GRSEC and Varnish
Bernardf FRIT
bernard at frit.net
Fri Feb 5 12:01:23 CET 2010
Kristian Lyngstol a écrit :
> On Tue, Feb 02, 2010 at 04:44:48PM +0100, Bernardf FRIT wrote:
>> Hi,
>>
>> I'am running :
>> - varnishd (varnish-2.0.4)
>
> Why not 2.0.6?
When a server is running well, I'm a bit reluctant to upgrade. Now, I'm
ok to upgrade as an attempt to fix this.
>> and it appears that the grsec Kernel repeatedly and unexpectedly sends
>> signal 11 to the varnishd child.
>
> grsec seems to just report that a segfault occurred. SIGSEG would be a
> strange signal to send in any event. You want to fetch yourself a core-dump
> of this. However, before we get into that, I'd like to know what parameters
> you start Varnish with, and the general setup. VCL too, if possible.
>
Ok, I just misunderstood the grsec report. I can't find any core dump
file in the system.
I start varnishd using /etc/init.d/varnishd with the following parameters :
# cat /etc/conf.d/varnishd
# /etc/conf.d/varnishd
# options passed to varnish on startup
# please see the varnishd man page for more options
VARNISHD_OPTS="-a 87.98.137.117:80 -f /etc/varnish/yourimmo.vcl -n
/home/varnish/yourimmo -s file,/home/varnish/cache/yourimmo,1G -T
127.0.0.1:7777"
# arguments passed to varnishncsa
# please see the varnishncsa man page for more options
VARNISHNCSA_ARGS="-c -a -n /home/varnish/yourimmo -w
/var/log/varnish/access.log"
-----------------------------------------------------------------------------------------------
# cat /etc/varnish/yourimmo.vcl
### define backends:
# ha proxy
backend ha_proxy {
.host = "127.0.0.1";
.port = "80";
}
acl purge {
"localhost";
"111.111.111.111";
}
### Called when a client request is received
sub vcl_recv {
### if there is a purge make sure its coming from $localhost
if (req.request == "PURGE") {
if (!client.ip ~ purge) {
error 405 "Not allowed.";
}
lookup;
}
# Add a unique header containing the client address
remove req.http.X-Forwarded-For;
set req.http.X-Forwarded-For = client.ip;
# set req.http.X-Forwarded-For = req.http.rlnclientipaddr;
# grace settings, note this is also set in vcl_fetch,
set req.grace = 600s;
if (req.http.host ~ "^(www.)?your-immo.fr$") {
set req.backend = ha_proxy;
}
### ne pas mettre en cache:
if (req.request == "GET" && req.url ~ "\.(php|html)$") {
pass;
}
if (req.request == "GET" && req.url ~ "\.(your-immo\.fr)$") {
pass;
}
### toujours mettre en cache:
if (req.request == "GET" && req.url ~ "\.(js)") {
lookup;
}
## images
if (req.request == "GET" && req.url ~
"\.(gif|jpg|jpeg|bmp|png|tiff|tif|ico|img|tga|wmf)$") {
lookup;
}
## pages statiques
if (req.request == "GET" && req.url ~ "\.(css|pdf|exe)$") {
lookup;
}
## multimedia
if (req.request == "GET" && req.url ~
"\.(svg|swf|ico|mp3|mp4|m4a|ogg|mov|avi|wmv)$") {
lookup;
}
## xml
if (req.request == "GET" && req.url ~ "\.(xml)$") {
lookup;
}
### regles a ne pas mettre en cache:
if (req.request == "GET" && req.url ~ "\/stats") {
pipe;
}
if (req.request != "GET" && req.request != "HEAD") {
pipe;
}
if (req.http.Authenticate || req.http.Authorization) {
pass;
}
### ne pas mettre en cache les sessions d'authenticfication
if (req.http.Cookie && req.http.Cookie ~ "authtoken=") {
pipe;
}
### parse accept encoding rulesets to make it look nice
if (req.http.Accept-Encoding) {
if (req.http.Accept-Encoding ~ "gzip") {
set req.http.Accept-Encoding = "gzip";
} elsif (req.http.Accept-Encoding ~ "deflate") {
set req.http.Accept-Encoding = "deflate";
} else {
# unkown algorithm
remove req.http.Accept-Encoding;
}
}
### Modif suite a segfault
pass;
### if it passes all these tests, do a lookup anyway;
### lookup;
### end of vcl_recv
}
### Called when an object is in the cache, its a hit.
sub vcl_hit {
if (req.request == "PURGE") {
set obj.ttl = 0s;
error 200 "Purged.";
}
if (!obj.cacheable) {
pass;
}
deliver;
}
### Called when the requested object was not found in the cache
sub vcl_miss {
if (req.request == "PURGE") {
error 404 "Not in cache.";
}
}
### Called when the requested object has been retrieved from the
backend, or the request to the backend has failed
sub vcl_fetch {
## If the request to the backend returns a code other than 200, restart
the loop
## If the number of restarts reaches the value of the parameter
max_restarts,
## the request will be error'ed. max_restarts defaults to 4. This
prevents
## an eternal loop in the event that, e.g., the object does not exist
at all.
## this rule also allows for 301's and 302's redirects...
if (obj.status != 200 && obj.status != 403 && obj.status != 404
&& obj.status != 301 && obj.status != 302) {
restart;
}
# if i cant connect to the backend, ill set the grace period to
be 600 seconds to hold onto content
set obj.ttl = 0s;
set obj.grace = 600s;
if (obj.status == 404) {
set obj.ttl = 0s;
}
if (obj.status >= 500) {
set obj.ttl = 0s;
}
if (req.request == "GET" && req.url ~
"\.(gif|jpg|jpeg|bmp|png|tiff|tif|ico|img|tga|wmf)$") {
set obj.ttl = 24h;
}
## various other content pages
if (req.request == "GET" && req.url ~ "\.(css|pdf|exe)$") {
set obj.ttl = 24h;
}
if (req.request == "GET" && req.url ~ "\.(js)$") {
set obj.ttl = 24h;
}
## xml
if (req.request == "GET" && req.url ~ "\.(xml)$") {
set obj.ttl = 24h;
}
## multimedia
if (req.request == "GET" && req.url ~
"\.(svg|swf|ico|mp3|mp4|m4a|ogg|mov|avi|wmv)$") {
set obj.ttl = 24h;
}
if (!obj.cacheable) {
set obj.http.X-Cacheable = "NO:Not-Cacheable";
pass;
}
if (obj.http.Set-Cookie) {
pass;
}
if (req.request == "HEAD") {
set obj.http.head = "yes";
}
set obj.http.X-Cacheable = "YES";
deliver;
}
#
#
## Called before a cached object is delivered to the client
#
sub vcl_deliver {
set resp.http.X-Served-By = "Server 203";
if (obj.hits > 0) {
set resp.http.X-Cache = "HIT";
set resp.http.X-Cache-Hits = obj.hits;
} else {
set resp.http.X-Cache = "MISS";
}
remove resp.http.X-Powered-By;
set resp.http.Server="Apache-NSCA";
deliver;
}
More information about the varnish-misc
mailing list