Reputation: 321
I've not used Varnish before but I need to install it on our Magento site to help speed things up.
I've found lots of articles on how to set up Varnish on Centos 7, PHP-FPM etc but none that runs with CentOS7, Nginx, PHP-FPM AND SSL. As I understand it, Varnish doesn't natively work with SSL so you need to do some Nginx jiggery-pokery to get things working. This is also a multi-store Magento site so that adds another layer of complication.
Does anybody have any information to help with this?
Upvotes: 1
Views: 1570
Reputation: 657
I will show you my own Nginx config files to make this work. This is Debian 9 not CentOS 7, but Nginx should work in the same way.
If someone has a better configuration, or advice, I will listen carefully... I am a Magento dev not a system admin. I have a lot to learn about Nginx & Varnish.
Here, Varnish is listening on port 6081.
/etc/nginx/sites-available/proxy.website.com
## HTTPS termination & Varnish proxy
server {
    server_name en.website.com fr.website.com es.website.com de.website.com;
    listen 443 ssl http2;
    access_log /var/www/log/varnish-proxy.log;
    error_log /var/www/log/varnish-proxy.error.log;
    include /etc/nginx/conf/ssl.conf;
    keepalive_timeout 300s;
    location / {
        #BYPASS VARNISH
        #proxy_pass http://127.0.0.1:611;
        #VARNISH ENABLED
        proxy_pass http://127.0.0.1:6081;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Secure on;
        proxy_set_header X-Magento-Debug 1;
    }
}
/etc/nginx/sites-available/website.com
upstream fastcgi_backend { # USE YOUR OWN CONFIG HERE
    # use tcp connection
    # server 127.0.0.1:9000;
    # or socket
    server unix:/var/run/php7.1-fpm.sock;
}
map $http_host $MAGE_RUN_CODE_GLOBAL { # USE YOUR OWN CONFIG HERE
    en.website.com en;
    fr.website.com fr;
    es.website.com es;
    de.website.com de;
}
# Redirect to https
server {
    server_name en.website.com fr.website.com es.website.com de.website.com;
    listen 80;
    location ~ /.well-known {
        allow all;
    }
    # A server-level "return" runs before location matching and would also
    # redirect /.well-known, so the redirect sits in its own location.
    location / {
        return 301 https://$http_host$request_uri;
    }
}
# Magento backend (Varnish forwards to this port)
server {
    server_name _;
    # "listen 611;" binds every interface; 127.0.0.1:611 keeps it local
    listen 611;
    set $MAGE_ROOT /var/www/magento;
    # developer mode shows detailed errors; use production on a live store
    set $MAGE_MODE developer;
    set $MAGE_RUN_TYPE store;
    set $MAGE_RUN_CODE $MAGE_RUN_CODE_GLOBAL;
    set $HTTPS_FORWARD on;
    set $FPM_USER www-data;
    access_log /var/www/log/website.com.access.log;
    error_log /var/www/log/website.com.error.log error;
    include /var/www/magento/nginx.conf.sample;
}
sudo ln -s /etc/nginx/sites-available/proxy.website.com /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/website.com /etc/nginx/sites-enabled/
-t will test your configuration files, -s reload will reload the Nginx config without interrupting the service:
nginx -t && nginx -s reload
EDIT :
Edit Varnish startup config :
CentOS 6: /etc/sysconfig/varnish
CentOS 7: /etc/varnish/varnish.params
Debian/Ubuntu: /etc/default/varnish
...
## Alternative 2, Configuration with VCL
DAEMON_OPTS="-a :6081 \
-T localhost:6082 \
-f /etc/varnish/default.vcl \
-S /etc/varnish/secret \
-s malloc,1024m \
-p workspace_backend=256 \
-p http_resp_hdr_len=42000"
...
In Magento admin:
Set Stores > Configuration > Advanced > System > Full Page Cache > Caching Application to Varnish Cache
Now click on the new "Varnish Configuration" field
Set Access list and Backend host to localhost. I don't know what the other options are.
Save configuration changes
Click Export VCL according to your Varnish version
Upload the Magento VCL
Back up the default Varnish VCL /etc/varnish/default.vcl to /etc/varnish/default.vcl.bkp
Put the Magento VCL in a new /etc/varnish/default.vcl file.
Edit the first lines:
vcl 4.0;
import std;
backend default {
    .host = "127.0.0.1";
    .port = "404";
}
backend mywebsite {
    .host = "127.0.0.1";
    .port = "611";
}
acl purge {
    "localhost";
}
sub vcl_recv {
    if (req.http.host ~ "website.com") {
        set req.backend_hint = mywebsite;
    } else {
        set req.backend_hint = default;
    }
    ...
Sometimes, you will have to handle special cases like disabling Varnish for some URLs.
Go to your /etc/varnish/default.vcl and edit it as you need. It's quite obscure the first time you see the VCL, but in the end it's not that hard to understand.
Or edit your Varnish proxy this way:
## HTTPS termination & Varnish proxy
server {
    ...
    location ^~ /sitemap {
        #BYPASS VARNISH
        proxy_pass http://127.0.0.1:611;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Secure on;
    }
    ...
}
Upvotes: 2
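Added example, not part of the original answer: in the configuration above, `listen 611;` and `-a :6081` bind to every interface, so unless a firewall blocks those ports the Magento backend and Varnish answer in cleartext without passing through the TLS proxy. The function below reads `ss -ltn` output and lists the answer's internal ports (611, 6081, 6082) that listen on a non-loopback address; the function name and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Ports that should only be reachable from the local TLS proxy
# (from the answer: Magento backend, Varnish HTTP, Varnish admin).
INTERNAL_PORTS="611 6081 6082"

# Reads `ss -ltn` output on stdin and prints "port address" for every
# internal port that is listening on a non-loopback address.
# (Hypothetical helper name, not part of Nginx, Varnish or Magento.)
exposed_internal_ports() {
    awk -v ports="$INTERNAL_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)      # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)  # text before the last colon
            if ((port in want) && addr !~ /^127\./ && addr != "[::1]")
                print port, addr
        }'
}

# Constructed sample of `ss -ltn` output for the setup in the answer.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      511          0.0.0.0:611       0.0.0.0:*
LISTEN 0      1024         0.0.0.0:6081      0.0.0.0:*
LISTEN 0      1024            [::]:6081         [::]:*
LISTEN 0      10         127.0.0.1:6082      0.0.0.0:*'

# On a live host: ss -ltn | exposed_internal_ports
printf '%s\n' "$SAMPLE_SS" | exposed_internal_ports
```

To close the gap, bind the backend with `listen 127.0.0.1:611;` in Nginx and use `-a 127.0.0.1:6081` in DAEMON_OPTS, then run the check again.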