LastMonday

Patching varnish 4.0.3 and port configuration

I am helping an IT department update their current Drupal website and assisting in updating their RedHat webserver. My Linux user account does not have many permissions outside of editing my home folder and the Apache docroot. I have been asked to help patch their current instance of Varnish 4.0.3 by following the instructions in this patch https://varnish-cache.org/security/VSV00001.html#vsv00001. I have to ask their sysadmin to do most things on the server since my account does not have access to most commands.

I asked the sysadmin to set the vcc_allow_inline parameter to true using the instructions in the patch documentation. Here is the full command they ran:

/opt/rh/rh-varnish4/root/usr/sbin/varnishd -pvcc_allow_inline_c=true -b www-test-cms:80

and now the website is not resolving correctly. Prior to touching Varnish, Drupal was running with Varnish on port 81:

127.0.0.1:81

Here is what the current module settings look like: Drupal Varnish module IP settings

And here is the output of netstat before and after.

Before

[root@www-test-cms ~]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:10050           0.0.0.0:*               LISTEN      1775/zabbix_agentd
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      1786/php-fpm: maste
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN      1762/memcached
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      117531/varnishd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1794/httpd
tcp        0      0 127.0.0.1:81            0.0.0.0:*               LISTEN      117530/varnishd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1772/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2302/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1794/httpd
tcp6       0      0 :::10050                :::*                    LISTEN      1775/zabbix_agentd
tcp6       0      0 :::33060                :::*                    LISTEN      2096/mysqld
tcp6       0      0 :::3306                 :::*                    LISTEN      2096/mysqld
tcp6       0      0 :::11211                :::*                    LISTEN      1762/memcached
tcp6       0      0 :::80                   :::*                    LISTEN      117531/varnishd
tcp6       0      0 :::6556                 :::*                    LISTEN      1763/xinetd

After

[root@www-test-cms ~]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      1761/php-fpm: maste
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN      1777/memcached
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6004/varnishd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1779/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1780/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2292/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1779/httpd
tcp        0      0 0.0.0.0:10050           0.0.0.0:*               LISTEN      1767/zabbix_agentd
tcp        0      0 127.0.0.1:35588         0.0.0.0:*               LISTEN      6003/varnishd
tcp6       0      0 :::3306                 :::*                    LISTEN      2031/mysqld
tcp6       0      0 :::11211                :::*                    LISTEN      1777/memcached
tcp6       0      0 :::80                   :::*                    LISTEN      6004/varnishd
tcp6       0      0 :::6556                 :::*                    LISTEN      1774/xinetd
tcp6       0      0 :::10050                :::*                    LISTEN      1767/zabbix_agentd
tcp6       0      0 :::33060                :::*                    LISTEN      2031/mysqld

So obviously this is a port issue. The sysadmin does not know a lot about web servers and I do not know a lot about much outside of the web folder, and we are having a hard time connecting the two! I would love a little more explanation as to what is going on here. Thank you in advance.

Upvotes: 0

Views: 101

Answers (1)

Thijs Feryn

Analyzing the netstat output

In your before setup Varnish was running on ports 80 & 81. In your after setup that is still the case. In your before setup the httpd process runs on port 443 for HTTPS and port 8080 for plain HTTP.

Looking at your varnishd runtime config

The only thing that looks different is the use of the -b option to configure the backend that Varnish connects to. Currently this is -b www-test-cms:80.

Based on the netstat output, the right port is 8080 instead of 80. However, I'm not a big fan of doing this via a runtime parameter, because the VCL file itself will probably also contain this information.

A better varnishd runtime config

For reference, here's the out-of-the-box systemd setup for a RHEL-based Varnish setup: https://www.varnish-software.com/developers/tutorials/installing-varnish-red-hat-enterprise-linux/#systemd-configuration.

As specified on https://www.varnish-software.com/developers/tutorials/installing-varnish-red-hat-enterprise-linux/#modifying-the-listening-port-and-cache-size, you need to set the -a property to configured listening addresses.

Here's an example that is tailored to the Varnish port setup from your netstat output:

varnishd \
      -a :80 \
      -a :81 \
      -f /etc/varnish/default.vcl \
      -s malloc,2g \
      -pvcc_allow_inline_c=true
  • Make varnishd listen on ports 80 & 81 (I don't know why 81 is needed)
  • Link to the VCL file that contains the backend definition and caching rules using the -f option
  • Set the size of the cache to 2GB using the -s option (tune this to your own needs)
  • Enable inline C by setting -pvcc_allow_inline_c=true (avoid enabling inline C unless it's absolutely necessary)

I strongly advise against this setup

While I can come up with a solution, I strongly advise against the patching process.

While it is important to fix security issues, patching this version of Varnish yourself is not a good idea.

Varnish 4 is end-of-life, so is Varnish 5 and certain versions of Varnish 6.

If you look at https://varnish-cache.org/security/index.html, you'll see that there are more VSVs. And maybe you think your version is not affected by most of them, but because Varnish 4 is EOL, the security issues aren't fixed for v4 anymore.

Upgrade to Varnish 6.0 LTS

I recommend that you upgrade to a more recent version of Varnish. Varnish Cache 6.0 LTS is the one I would recommend. See https://www.varnish-software.com/developers/tutorials/installing-varnish-red-hat-enterprise-linux for an install guide on RHEL.

What about VCL compatibility?

The compatibility of the VCL file cannot be guaranteed, of course; however, just add the vcl 4.1; version marker at the beginning of the VCL file and try to run the VCL code locally to see if it compiles when varnishd starts.

You could try copying the code from /etc/varnish/default.vcl on the server to your local system and test it in a local Docker container. See https://www.varnish-software.com/developers/tutorials/running-varnish-docker/ for more info about spinning up the official Varnish Docker image.

End result

Once you know the VCL file works on Varnish 6.0 LTS, you could go further with the upgrade of your Varnish server.

Patching an EOL version of Varnish is just a bad idea, just bite the bullet and upgrade to a modern version that is supported.

Upvotes: 1
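The port check from the answer, as an added example that is not part of the question or the answer: a small POSIX sh script that reads netstat -tlnp output and reports which program owns the port a varnishd -b backend points at, so a backend that resolves to Varnish's own listening port (the situation in the question) is flagged rather than silently looping. The embedded netstat rows are constructed from the "After" listing above; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the question, the answer or the Varnish project.
# Sample rows constructed from the "After" `netstat -tlnp` listing in the question.
NETSTAT_OUTPUT='tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6004/varnishd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1779/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1779/httpd
tcp        0      0 127.0.0.1:35588         0.0.0.0:*               LISTEN      6003/varnishd'

# listener_of PORT: print the program name that listens on PORT (IPv4 rows),
# with the "PID/" prefix stripped; prints nothing when no process listens there.
listener_of() {
    port="$1"
    printf '%s\n' "$NETSTAT_OUTPUT" \
      | awk -v p=":$port" '$1 == "tcp" && $4 ~ p"$" { sub(/^[0-9]+\//, "", $7); print $7; exit }'
}

# check_backend HOST:PORT: classify the -b target that varnishd was started with.
# Returns 0 when a non-Varnish process serves the port, 1 when varnishd itself does
# (the backend would be Varnish, i.e. a loop), 2 when nothing listens there.
check_backend() {
    backend="$1"
    port="${backend##*:}"
    owner="$(listener_of "$port")"
    case "$owner" in
        "")
            echo "nothing listens on :$port; backend $backend is unreachable"
            return 2 ;;
        varnishd)
            echo "varnishd itself owns :$port; -b $backend points Varnish at Varnish"
            return 1 ;;
        *)
            echo ":$port is served by $owner; -b $backend is a plausible backend"
            return 0 ;;
    esac
}

# Usage: the -b value from the question next to the port httpd actually listens on.
for b in www-test-cms:80 www-test-cms:8080; do
    check_backend "$b" || :
done
```

On a real host, replace NETSTAT_OUTPUT with `$(netstat -tlnp)` (or `ss -tlnp` with the field numbers adjusted) and run it as a user allowed to see other processes' PIDs.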
