Why is Varnish Cache neat? Who am I? Per Buer CTO @ Varnish


SLIDE 1

Why is Varnish Cache neat?

SLIDE 2

Who am I?

  • Per Buer
  • CTO @ Varnish Software
  • Programmer
  • Sysadmin

SLIDE 3

Varnish Software

  • We sell Varnish Plus
  • Products (clustering, scalability, etc)
  • Support
  • Custom development
  • Other software built on Varnish

SLIDE 4

What is Varnish?

Client -> Varnish -> Web server

  • Cache it?
  • Transform it?
  • Reject?
  • Auth? Authz?

SLIDE 5

Q: Why do we cache?
 A: <40µs TTFB (vs 40ms)

SLIDE 6

Design

  • An HTTP server with HTTP backend
  • Threaded architecture
  • Logs to shared memory - weird, right?

SLIDE 7

VCL

  • Varnish Configuration Language
  • Gets compiled into binary code (.so), loaded and run

SLIDE 8
SLIDE 9

Varnish doesn’t support purging of content …

  • out of the box

SLIDE 10
SLIDE 11

Purging content (1/2)

sub vcl_recv {
    # No access control yet: every client can purge
    if (req.method == "PURGE") {
        return (purge);
    }
}

SLIDE 12

Purging content (2/2)

# Clients that are allowed to purge
acl purge {
    "localhost";
    "192.168.55.0"/24;
}

sub vcl_recv {
    if (req.method == "PURGE") {
        # Reject PURGE from any address outside the ACL
        if (!client.ip ~ purge) {
            return (synth(405, "Not allowed."));
        }
        return (purge);
    }
}

SLIDE 13

Adding a “feature” to Varnish

SLIDE 14

Throttling hot linking

  • Hotlinking is unlawfully using resources from other servers in your own content
  • In this example we put a cap on the number of times per minute this can happen
  • Leverages a VMOD - “vsthrottle” to add throttling

SLIDE 15

import vsthrottle;
(..)
if (req.url ~ "^/assets/" &&
    req.http.referer !~ "^http://www.example.com/" &&
    vsthrottle.is_denied(req.url, 10, 60s)) {
    # More than 10 hotlinked requests for this URL within 60 seconds
    return (synth(403, "Hotlinking prohibited"));
}

SLIDE 16

Things you should know

  • Varnish will not cache content requested with cookies
  • Solution: Strip the cookie
  • Tip: The cookie VMOD makes this easy

SLIDE 17

import cookie;

sub vcl_recv {
    cookie.parse("cookie1=value1; cookie2=value2");
    cookie.filter_except("cookie1");
    // get_string() will now yield
    // "cookie1=value1;"
}

SLIDE 18

More things to know

  • Set-Cookie headers deactivate caching
  • Solution: Remove Set-Cookie or fix the backend
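
An added example, not from the original slides: one way to apply the cookie advice from this slide and the two before it in VCL. The backend address, the use of /assets/ as the cookie-free path and the cookie name "sessionid" are assumptions.

```vcl
vcl 4.0;

import cookie;

# Assumption: placeholder origin server, replace with the real backend.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    if (req.url ~ "^/assets/") {
        # Static files do not depend on the visitor: drop all cookies
        # so the request is eligible for a cache lookup.
        unset req.http.Cookie;
    } else if (req.http.Cookie) {
        # Elsewhere keep only the cookie the application needs
        # ("sessionid" is an assumed name) and drop everything else.
        cookie.parse(req.http.Cookie);
        cookie.filter_except("sessionid");
        set req.http.Cookie = cookie.get_string();
        if (req.http.Cookie == "") {
            # Nothing left after filtering: treat as a cookie-free request.
            unset req.http.Cookie;
        }
    }
}

sub vcl_backend_response {
    if (bereq.url ~ "^/assets/") {
        # A Set-Cookie header makes the response uncacheable. Remove it
        # only on paths that are identical for every visitor: a cached
        # Set-Cookie would hand one visitor's cookie to everyone else.
        unset beresp.http.Set-Cookie;
    }
}
```

Requests that still carry sessionid are passed to the backend by the built-in vcl_recv, so only cookie-free requests are answered from the cache.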

SLIDE 19

Grace mode

SLIDE 20

Grace mode

  • Allows Varnish to serve outdated content if new content isn’t available
  • Content will be refreshed asynchronously from the backend, increasing performance

SLIDE 21

sub vcl_backend_response {
    # Keep objects for 2 minutes past their TTL so they can be served stale
    set beresp.grace = 2m;
}

SLIDE 22

Opening the hood

SLIDE 23

sub vcl_hit {
    if (obj.ttl >= 0s) {
        // A pure unadulterated hit, deliver it
        return (deliver);
    }
    if (obj.ttl + obj.grace > 0s) {
        // Object is in grace, deliver it
        // Automatically triggers a background fetch
        return (deliver);
    }
    // fetch & deliver once we get the result
    return (fetch);
}

SLIDE 24

Modifying grace semantics

SLIDE 25

import std;

sub vcl_hit {
    if (obj.ttl >= 0s) {
        // A pure unadulterated hit, deliver it
        return (deliver);
    }
    if (!std.healthy(req.backend_hint) && (obj.ttl + obj.grace > 0s)) {
        // Backend is sick and the object is in grace, deliver the stale copy
        return (deliver);
    }
    // fetch & deliver once we get the result
    return (fetch);
}

SLIDE 26

A couple of things you might wonder about…

SLIDE 27

What’s beresp?

  • req is the request object - use in vcl_recv
  • bereq is the backend request object - use in vcl_backend_fetch
  • beresp is the backend response - use in vcl_backend_response
  • resp is the response object - use in vcl_deliver
  • obj is the original object in memory - use in vcl_hit
  • “man(7) vcl” for details

SLIDE 28

The state machine

SLIDE 29

[Diagram: the VCL state machine, with the states receive, hit, miss, backend fetch, backend response, backend error, deliver and synth]

SLIDE 30

What about tuning?

SLIDE 31

Quick guide to tuning

  • On Linux
  • Up somaxconn and tcp_max_syn_backlog
  • Don’t mess with tcp_tw_recycle
  • Be aware of workspaces
  • Don’t do connection tracking
  • Up the threads - 1req/sec per thread

SLIDE 32

Bonus content

SLIDE 33

Redirection

sub vcl_synth {
    # 750 is an internal marker status, rewritten to a real 301 here
    if (resp.status == 750) {
        set resp.http.Location = "http://" + req.http.host + req.url;
        set resp.status = 301;
        return (deliver);
    }
}

SLIDE 34

# invoking a redirection
sub vcl_recv {
    if (req.http.host == "dev.example.com") {
        if (req.url ~ "^/archives/") {
            # regsub() leaves req.url unchanged unless it starts with /old/
            set req.url = regsub(req.url, "^/old/(.*)", "/archive/\1");
            set req.http.host = "example.com";
            return (synth(750, "Moved permanently"));
        }
    }
}

SLIDE 35

Ideas not covered in this talk

  • shared memory logging in Varnish
  • bans: asynchronous filter expressions to mass-invalidate based on arbitrary input
  • “soft bans”: invalidate object but retain in memory
  • auth/authz in VCL - cryptography
  • playing with hashing vs Vary

SLIDE 36

[Diagram labels: zoo, baz, bar, foo; service directory]

SLIDE 37

[Diagram labels: quux, zoo, baz, bar, foo; varnish]

SLIDE 38

Thanks!

@perbu @varnishcache