Reputation: 1
I am helping an IT department update their current Drupal website and assisting in updating their RedHat webserver. My Linux user account does not have many permissions outside of editing my home folder and the Apache docroot. I have been asked to help patch their current instance of Varnish 4.0.3 by following the instructions in this patch https://varnish-cache.org/security/VSV00001.html#vsv00001. I have to ask their sysadmin to do most things on the server since my account does not have access to most commands.
I asked the sysadmin to set the vcc_allow_inline parameter to true using the instructions in the patch documentation. Here is the full command they ran:
/opt/rh/rh-varnish4/root/usr/sbin/varnishd -pvcc_allow_inline_c=true -b www-test-cms:80
and now the website is not resolving correctly. Prior to touching varnish Drupal was running with Varnish on port 81
127.0.0.1:81
Here is what the current module settings look like (screenshot: Drupal Varnish module IP settings).
And here is an output of Netstat before and after
Before
[root@www-test-cms ~]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN 1775/zabbix_agentd
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 1786/php-fpm: maste
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 1762/memcached
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 117531/varnishd
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1794/httpd
tcp 0 0 127.0.0.1:81 0.0.0.0:* LISTEN 117530/varnishd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1772/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2302/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1794/httpd
tcp6 0 0 :::10050 :::* LISTEN 1775/zabbix_agentd
tcp6 0 0 :::33060 :::* LISTEN 2096/mysqld
tcp6 0 0 :::3306 :::* LISTEN 2096/mysqld
tcp6 0 0 :::11211 :::* LISTEN 1762/memcached
tcp6 0 0 :::80 :::* LISTEN 117531/varnishd
tcp6 0 0 :::6556 :::* LISTEN 1763/xinetd
After
[root@www-test-cms ~]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 1761/php-fpm: maste
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 1777/memcached
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6004/varnishd
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1779/httpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1780/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2292/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1779/httpd
tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN 1767/zabbix_agentd
tcp 0 0 127.0.0.1:35588 0.0.0.0:* LISTEN 6003/varnishd
tcp6 0 0 :::3306 :::* LISTEN 2031/mysqld
tcp6 0 0 :::11211 :::* LISTEN 1777/memcached
tcp6 0 0 :::80 :::* LISTEN 6004/varnishd
tcp6 0 0 :::6556 :::* LISTEN 1774/xinetd
tcp6 0 0 :::10050 :::* LISTEN 1767/zabbix_agentd
tcp6 0 0 :::33060 :::* LISTEN 2031/mysqld
So obviously this is a port issue. The sysadmin does not know a lot about webservers and I do not know a lot about much outside of the webfolder and we are having a hard time connecting the two! I would love a little more explanation as to what is going on here. Thank you in advance.
Upvotes: 0
Views: 101
Reputation: 4828
In your before setup Varnish was running on ports 80 & 81. In your after setup that is still the case. In your before setup the httpd process runs on ports 443 for HTTPS and 8080 for plain HTTP.
The only thing that looks different is the use of the -b option to configure the backend that Varnish connects to. Currently this is -b www-test-cms:80.
Based on the netstat output, the right port is 8080 instead of 80. However, I'm not a big fan of doing this via a runtime parameter, because the VCL file itself will probably also contain this information.
For reference, here's the out-of-the-box systemd setup for a RHEL-based Varnish setup: https://www.varnish-software.com/developers/tutorials/installing-varnish-red-hat-enterprise-linux/#systemd-configuration.
As specified on https://www.varnish-software.com/developers/tutorials/installing-varnish-red-hat-enterprise-linux/#modifying-the-listening-port-and-cache-size, you need to set the -a property to configure listening addresses.
Here's an example that is tailored to the Varnish port setup from your netstat output:
varnishd \
-a :80 \
-a :81 \
-f /etc/varnish/default.vcl \
-s malloc,2g \
-pvcc_allow_inline_c=true
- varnishd listens on ports 80 & 81 (I don't know why 81 is needed)
- -f option
- -s option (tune this to your own needs)
- -pvcc_allow_inline_c=true (avoid enabling inline C unless it's absolutely necessary)
While I can come up with a solution, I strongly advise against the patching process.
While it is important to fix security issues, patching this version of Varnish yourself is not a good idea.
Varnish 4 is end-of-life, so is Varnish 5 and certain versions of Varnish 6.
If you look at https://varnish-cache.org/security/index.html, you'll see that there are more VSVs. And maybe you think your version is not affected by most of them; because Varnish 4 is EOL, the security issues aren't fixed for v4 anymore.
I recommend that you upgrade to a more recent version of Varnish. Varnish Cache 6.0 LTS is the one I would recommend. See https://www.varnish-software.com/developers/tutorials/installing-varnish-red-hat-enterprise-linux for an install guide on RHEL.
The compatibility of the VCL file cannot be guaranteed of course, however just add the vcl 4.1; version marker at the beginning of the VCL file and try to run the VCL code locally to see if it compiles when varnishd starts.
You could try copying the code from /etc/varnish/default.vcl on the server to your local system and test it in a local Docker container. See https://www.varnish-software.com/developers/tutorials/running-varnish-docker/ for more info about spinning up the official Varnish Docker image.
Once you know the VCL file works on Varnish 6.0 LTS, you could go further with the upgrade of your Varnish server.
Patching an EOL version of Varnish is just a bad idea, just bite the bullet and upgrade to a modern version that is supported.
Upvotes: 1
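Added example (not code from the question, the answer, or the Varnish project): a small Python check that parses the netstat -tlnp listing from the question and reports whether a -b host:port backend points at httpd, at nothing, or back at varnishd's own listener, which is what -b www-test-cms:80 does when port 80 is Varnish. The trimmed sample listing and the list of names that resolve to the local box are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the "after" netstat -tlnp listing from the question,
# trimmed to the lines relevant to the backend check.
NETSTAT_AFTER = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 1761/php-fpm: maste
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6004/varnishd
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1779/httpd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1779/httpd
tcp 0 0 127.0.0.1:35588 0.0.0.0:* LISTEN 6003/varnishd
tcp6 0 0 :::80 :::* LISTEN 6004/varnishd
"""

# Assumption: names under which the backend host resolves to this same machine.
LOCAL_HOSTS = ("127.0.0.1", "localhost", "www-test-cms")

# proto recv-q send-q local-addr:port foreign-addr LISTEN pid/program
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s+\d+/(\S+)")


def parse_listeners(netstat_output: str) -> Dict[int, str]:
    """Map each listening TCP port to the program name netstat reports for it."""
    listeners: Dict[int, str] = {}
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners[int(m.group(1))] = m.group(2)
    return listeners


def check_backend(backend_spec: str, listeners: Dict[int, str]) -> Tuple[str, str]:
    """Classify a varnishd -b host:port backend: 'loop' if the port is varnishd's
    own listener, 'closed' if nothing listens there, 'ok' otherwise, and
    'remote' when the host is not this machine (cannot be judged from netstat)."""
    host, _, port_text = backend_spec.rpartition(":")
    if host not in LOCAL_HOSTS:
        return ("remote", "")
    program = listeners.get(int(port_text))
    if program is None:
        return ("closed", "")
    if program.startswith("varnishd"):
        return ("loop", program)
    return ("ok", program)


def httpd_ports(listeners: Dict[int, str]) -> List[int]:
    """Ports served by httpd: the candidates for the real Varnish backend."""
    return sorted(p for p, prog in listeners.items() if prog.startswith("httpd"))


if __name__ == "__main__":
    print(check_backend("www-test-cms:80", parse_listeners(NETSTAT_AFTER)))
```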