP accelerator.

Install and Configure Apache

Next, you will need to install the Apache web server and configure it to listen on port 8080.

First, install the Apache package with the following command:

apt-get install apache2 -y

Once Apache is installed, change the Apache default port from 80 to 8080 by editing the /etc/apache2/ports.conf file:

nano /etc/apache2/ports.conf

Change the Listen directive as shown below:

Listen 8080

Save and close the file, then edit the Apache default virtual host file:

nano /etc/apache2/sites-available/000-default.conf

Find the following line:

<VirtualHost *:80>

And replace it with the following line:

<VirtualHost *:8080>

Then, add the following line inside the VirtualHost block:

ServerName mydomain.com

Save and close the file, then restart the Apache service to apply the changes:

systemctl restart apache2

You can now verify the Apache listening port using the following command:

ss -antpl | grep apache2

You should see the following output:

LISTEN 0 511 *:8080 *:* users:(("apache2",pid=8495,fd=4),("apache2",pid=8494,fd=4),("apache2",pid=8493,fd=4))
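The *:8080 in this output means Apache accepts connections on every interface, so any client that can reach port 8080 talks to the backend directly instead of going through Varnish. The check below is an added example, not part of the original article; it assumes the port roles used in this tutorial (8080 for the Apache backend and 6082 for the Varnish admin interface should be loopback-only), and the names audit_listeners and sample_ss are hypothetical.

```shell
#!/bin/sh
# Added example: audit listeners for the layout used in this tutorial.
# Assumption: 8080 (Apache backend) and 6082 (Varnish admin) should only be
# reachable via loopback; 80 and 443 are the intended public ports.

# Reads `ss -ntl`-style lines on stdin, prints "<verdict> <port> <bind-address>".
audit_listeners() {
    awk -v internal="8080 6082" '
    BEGIN { n = split(internal, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
        addr = $4
        port = addr; sub(/^.*:/, "", port)      # text after the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (!(port in want)) next               # public ports are not judged
        verdict = "EXPOSED"
        if (host ~ /^127\./ || host == "[::1]" || host == "localhost") verdict = "OK"
        print verdict, port, host
    }'
}

# Constructed sample input (not captured from a real host).
sample_ss() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    *:8080             *:*
LISTEN 0      1024   0.0.0.0:80         0.0.0.0:*
LISTEN 0      10     127.0.0.1:6082     0.0.0.0:*
LISTEN 0      511    *:443              *:*
EOF
}

sample_ss | audit_listeners
```

On a real host, pipe the output of ss -ntl into audit_listeners. An EXPOSED line for 8080 goes away once the Listen directive in /etc/apache2/ports.conf reads Listen 127.0.0.1:8080 and Apache is restarted.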

Generate Let's Encrypt SSL Certificate

Next, you will need to install the Certbot client package to obtain a free Let's Encrypt SSL certificate. You can install it using the following command:

apt-get install python3-certbot-apache -y

Once the Certbot package is installed, run the following command to download the Let's Encrypt SSL certificates:

certbot --apache -d mydomain.com

You will be asked to provide your email and accept the terms of service as shown below:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): hitjethva1981@gmail.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges

Next, select whether or not to redirect HTTP traffic to HTTPS as shown below:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

Type 1 and hit Enter to download the Let's Encrypt SSL certificate for your website:

Enabled Apache rewrite module

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://mydomain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydomain.com/privkey.pem
   Your cert will expire on 2021-04-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The above command saves the certificate and chain at /etc/letsencrypt/live/mydomain.com/fullchain.pem and the private key at /etc/letsencrypt/live/mydomain.com/privkey.pem.

Enable SSL Support on Apache

At this point, the Let's Encrypt SSL certificates are ready for use. Now, you will need to configure your Apache server to use those certificates:

nano /etc/apache2/sites-available/000-default.conf

Add the following lines at the end of the file:

<VirtualHost *:443>
    RequestHeader set X-Forwarded-Proto "https"
    ServerName mydomain.com

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem

    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:80/
    ProxyPassReverse / http://127.0.0.1:80/
</VirtualHost>

Save and close the file, then enable the required modules with the following commands:

a2enmod ssl
a2enmod rewrite
a2enmod headers
a2enmod proxy
a2enmod proxy_balancer
a2enmod proxy_http

Finally, restart the Apache service to apply the changes:

systemctl restart apache2

Test Varnish

You can test your Varnish Cache server using the curl command as shown below:

curl -I https://mydomain.com

Or

curl -I http://mydomain.com

If everything is fine, you should see the following output:

HTTP/1.1 200 OK
Date: Sat, 18 Sep 2021 06:02:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 18 Sep 2021 05:59:51 GMT
Vary: Accept-Encoding
Content-Type: text/html
X-Varnish: 32770 3
Age: 5
Via: 1.1 varnish (Varnish/6.2)
ETag: W/"2aa6-5cc3ec18fc7f0-gzip"
Accept-Ranges: bytes
Content-Length: 10918
Connection: keep-alive
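In the response above, the Via header shows the request passed through Varnish, and the two numbers in X-Varnish together with a non-zero Age indicate the object was served from cache. The function below is an added example, not part of the original article, that makes this check repeatable; the verdict labels and function names are this example's own, and it assumes that a cached response carrying Set-Cookie deserves review because a shared cache would hand the same cookie to different clients.

```shell
#!/bin/sh
# Added example: classify a response from the headers `curl -sI` prints.
# Output: NOT-VARNISH, "MISS age=N", "HIT age=N" or "HIT-WITH-COOKIE age=N".
varnish_verdict() {
    tr -d '\r' | awk '
    { name = tolower($1) }
    name == "x-varnish:"  { ids = NF - 1 }  # one ID = fetched, two IDs = served from cache
    name == "age:"        { age = $2 + 0 }
    name == "via:"        { if (tolower($0) ~ /varnish/) via = 1 }
    name == "set-cookie:" { cookie = 1 }
    END {
        if (!via || !ids) { print "NOT-VARNISH"; exit }
        verdict = "MISS"
        if (ids >= 2) verdict = cookie ? "HIT-WITH-COOKIE" : "HIT"
        print verdict " age=" (age + 0)
    }'
}

# Headers taken from the sample response shown in this article.
sample_hit() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'X-Varnish: 32770 3' 'Age: 5' \
        'Via: 1.1 varnish (Varnish/6.2)'
}
# Constructed samples: a first fetch, a cached response with a cookie,
# and a response that did not pass through Varnish at all.
sample_miss() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'X-Varnish: 32772' 'Age: 0' \
        'Via: 1.1 varnish (Varnish/6.2)'
}
sample_cookie_hit() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'Set-Cookie: sid=constructed' \
        'X-Varnish: 32775 32773' 'Age: 12' 'Via: 1.1 varnish (Varnish/6.2)'
}
sample_direct() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache/2.4.41 (Ubuntu)'
}

for s in sample_hit sample_miss sample_cookie_hit sample_direct; do
    printf '%s: %s\n' "$s" "$("$s" | varnish_verdict)"
done
```

Against a live site, run curl -sI https://mydomain.com and pipe the output into varnish_verdict; the first request for a page normally reports MISS and a repeat reports HIT.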

You can also use the varnishlog command to view the Varnish log:

varnishlog

You should get the following output:

*   << BeReq    >> 6
-   Begin          bereq 5 fetch
-   VCL_use        boot
-   Timestamp      Start: 1631944963.528974 0.000000 0.000000
-   BereqMethod    GET
-   BereqURL       /
-   BereqProtocol  HTTP/1.1
-   BereqHeader    Host: 45.58.46.33
-   BereqHeader    Upgrade-Insecure-Requests: 1
-   BereqHeader    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
-   BereqHeader    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Conclusion

That's it for now. You have successfully installed and configured Varnish with Apache and SSL termination. I hope this setup will dramatically increase your website performance.

