Varnish jails, priv-sep, packaging etc.

Rogier 'DocWilco' Mulhuijzen varnish at
Wed Apr 15 18:20:25 CEST 2015

On Wed, Apr 15, 2015 at 6:18 AM Poul-Henning Kamp <phk at>

> That would make gid=varnish the general restrictor for acces, such that
> it could also be used for VCL files etc.

Yup, I think it's a very reasonable yet safe restriction.

> You can put the secret file wherever you like (and have as many copies
> as you like) this is only about when people do not give a -S.
> I think keeping it in the -n directory makes sense, and giving it the
> same privs (uid/gid) as varnishd was started with is a good place to start.

Yeah, I was thinking it might work well as a default, but if we go with
gid=varnish being needed for the tools, scratch making the default
something else.

So 640 + vadmin:varnish ? (_.vsm)


That would be consistent, but what does everybody else say ?

Quite. Anyone? :)

Dridi's suggestion of "vcache" is better than my "vrun".

I agree. It's way more recognizable as being varnish related than "vrun" or
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the varnish-dev mailing list