Install Varnish Cache with Apache2 on Ubuntu 24.04

  • Install apache2, php, varnish
apt update && apt install apache2 php varnish -y
  • Check the Varnish version
varnishd -V
---<output>---
varnishd (varnish-7.1.1 revision 7cee1c581bead20e88d101ab3d72afb29f14d87a)
Copyright (c) 2006 Verdens Gang AS
Copyright (c) 2006-2022 Varnish Software

  • Configure Apache to run behind Varnish Cache: change Apache's default port from 80 to 8080
sed -i "s/Listen 80/Listen 8080/" /etc/apache2/ports.conf
  • Create a directory for the domain varnish.sys-ops.id.sideka.my.id
  • Replace the domain to suit your needs
mkdir -p /var/www/varnish.sys-ops.id.sideka.my.id
  • Download the sample website files and copy them to the folder /var/www/varnish.sys-ops.id.sideka.my.id
git clone https://github.com/sideka-cloud/web-test.git
cp -R web-test/new/* /var/www/varnish.sys-ops.id.sideka.my.id/
chown -R www-data:www-data /var/www/varnish.sys-ops.id.sideka.my.id/
  • Create the virtual host config varnish.sys-ops.id.sideka.my.id.conf for the domain
  • Replace the domain to suit your needs
nano /etc/apache2/sites-available/varnish.sys-ops.id.sideka.my.id.conf
ServerTokens Prod
ServerSignature Off
<VirtualHost *:8080>
     ServerAdmin [email protected]
     ServerName varnish.sys-ops.id.sideka.my.id
     ServerAlias www.varnish.sys-ops.id.sideka.my.id
     DocumentRoot /var/www/varnish.sys-ops.id.sideka.my.id

     <Directory /var/www/varnish.sys-ops.id.sideka.my.id>
        Options -Indexes +FollowSymLinks
        Require all granted
        DirectoryIndex index.php index.html
        AllowOverride All
        Order allow,deny
        Allow from all
        Header unset X-Powered-By

        Header set Access-Control-Allow-Headers "ORIGIN, X-REQUESTED-WITH, CONTENT-TYPE"
        Header set Access-Control-Allow-Origin "*"
        Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
        Header set X-XSS-Protection 1;mode=block
        Header set X-Frame-Options SAMEORIGIN
        Header set X-Content-Type-Options nosniff
        Header set Strict-Transport-Security "max-age=15552000; includeSubDomains;preload"
        Header set Referrer-Policy strict-origin-when-cross-origin
        Header set Access-Control-Max-Age 60000
        Header set Permissions-Policy "microphone=(), geolocation=(self), fullscreen=()"
        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' http: https:; img-src 'self' data: https:; font-src 'self' data: https:; frame-src 'self' data: https: blob:"
     </Directory>

     <DirectoryMatch "^/.*/\..*/(?!\.well-known/).*$">
        Require all denied
     </DirectoryMatch>

     <FilesMatch "\.(ini|log|conf|txt|bak|old)$">
        Require all denied
     </FilesMatch>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
  • Enable rewrite module, headers module, proxy module, http2 module, virtualhost config
a2enmod rewrite
a2enmod headers
a2ensite varnish.sys-ops.id.sideka.my.id.conf
a2enmod http2
a2enmod proxy
a2enmod proxy_http
a2dissite 000-default
systemctl restart apache2
  • Edit the listen port in Varnish's ExecStart, from 6081 to 80
systemctl edit --full  varnish
LimitMEMLOCK=85983232
ExecStart=/usr/sbin/varnishd \
          -j unix,user=vcache \
          -F \
          -a :80 \
          -T localhost:6082 \
          -f /etc/varnish/default.vcl \
          -S /etc/varnish/secret \
          -s malloc,256m
ExecReload=/usr/share/varnish/varnishreload
ProtectSystem=full
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
  • Check the Varnish proxy; make sure it uses port 8080
nano /etc/varnish/default.vcl 
# Default backend definition. Set this to point to your content server.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}
  • Restart the apache2 and varnish services
systemctl daemon-reload
systemctl restart apache2
systemctl restart varnish
  • Check the listening ports with netstat; make sure apache2 is listening on port 8080 and varnish is listening on port 80
netstat -tulpn
---<output>---
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address      State       PID/Program name    
tcp        0      0 127.0.0.1:6082          0.0.0.0:*            LISTEN      3382/varnishd       
tcp        0      0 0.0.0.0:80              0.0.0.0:*            LISTEN      3382/varnishd       
tcp        0      0 127.0.0.54:53           0.0.0.0:*            LISTEN      594/systemd-resolve 
tcp        0      0 127.0.0.53:53           0.0.0.0:*            LISTEN      594/systemd-resolve 
tcp6       0      0 :::22                   :::*                 LISTEN      1/init              
tcp6       0      0 :::80                   :::*                 LISTEN      3382/varnishd       
tcp6       0      0 :::8080                 :::*                 LISTEN      3313/apache2        
udp        0      0 127.0.0.54:53           0.0.0.0:*                        594/systemd-resolve 
udp        0      0 127.0.0.53:53           0.0.0.0:*                        594/systemd-resolve 
udp        0      0 192.168.10.100:68       0.0.0.0:*                        685/systemd-network 
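A check worth running on this netstat output, as an added example that is not part of the original tutorial: it flags the Apache backend port (8080) or the Varnish admin port (6082) when they listen on a non-loopback address, since clients could then reach them without going through Varnish. The function names `audit_listeners` and `sample_netstat` are hypothetical; the sample lines are copied from the output above.

```shell
#!/bin/sh
# Added example: audit `netstat -tulpn` output for listeners that should be
# loopback-only in this setup. Ports are the ones used on this page.
BACKEND_PORT=8080   # Apache behind Varnish
ADMIN_PORT=6082     # varnishd -T management interface

audit_listeners() {
    # Reads netstat -tulpn text on stdin; prints one line per exposed listener.
    awk -v be="$BACKEND_PORT" -v adm="$ADMIN_PORT" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]                      # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            loopback = (host ~ /^127\./ || host == "::1")
            if ((port == be || port == adm) && !loopback)
                printf "EXPOSED %s (%s): bind to loopback only\n", addr, $7
        }'
}

sample_netstat() {
    # Listener lines taken from the netstat output shown on this page.
    cat <<'EOF'
tcp        0      0 127.0.0.1:6082          0.0.0.0:*            LISTEN      3382/varnishd
tcp        0      0 0.0.0.0:80              0.0.0.0:*            LISTEN      3382/varnishd
tcp6       0      0 :::80                   :::*                 LISTEN      3382/varnishd
tcp6       0      0 :::8080                 :::*                 LISTEN      3313/apache2
udp        0      0 127.0.0.53:53           0.0.0.0:*                        594/systemd-resolve
EOF
}

# On a live host: netstat -tulpn | audit_listeners
sample_netstat | audit_listeners
```

On the page's output this reports apache2 on `:::8080`; using `Listen 127.0.0.1:8080` in /etc/apache2/ports.conf, or a firewall rule for port 8080, keeps the backend reachable only through Varnish.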
  • Test varnish cache
curl -I http://localhost
---<output>---
HTTP/1.1 200 OK
Date: Thu, 13 Jun 2024 09:36:21 GMT
Server: Apache
Vary: Accept-Encoding
Access-Control-Allow-Headers: ORIGIN, X-REQUESTED-WITH, CONTENT-TYPE
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
X-XSS-Protection: 1;mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15552000; includeSubDomains;preload
Referrer-Policy: strict-origin-when-cross-origin
Access-Control-Max-Age: 60000
Permissions-Policy: microphone=(), geolocation=(self), fullscreen=()
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' http: https:; img-src 'self' data: https:; font-src 'self' data: https:; frame-src 'self' data: https: blob:
Content-Type: text/html; charset=UTF-8
X-Varnish: 32798 32787
Age: 64
Via: 1.1 varnish (Varnish/7.1)
Accept-Ranges: bytes
Content-Length: 1600
Connection: keep-alive
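How to read these headers, as an added example that is not part of the original tutorial: `X-Varnish` carries one transaction ID on a cache miss and two on a hit (the current request, then the request that stored the object), and `Age` is the number of seconds the object has been in cache. The function names `varnish_cache_state` and `page_headers` are hypothetical; the sample headers are copied from the output above.

```shell
#!/bin/sh
# Added example: classify a response as HIT, MISS or BYPASS from `curl -sI` output.

varnish_cache_state() {
    # Reads response headers on stdin. Header names are matched
    # case-insensitively and CRs are stripped (curl prints CRLF line ends).
    tr -d '\r' | awk '
        { name = tolower($1) }
        name == "x-varnish:" { xids = NF - 1; xid = $2; src = $3 }
        name == "age:"       { age = $2 + 0 }
        END {
            if (xids == 0)        # no X-Varnish header: response skipped Varnish
                print "BYPASS"
            else if (xids >= 2)   # second ID = request that populated the cache
                printf "HIT xid=%s cached_by=%s age=%d\n", xid, src, age
            else
                printf "MISS xid=%s\n", xid
        }'
}

page_headers() {
    # Subset of the response headers shown on this page.
    cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
X-Varnish: 32798 32787
Age: 64
Via: 1.1 varnish (Varnish/7.1)
EOF
}

# On a live host: curl -sI http://localhost | varnish_cache_state
page_headers | varnish_cache_state
```

A BYPASS result for a URL that should be cached means the response did not pass through Varnish, for example when the request went straight to port 8080.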
  • Install Let’s Encrypt (Free SSL)
apt install certbot python3-certbot-apache -y
certbot --apache --agree-tos --redirect --http-01-port 8080 -m [email protected] -d varnish.sys-ops.id.sideka.my.id

    Enable Varnish via HTTPS

    • Edit the virtual host file varnish.sys-ops.id.sideka.my.id-le-ssl.conf for the domain, adding ProxyPass and ProxyPassReverse
    • Restart the apache2 service
    <IfModule mod_ssl.c>
    <VirtualHost *:443>
         ServerAdmin [email protected]
         ServerName varnish.sys-ops.id.sideka.my.id
         ServerAlias www.varnish.sys-ops.id.sideka.my.id
         DocumentRoot /var/www/varnish.sys-ops.id.sideka.my.id
    
         <Directory /var/www/varnish.sys-ops.id.sideka.my.id>
            Options -Indexes +FollowSymLinks
            Require all granted
            DirectoryIndex index.php index.html
            AllowOverride All
            Order allow,deny
            Allow from all
            Header unset X-Powered-By
    
            Header set Access-Control-Allow-Headers "ORIGIN, X-REQUESTED-WITH, CONTENT-TYPE"
            Header set Access-Control-Allow-Origin "*"
            Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
            Header set X-XSS-Protection 1;mode=block
            Header set X-Frame-Options SAMEORIGIN
            Header set X-Content-Type-Options nosniff
            Header set Strict-Transport-Security "max-age=15552000; includeSubDomains;preload"
            Header set Referrer-Policy strict-origin-when-cross-origin
            Header set Access-Control-Max-Age 60000
            Header set Permissions-Policy "microphone=(), geolocation=(self), fullscreen=()"
            Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' http: https:; img-src 'self' data: https:; font-src 'self' data: https:; frame-src 'self' data: https: blob:"
         </Directory>
    
         <DirectoryMatch "^/.*/\..*/(?!\.well-known/).*$">
            Require all denied
         </DirectoryMatch>
    
         <FilesMatch "\.(ini|log|conf|txt|bak|old)$">
            Require all denied
         </FilesMatch>
    
         ErrorLog ${APACHE_LOG_DIR}/error.log
         CustomLog ${APACHE_LOG_DIR}/access.log combined
    
    SSLCertificateFile /etc/letsencrypt/live/varnish.sys-ops.id.sideka.my.id/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/varnish.sys-ops.id.sideka.my.id/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    
          ProxyPass / http://127.0.0.1:80/
          ProxyPassReverse / http://127.0.0.1:80/
    
    </VirtualHost>
    </IfModule>
    systemctl restart apache2
        • Check the Varnish cache
        curl -I https://varnish.sys-ops.id.sideka.my.id
        ---<output>---
        HTTP/1.1 200 OK
        Date: Thu, 13 Jun 2024 09:49:08 GMT
        Server: Apache
        Vary: Accept-Encoding
        Access-Control-Allow-Headers: ORIGIN, X-REQUESTED-WITH, CONTENT-TYPE
        Access-Control-Allow-Origin: *
        Access-Control-Allow-Methods: GET, POST, OPTIONS
        X-XSS-Protection: 1;mode=block
        X-Frame-Options: SAMEORIGIN
        X-Content-Type-Options: nosniff
        Strict-Transport-Security: max-age=15552000; includeSubDomains;preload
        Referrer-Policy: strict-origin-when-cross-origin
        Access-Control-Max-Age: 60000
        Permissions-Policy: microphone=(), geolocation=(self), fullscreen=()
        Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' http: https:; img-src 'self' data: https:; font-src 'self' data: https:; frame-src 'self' data: https: blob:
        Content-Type: text/html; charset=UTF-8
        X-Varnish: 87 64
        Age: 21
        Via: 1.1 varnish (Varnish/7.1)
        Accept-Ranges: bytes
        Content-Length: 1606
        • Varnish cache is running normally over HTTPS
        • Check Varnish status
        varnishstat

        herdiana3389

        A system administrator with skills in system administration, virtualization, linux, windows, networking, cloud computing, container, etc.