Commit c09887ae authored Nov 07, 2013 by Poul-Henning Kamp
Trains are good for writing documentation :-)
parent 23c608f7
Showing 2 changed files with 94 additions and 43 deletions
doc/sphinx/users-guide/command-line.rst: +83 -35
doc/sphinx/users-guide/run_security.rst: +11 -8
doc/sphinx/users-guide/command-line.rst
@@ -3,46 +3,94 @@
...
@@ -3,46 +3,94 @@
Typical command line options
Typical command line options
----------------------------
----------------------------
On a modern Linux distro the various options that are used when
If you run Varnish out of a package for your operating system,
starting up Varnish are stored in /etc/default/varnish (Debian, Ubuntu) or
you will find the default options here:
/etc/sysconfig/varnish (Red Hat, Centos).
There are quite a few options you can tweak but most of you will only
* Debian, Ubuntu: /etc/default/varnish
need to change a few them.
* Red Hat, Centos: /etc/sysconfig/varnish
* FreeBSD: /etc/rc.conf (See also: /usr/local/etc/rc.d/varnishd)
The
typical command line options you want to change are
:
The
re some command line options you will simply have choose values for
:
-a *listen_address*
-a *listen_address*
What address should Varnish listen to. The default is to listen to
^^^^^^^^^^^^^^^^^^^
all IP adresses and stick to port 80. ":80" will ask Varnish to
listen to all adresses, both IPv4 and IPv6 and is probably a
What address should Varnish listen to and service HTTP requests on.
sensible thing.
You will most likely want to set this to ":80" which is the Well
-f *config file*
Known Port for HTTP.
The -f options specifies what VCL file Varnish should use as the default.
You can specify multiple addresses separated by a comma, and you
-s *storage options*
can use numeric or host/service names as you like, varnish will try
to open and service as many of them as possible, but if none of them
This is probably the most important one. The default is to use
can be opened, varnishd will not start.
the memory storage backend and to allocate a small amount of
memory. On a small site this might suffice. If you have dedicated
Here are some examples::
Varnish Cache server you most definitivly want to increase
the memory allocated or consider another backend.
-a :80
Please note that in addition to the memory allocated by the
-a localhost:80
storage engine itself Varnish also has internal data structures
-a 192.168.1.100:8080
that consume memory. More or less 1kb per object.
-a '[fe80::1]:80'
See also :ref:`guide-storage`.
-a '0.0.0.0:8080,[::]:8081'
-T *listen address*
If your webserver runs on the same computer, you will have to move
Varnish has a built-in text-based administration
it to another port number first.
interface. Activating the interface makes Varnish manageble
without stopping it. You can specify what interface the
-f *VCL-file* or -b *backend*
management interface should listen to. Make sure you don't expose
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
the management interface to the world as you can easily gain root
access to a system via the Varnish management interface. I
Varnish needs to know where to find the HTTP server it is caching for.
recommend tieing it to localhost. If you have users on your
You can either specify it with -b and use the default VCL code, or you
system that you don't fully trust, use firewall rules to restrict
can put it in your own VCL file.
access to the interface to root only.
Using -b is a quick way to get started::
-b localhost:81
-b thatotherserver.example.com:80
-b 192.168.1.2:80
Notice that if you specify a name, it can at most resolve to one IPv4
*and* one IPv6 address.
If you go with -f, you can start with a VCL file containing just::
backend default {
.host = "localhost:81";
}
which is exactly what -b does.
-s *storage-options*
^^^^^^^^^^^^^^^^^^^^
This is probably the most important one. The default is to use
the memory storage backend and to allocate a small amount of
memory. On a small site this might suffice. If you have dedicated
Varnish Cache server you most definitivly want to increase
the memory allocated or consider another backend.
Please note that in addition to the memory allocated by the
storage engine itself Varnish also has internal data structures
that consume memory. More or less 1kb per object.
See also :ref:`guide-storage`.
-T *CLI-listen-address*
^^^^^^^^^^^^^^^^^^^^^^^
Varnish has a built-in text-based administration
interface. Activating the interface makes Varnish manageble
without stopping it. You can specify what interface the
management interface should listen to. Make sure you don't expose
the management interface to the world as you can easily gain root
access to a system via the Varnish management interface. I
recommend tieing it to localhost. If you have users on your
system that you don't fully trust, use firewall rules to restrict
access to the interface to root only.
-S *CLI-secret-file*
^^^^^^^^^^^^^^^^^^^^
This file stores a secret you must know, in order to get
access to the CLI.
For a complete list of the command line parameters please see
For a complete list of the command line parameters please see
:ref:`ref-varnishd-options`.
:ref:`ref-varnishd-options`.
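Review bot: the new lead-in sentence on the + side, "There are some command line options you will simply have choose values for", is missing "to" ("have to choose values for"), and the spelling errors carried over from the old text survive in the new -s and -T sections ("definitivly", "manageble", "tieing"). Separately, the -T section still points readers only at localhost binding and firewall rules and never mentions the -S secret file that the section directly below it introduces; one sentence in the -T text referring to -S, plus a :ref: (the form this file already uses for :ref:`guide-storage`) to the run_security chapter this same commit edits, would tie the three together.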
doc/sphinx/users-guide/run_security.rst
@@ -80,14 +80,17 @@ and give remote users access via a secure connection to the local
...
@@ -80,14 +80,17 @@ and give remote users access via a secure connection to the local
machine (ssh, VPN, etc. etc.)
machine (ssh, VPN, etc. etc.)
It is also possible to configure varnishd for "reverse mode", using
It is also possible to configure varnishd for "reverse mode", using
the '-M' argument,
the '-M' argument. In that case varnishd will attempt to open a
TCP connection to the specified address, and initiate a CLI connection
In this case varnishd will attempt to open a TCP connection to the
to your central varnish management facility.
specified address, and initiate a CLI connection on it.
The connection is also in this case without secrecy, but if configured
The connection is also in this case without secrecy, but if configured
the remote end must still satisfy -S/PSK authentication.
the remote end must still satisfy -S/PSK authentication.
Finally, if you run varnishd with the '-d' option, you get a CLI
command on stdin/stdout, but since you started the process, it
would be hard to prevent you getting CLI access, wouldn't it ?
Parameters
Parameters
^^^^^^^^^^
^^^^^^^^^^
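Review bot: the new '-d' paragraph says you get "a CLI command on stdin/stdout", while the rest of this section consistently says "CLI connection"; suggest "you get a CLI connection on stdin/stdout", and drop the space before the question mark in "wouldn't it ?". The reworded -M sentence is clearer than the old one but loses the "on it" from the old text; "initiate a CLI connection on it to your central varnish management facility" keeps the point that the CLI rides on the TCP connection varnishd opened outbound, which is what the following paragraph's "also in this case without secrecy" refers to.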
@@ -130,7 +133,7 @@ We do not currently have a way to restrict specific CLI commands
...
@@ -130,7 +133,7 @@ We do not currently have a way to restrict specific CLI commands
to specific CLI connections. One way to get such an effect is to
to specific CLI connections. One way to get such an effect is to
"wrap" all CLI access in pre-approved scripts which use varnishadm(1)
"wrap" all CLI access in pre-approved scripts which use varnishadm(1)
to submit the sanitized CLI commands, and restrict a remote user
to submit the sanitized CLI commands, and restrict a remote user
to only those scripts
in
sshd(8)'s configuration.
to only those scripts
, for instance using
sshd(8)'s configuration.
VCL programs
VCL programs
------------
------------
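Review bot: ", for instance using sshd(8)'s configuration" is a useful concrete pointer, but since the sentence is about restricting a remote user to pre-approved wrapper scripts, naming the actual mechanism (ForceCommand in sshd_config, or a command= restriction on the key in authorized_keys, both documented in sshd(8)) would save the reader a search and make clear that the restriction must be enforced by sshd, not by the scripts themselves.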
@@ -151,7 +154,7 @@ lower the privilege of a child process...
...
@@ -151,7 +154,7 @@ lower the privilege of a child process...
Inline-C is disabled by default starting with Varnish 4, so unless
Inline-C is disabled by default starting with Varnish 4, so unless
you enable it, you don't have to worry about it.
you enable it, you don't have to worry about it.
The param
s mentioned above can restrict VMOD
so they can only
The param
eters mentioned above can restrict VMOD,
so they can only
be imported from a designated directory, restricting VCL wranglers
be imported from a designated directory, restricting VCL wranglers
to a pre-approved subset of VMODs.
to a pre-approved subset of VMODs.
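Review bot: "can restrict VMOD, so they can only be imported" mixes singular and plural; the old text's "VMODs" agrees with "they" and with "subset of VMODs" two lines later. Suggest "The parameters mentioned above can restrict VMODs, so they can only be imported from a designated directory".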
@@ -171,7 +174,7 @@ to do exactly stupid things to them, including opening youself up
...
@@ -171,7 +174,7 @@ to do exactly stupid things to them, including opening youself up
to various kinds of attacks and subversive activities.
to various kinds of attacks and subversive activities.
If you have "administrative" HTTP requests, for instance PURGE
If you have "administrative" HTTP requests, for instance PURGE
requests, we
recommend that you restrict them to trusted IP
requests, we
strongly recommend that you restrict them to trusted
numbers/nets using VCL's Access Control Lists.
IP
numbers/nets using VCL's Access Control Lists.
(XXX: missing ref to ACL)
(XXX: missing ref to ACL)
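Review bot: the "(XXX: missing ref to ACL)" placeholder is left untouched by this hunk and will render verbatim in the users guide; upgrading the wording to "strongly recommend" makes the missing reference more conspicuous, not less. command-line.rst in this same commit uses :ref:`guide-storage` for cross-references, so the same form pointing at the ACL section (or, if that section does not exist yet, a plain mention of the VCL ``acl`` construct the sentence is describing) would close this out.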