
Setting up Varnish Apache2 HTTP & HTTPS Ubuntu 16.04

I have Apache2 with several sites on HTTPS (443, Let's Encrypt) and HTTP (80), multiple CMS on Ubuntu 16.04, CPUx16, mem=48G. One of the HTTPS sites (WordPress) is overloaded - a nonprofit site that shows profiles of orphans with photos/videos and receives donations (up to 10k visitors per day). How do I set up Varnish to cache photo/video requests in memory to reduce disk load?

Here is Apache2 ports.conf:

Listen 80

<IfModule ssl_module>
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

I would much appreciate a detailed answer.

Apache port configuration

Adjust the ports.conf and turn Listen 80 into Listen 8080.

In your vhosts, you'll have to turn <VirtualHost *:80> into <VirtualHost *:8080> as well.

Then you run sudo systemctl restart apache2 to make sure these changes take effect.

Varnish setup

Please run sudo systemctl edit --full varnish to edit the runtime settings of Varnish.

Please make sure Varnish is running on port 80 for regular HTTP and port 8443 for PROXY protocol.

ExecStart=/usr/sbin/varnishd -a :80 -a :8443,PROXY -f /etc/varnish/default.vcl -s malloc,20G

VCL setup

Please create /etc/varnish/letsencrypt.vcl and add the following code:

vcl 4.0;

backend certbot {
    .host = "127.0.0.1";
    .port = "8081";
}

sub vcl_recv {
    if (req.url ~ "^/\.well-known/acme-challenge/") {
        set req.backend_hint = certbot;
        return(pipe);
    }
}

sub vcl_pipe {
    if (req.backend_hint == certbot) {
        set req.http.Connection = "close";
        return(pipe);
    }
}

Please include this file directly after vcl 4.0; in your regular /etc/varnish/default.vcl. Here's an example:

vcl 4.0;
include "/etc/varnish/letsencrypt.vcl";

backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

As you see, the backend in default.vcl points to port 8080, which is Apache.

Please restart Varnish to make sure these VCL settings are active.

Hitch for TLS termination

Hitch is a TLS proxy developed by Varnish Software. It's powerful, lightweight and configurable.

Please run the following command to install it:

sudo apt-get install -y hitch
sudo systemctl enable hitch

Then create /etc/hitch/hitch.conf and add the following:

frontend = "[*]:443"
backend = "[localhost]:8443"
write-proxy-v2 = on
pem-file = "/etc/letsencrypt/live/yourdomain.com/hitch-bundle.pem"
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
tls = on
ssl = off
prefer-server-ciphers = false

Prepare Hitch for LetsEncrypt

Please create /usr/local/bin/hitch-deploy-hook and put the following content in it:

#!/bin/bash
# Full path to pre-generated Diffie Hellman Parameters file
dhparams=/etc/hitch/dhparams.pem

# certbot exports RENEWED_LINEAGE (the live/<domain> directory) to deploy hooks
if [[ "${RENEWED_LINEAGE}" == "" ]]; then
    echo "Error: missing RENEWED_LINEAGE env variable." >&2
    exit 1
fi

# Hitch wants key, chain and DH params in a single PEM; umask 077 creates it
# without group/other permissions since it contains the private key
umask 077
cat "${RENEWED_LINEAGE}/privkey.pem" \
    "${RENEWED_LINEAGE}/fullchain.pem" \
    "${dhparams}" > "${RENEWED_LINEAGE}/hitch-bundle.pem"

Then run the following commands:

sudo chmod a+x /usr/local/bin/hitch-deploy-hook
openssl dhparam 2048 | sudo tee /etc/hitch/dhparams.pem

Running Certbot

Make sure the LetsEncrypt certbot is installed, by running the following command:

sudo apt-get install -y certbot

Then run the following command to install the certificates:

sudo certbot certonly --standalone --preferred-challenges http \
--http-01-port 8081 -d yourdomain.com \
--deploy-hook="/usr/local/bin/hitch-deploy-hook"

After the validation, the certificate will be available at /etc/letsencrypt/live/yourdomain.com/hitch-bundle.pem, which Hitch will use.

Please run sudo systemctl restart hitch to enable Hitch.

LetsEncrypt renewals can also be done using this binary. When renewing, please make sure you reload Hitch as a post renewal hook:

sudo certbot certonly --standalone --preferred-challenges http \
--http-01-port 8081 -d yourdomain.com \
--deploy-hook="/usr/local/bin/hitch-deploy-hook" \
--post-hook="systemctl reload hitch"

I use yourdomain.com as the domain in my examples. Please replace it with the actual value.
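Hitch hands every TLS connection to Varnish's 8443 listener behind a PROXY protocol v2 header, which is what `-a :8443,PROXY` and `write-proxy-v2 = on` in the answer agree on. The following is an added example, not code from the answer or from the Varnish/Hitch projects: it encodes and decodes such a header (TCP over IPv4, plus the SSL TLV of type 0x20 that signals the client spoke TLS) using constructed addresses, so you can see exactly what Varnish trusts on that port.

```python
import socket
import struct

SIG = b"\r\n\r\n\x00\r\nQUIT\n"          # 12-byte PROXY v2 signature
PP2_TYPE_SSL, PP2_SUBTYPE_SSL_VERSION = 0x20, 0x21
PP2_CLIENT_SSL = 0x01                     # "client connected over TLS" flag


def encode_v2(src_ip, src_port, dst_ip, dst_port, tls_version=None):
    """Build a PROXY v2 header for a TCP/IPv4 connection, optionally carrying
    the SSL TLV (type 0x20) with a TLS version sub-TLV, as a TLS proxy would."""
    addrs = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    addrs += struct.pack("!HH", src_port, dst_port)
    tlvs = b""
    if tls_version is not None:
        sub = struct.pack("!BH", PP2_SUBTYPE_SSL_VERSION, len(tls_version)) + tls_version.encode()
        ssl_val = struct.pack("!BI", PP2_CLIENT_SSL, 0) + sub   # client flags, verify=0 (ok)
        tlvs = struct.pack("!BH", PP2_TYPE_SSL, len(ssl_val)) + ssl_val
    body = addrs + tlvs
    # 0x21 = version 2 + PROXY command; 0x11 = AF_INET + SOCK_STREAM
    return SIG + bytes([0x21, 0x11]) + struct.pack("!H", len(body)) + body


def decode_v2(data):
    """Parse a PROXY v2 header from the start of a byte stream. Returns the
    addresses, ports, TLS info and the offset where the client's bytes begin;
    raises ValueError for anything that is not a well-formed IPv4/TCP header."""
    if len(data) < 16 or data[:12] != SIG:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam, length = data[12], data[13], struct.unpack("!H", data[14:16])[0]
    if ver_cmd >> 4 != 2 or len(data) < 16 + length:
        raise ValueError("bad version or truncated header")
    if fam != 0x11:
        raise ValueError("only TCP over IPv4 is handled here")
    body = data[16:16 + length]
    info = {"src": socket.inet_ntoa(body[0:4]), "dst": socket.inet_ntoa(body[4:8]),
            "src_port": struct.unpack("!H", body[8:10])[0],
            "dst_port": struct.unpack("!H", body[10:12])[0],
            "tls": False, "tls_version": None, "end": 16 + length}
    pos = 12                                  # TLVs follow the 12 address bytes
    while pos + 3 <= len(body):
        typ, ln = body[pos], struct.unpack("!H", body[pos + 1:pos + 3])[0]
        val = body[pos + 3:pos + 3 + ln]
        if typ == PP2_TYPE_SSL and len(val) >= 5:
            info["tls"] = bool(val[0] & PP2_CLIENT_SSL)
            sub = val[5:]                     # sub-TLVs after client byte + verify
            if len(sub) >= 3 and sub[0] == PP2_SUBTYPE_SSL_VERSION:
                info["tls_version"] = sub[3:3 + struct.unpack("!H", sub[1:3])[0]].decode()
        pos += 3 + ln
    return info
```

Because Varnish takes the client address and TLS flag from this header unverified, the `,PROXY` listener belongs on a loopback address or behind a firewall rule so that only Hitch can reach it.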
