Varnish is an open source “web accelerator” which you can use to speed up your website.
The traditional guides will tell you to move your web server to another port (perhaps 81 or 8080) or to bind it to localhost only, then configure Varnish to listen on port 80 and use the web server as its backend, i.e. the server to which Varnish forwards the requests it does not find in its cache.
This is the “normal” configuration and it works fine, but sometimes you just want to run a quick test, or perhaps you are using a control panel such as cPanel, Kloxo or ISPConfig, and in my experience changing the standard listening ports of Apache is not a decision to be taken lightly with these tools.
So in a VPS (with Kloxo) I’ve used a different approach: iptables.
In my approach I’ve left the webserver (Apache for me) sitting on port 80, so no change at all on this side.
I’ve configured Varnish to listen on port 8080 and set Apache on port 80 as its backend.
I started Varnish and, as expected, browsing to port 8080 I saw the site correctly (served by Apache).
Then some iptables “magic”: every request that arrives on port 80 of the server is silently redirected to port 8080, so Varnish becomes the front-end server with no change at all to the Apache configuration.
How to do it
As you have probably guessed, the only “trick” is to use one of the many iptables features. iptables is a user-space application that configures the tables provided by the Linux kernel firewall; in particular I’ve used the nat table, with the PREROUTING chain and the REDIRECT target.
From the iptables man page:
This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).
So as soon as a packet enters the “firewall”, iptables checks whether its destination port is 80; if so, it applies an action, in my case REDIRECT, and the packet is redirected to port 8080 where Varnish is listening.
Iptables Rules and Alias
To add the rule that redirects all traffic from port 80 to 8080, open a terminal as root and run:
# iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
If you want to remove Varnish as front-end server, simply delete that rule with:
# iptables -t nat -D PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
To check whether the redirect is active, just ask iptables with:
# iptables -L -t nat
If you see a line like the following, the redirect is active; if there is nothing in the output, it is inactive.
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
But there is an easier way to use these commands: as root, just add these 3 aliases to your ~/.bashrc file:
alias varnishon='iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080'
alias varnishoff='iptables -t nat -D PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080'
alias varnishstatus='if iptables -L -t nat | grep -q 8080; then echo "Varnish On"; else echo "Varnish Off"; fi'
And now you can turn Varnish on and off with just one command.
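The three aliases wrapped into a small control script, added here as an example (it is not code from the original post). It keeps the article's interface, ports and chain, and adds two things the aliases lack: `on` checks with `iptables -C` before appending, so repeated runs do not stack duplicate rules that a single `off` would leave behind; and `status` matches the exact REDIRECT line rather than any occurrence of "8080" anywhere in the nat table. The function names, the variable names and the environment override for IFACE are my own choices; eth0 is assumed as in the article.

```shell
#!/bin/sh
# Added example, not from the original post: a control script that wraps the
# varnishon / varnishoff / varnishstatus aliases with two fixes.
#  1. "on" is idempotent: it tests for the rule with `iptables -C` before adding
#     it, so running it twice never stacks duplicate REDIRECT rules (the alias
#     appends a new copy on every run, and varnishoff deletes only one of them).
#  2. "status" matches the exact REDIRECT line instead of any "8080" in the table.
# Interface and ports follow the article; IFACE=eth0 is an assumption, override
# it via the environment if your interface is named differently.

IFACE="${IFACE:-eth0}"
FROM_PORT="${FROM_PORT:-80}"
TO_PORT="${TO_PORT:-8080}"

# Match/target part of the rule, shared by -A (append), -D (delete), -C (check).
rule_spec() {
    printf '%s' "-i $IFACE -p tcp -m tcp --dport $FROM_PORT -j REDIRECT --to-ports $TO_PORT"
}

# Regex that identifies our rule in `iptables -t nat -L PREROUTING -n` output.
redirect_pattern() {
    printf '%s' "^REDIRECT .*tcp dpt:$FROM_PORT redir ports $TO_PORT"
}

# Reads an iptables listing on stdin; returns 0 if the redirect line is present.
# Pure text processing, so it can be exercised without root or iptables.
listing_has_redirect() {
    grep -q "$(redirect_pattern)"
}

# Ask the kernel whether the rule is loaded (needs root). The unquoted
# $(rule_spec) is intentional: it must split into separate arguments.
rule_present() {
    iptables -t nat -C PREROUTING $(rule_spec) 2>/dev/null
}

varnish_on() {
    rule_present || iptables -t nat -A PREROUTING $(rule_spec)
}

varnish_off() {
    # Loop so that duplicate copies added by hand are all removed.
    while rule_present; do
        iptables -t nat -D PREROUTING $(rule_spec)
    done
}

varnish_status() {
    # -n avoids reverse DNS lookups on the addresses in the listing.
    if iptables -t nat -L PREROUTING -n | listing_has_redirect; then
        echo "Varnish On"
    else
        echo "Varnish Off"
    fi
}

case "${1:-}" in
    on)     varnish_on ;;
    off)    varnish_off ;;
    status) varnish_status ;;
    "")     ;;  # sourced or run without an argument: only define the functions
    *)      echo "usage: $0 on|off|status" >&2; exit 2 ;;
esac
```

Run it as root with `on`, `off` or `status`. Two caveats apply to the aliases as well: the rule lives only in the running kernel and is gone after a reboot unless you persist it (with iptables-save or your distribution's own mechanism), and PREROUTING only sees packets that arrive on eth0, so a request made from the server itself (for example curl against localhost) goes through the OUTPUT chain and still reaches Apache directly; check the redirect from another host.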
I haven’t benchmarked how much worse this configuration performs compared to a traditional setup; probably not much, since iptables is a kernel service and is really light. Still, if you have a site with a lot of traffic, use this configuration only to test Varnish, and if you like it, do a traditional installation.