Setting up Varnish Apache2 HTTP & HTTPS Ubuntu 16.04
I have Apache2 with several sites on HTTPS (443, Let's Encrypt) and HTTP (80), multiple CMSs, on Ubuntu 16.04 (CPUx16, mem=48G). One of the HTTPS sites (WordPress) is overloaded: a nonprofit site that shows profiles of orphans with photos/videos and receives donations (up to 10k visitors per day).
How do I set up Varnish to cache photo/video requests in memory to reduce disk load?
Here is my Apache2 ports.conf:
Listen 80
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
I would much appreciate a detailed answer.
Adjust ports.conf and turn Listen 80 into Listen 8080.
In your vhosts, you'll have to turn <VirtualHost *:80> into <VirtualHost *:8080> as well.
Then run sudo systemctl restart apache2 to make sure these changes take effect.
Please run sudo systemctl edit --full varnish to edit the runtime settings of Varnish.
Please make sure Varnish is running on port 80 for regular HTTP and port 8443 for the PROXY protocol:
ExecStart=/usr/sbin/varnishd -a :80 -a :8443,PROXY -f /etc/varnish/default.vcl -s malloc,20G
Please create /etc/varnish/letsencrypt.vcl and add the following code:
vcl 4.0;
backend certbot {
.host = "127.0.0.1";
.port = "8081";
}
sub vcl_recv {
if (req.url ~ "^/\.well-known/acme-challenge/") {
set req.backend_hint = certbot;
return(pipe);
}
}
sub vcl_pipe {
if (req.backend_hint == certbot) {
set req.http.Connection = "close";
return(pipe);
}
}
Please include this file directly after vcl 4.0; in your regular /etc/varnish/default.vcl. Here's an example:
vcl 4.0;
include "/etc/varnish/letsencrypt.vcl";
backend default {
.host = "127.0.0.1";
.port = "8080";
}
As you can see, the backend in default.vcl points to port 8080, which is Apache.
Please restart Varnish to make sure these VCL settings are active.
Hitch is a TLS proxy developed by Varnish Software. It's powerful, lightweight and configurable.
Please run the following commands to install it:
sudo apt-get install -y hitch
sudo systemctl enable hitch
Then create /etc/hitch/hitch.conf and add the following:
frontend = "[*]:443"
backend = "[localhost]:8443"
write-proxy-v2 = on
pem-file = "/etc/letsencrypt/live/yourdomain.com/hitch-bundle.pem"
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
tls = on
ssl = off
prefer-server-ciphers = false
Please create /usr/local/bin/hitch-deploy-hook and put the following content in it:
#!/bin/bash
# Full path to pre-generated Diffie Hellman Parameters file
dhparams=/etc/hitch/dhparams.pem
if [[ "${RENEWED_LINEAGE}" == "" ]]; then
echo "Error: missing RENEWED_LINEAGE env variable." >&2
exit 1
fi
umask 077
cat ${RENEWED_LINEAGE}/privkey.pem \
${RENEWED_LINEAGE}/fullchain.pem \
${dhparams} > ${RENEWED_LINEAGE}/hitch-bundle.pem
Then run the following commands:
sudo chmod a+x /usr/local/bin/hitch-deploy-hook
openssl dhparam 2048 | sudo tee /etc/hitch/dhparams.pem
Make sure the Let's Encrypt certbot is installed by running the following command:
sudo apt-get install -y certbot
Then run the following command to install the certificates:
sudo certbot certonly --standalone --preferred-challenges http \
--http-01-port 8081 -d yourdomain.com \
--deploy-hook="/usr/local/bin/hitch-deploy-hook"
After validation, the certificate bundle will be available at /etc/letsencrypt/live/yourdomain.com/hitch-bundle.pem, which Hitch will use.
Please run sudo systemctl restart hitch to enable Hitch.
Let's Encrypt renewals can also be done using this binary. When renewing, please make sure you reload Hitch as a post-renewal hook:
sudo certbot certonly --standalone --preferred-challenges http \
--http-01-port 8081 -d yourdomain.com \
--deploy-hook="/usr/local/bin/hitch-deploy-hook" \
--post-hook="systemctl reload hitch"
I use yourdomain.com as the domain in my examples. Please replace it with the actual value.
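The answer above hands traffic through three daemons (Hitch on 443, Varnish on 80 and 8443, Apache on 8080), and the most common way this breaks is a port left mismatched: Apache still bound to 80 so varnishd cannot start, or Hitch pointed at a Varnish listener that was not started with PROXY. The script below is an added example written for this page, not part of the original answer. It parses the four files the answer edits and checks every hand-off; it assumes the Varnish unit lives at /etc/systemd/system/varnish.service (where systemctl edit --full writes it) and otherwise takes all paths as arguments, so the demo at the bottom runs against constructed copies of the answer's configs.

```shell
#!/bin/bash
# Added consistency check for the Apache -> Varnish -> Hitch chain set up above.
# This is example code written for this page, not part of the original answer.
# It parses the four files the answer edits and verifies each port hand-off:
#   hitch.conf backend        -> a Varnish listener flagged PROXY   (8443)
#   default.vcl .port         -> a port Apache still listens on     (8080)
#   Apache no longer on :80   -> Varnish owns :80 (otherwise varnishd cannot bind)
# All paths are arguments, so it also runs against constructed copies (demo below).

# Ports from "Listen" lines in ports.conf; handles "Listen 80" and "Listen [::]:443".
apache_listen_ports() {
    awk '/^[[:space:]]*Listen[[:space:]]/ { sub(/.*:/, "", $2); print $2 }' "$1" | sort -u
}

# Listener specs after each "-a" on the ExecStart line, e.g. "80" and "8443,PROXY".
varnish_listeners() {
    grep -E '^ExecStart=' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "-a") { sub(/^[^:]*:/, "", $(i + 1)); print $(i + 1) } }'
}

# Port of the first backend in default.vcl (the hand-off to Apache).
vcl_backend_port() {
    awk -F'"' '/^[[:space:]]*\.port[[:space:]]*=/ { print $2; exit }' "$1"
}

# Port in hitch.conf's backend = "[host]:port" line (the hand-off to Varnish).
hitch_backend_port() {
    awk -F'"' '/^[[:space:]]*backend[[:space:]]*=/ { n = split($2, a, ":"); print a[n]; exit }' "$1"
}

# Returns 0 when the chain is consistent; prints each mismatch and returns 1 otherwise.
check_chain() {
    local ports_conf=$1 varnish_unit=$2 default_vcl=$3 hitch_conf=$4 fail=0
    local apache_ports varnish_specs backend_port hitch_port
    apache_ports=$(apache_listen_ports "$ports_conf")
    varnish_specs=$(varnish_listeners "$varnish_unit")
    backend_port=$(vcl_backend_port "$default_vcl")
    hitch_port=$(hitch_backend_port "$hitch_conf")

    # 1. Varnish must own port 80 and Apache must have released it.
    echo "$varnish_specs" | grep -qx '80' || { echo "varnish: no plain listener on :80"; fail=1; }
    if echo "$apache_ports" | grep -qx '80'; then
        echo "apache: still listens on :80, which collides with varnish"; fail=1
    fi
    # 2. Varnish's backend port must be one Apache actually listens on.
    echo "$apache_ports" | grep -qx "$backend_port" ||
        { echo "vcl: backend port '$backend_port' is not in Apache's Listen list"; fail=1; }
    # 3. Hitch must hand off to a Varnish listener that speaks PROXY protocol.
    echo "$varnish_specs" | grep -qx "$hitch_port,PROXY" ||
        { echo "hitch: backend :$hitch_port is not a Varnish PROXY listener"; fail=1; }
    return "$fail"
}

# Writes constructed copies of the four files into $1. Mode "good" mirrors the
# answer; mode "bad" leaves ports.conf at "Listen 80", the classic collision.
make_demo_configs() {
    local dir=$1 mode=$2 apache_port=8080
    if [ "$mode" = bad ]; then apache_port=80; fi
    mkdir -p "$dir"
    printf 'Listen %s\n<IfModule ssl_module>\nListen 443\n</IfModule>\n' "$apache_port" > "$dir/ports.conf"
    printf 'ExecStart=/usr/sbin/varnishd -a :80 -a :8443,PROXY -f /etc/varnish/default.vcl -s malloc,20G\n' > "$dir/varnish.service"
    printf 'vcl 4.0;\ninclude "/etc/varnish/letsencrypt.vcl";\nbackend default {\n  .host = "127.0.0.1";\n  .port = "8080";\n}\n' > "$dir/default.vcl"
    printf 'frontend = "[*]:443"\nbackend = "[localhost]:8443"\nwrite-proxy-v2 = on\n' > "$dir/hitch.conf"
}

# Stand-alone demo on constructed copies. On a real host run instead, e.g.:
#   check_chain /etc/apache2/ports.conf /etc/systemd/system/varnish.service \
#               /etc/varnish/default.vcl /etc/hitch/hitch.conf
demo_dir=$(mktemp -d)
for mode in good bad; do
    make_demo_configs "$demo_dir/$mode" "$mode"
    if check_chain "$demo_dir/$mode/ports.conf" "$demo_dir/$mode/varnish.service" \
                   "$demo_dir/$mode/default.vcl" "$demo_dir/$mode/hitch.conf"; then
        echo "$mode config: chain consistent"
    else
        echo "$mode config: mismatches found"
    fi
done
rm -rf "$demo_dir"
```

Run it once after the restart commands in the answer and again after any certbot or unit-file change; a non-zero exit from check_chain names the exact hand-off that is broken, which is quicker than reading three daemons' logs when port 443 suddenly stops answering.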