Patching varnish 4.0.3 and port configuration
I am helping an IT department update their current Drupal website and assisting in updating their RedHat webserver. My Linux user account does not have many permissions outside of editing my home folder and the Apache docroot. I have been asked to help patch their current instance of Varnish 4.0.3 by following the instructions in this patch https://varnish-cache.org/security/VSV00001.html#vsv00001 . I have to ask their sysadmin to do most things on the server since my account does not have access to most commands.

I asked the sysadmin to set the vcc_allow_inline parameter to true using the instructions in the patch documentation. Here is the full command they ran:
/opt/rh/rh-varnish4/root/usr/sbin/varnishd -pvcc_allow_inline_c=true -b www-test-cms:80
and now the website is not resolving correctly. Prior to touching Varnish, Drupal was running with Varnish on port 81:

127.0.0.1:81

Here is what the current module settings look like: [image: Drupal Varnish module IP settings]

And here is the output of netstat before and after.

Before:
[root@www-test-cms ~]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN 1775/zabbix_agentd
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 1786/php-fpm: maste
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 1762/memcached
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 117531/varnishd
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1794/httpd
tcp 0 0 127.0.0.1:81 0.0.0.0:* LISTEN 117530/varnishd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1772/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2302/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1794/httpd
tcp6 0 0 :::10050 :::* LISTEN 1775/zabbix_agentd
tcp6 0 0 :::33060 :::* LISTEN 2096/mysqld
tcp6 0 0 :::3306 :::* LISTEN 2096/mysqld
tcp6 0 0 :::11211 :::* LISTEN 1762/memcached
tcp6 0 0 :::80 :::* LISTEN 117531/varnishd
tcp6 0 0 :::6556 :::* LISTEN 1763/xinetd
After:
[root@www-test-cms ~]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 1761/php-fpm: maste
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 1777/memcached
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6004/varnishd
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1779/httpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1780/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2292/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1779/httpd
tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN 1767/zabbix_agentd
tcp 0 0 127.0.0.1:35588 0.0.0.0:* LISTEN 6003/varnishd
tcp6 0 0 :::3306 :::* LISTEN 2031/mysqld
tcp6 0 0 :::11211 :::* LISTEN 1777/memcached
tcp6 0 0 :::80 :::* LISTEN 6004/varnishd
tcp6 0 0 :::6556 :::* LISTEN 1774/xinetd
tcp6 0 0 :::10050 :::* LISTEN 1767/zabbix_agentd
tcp6 0 0 :::33060 :::* LISTEN 2031/mysqld
So obviously this is a port issue. The sysadmin does not know a lot about webservers and I do not know a lot about much outside of the webfolder, and we are having a hard time connecting the two. I would love a little more explanation as to what is going on here. Thank you in advance.

In your before setup Varnish was running on port 80 & 81. In your after setup that is still the case. In your before setup the httpd process runs on ports 443 for HTTPS and 8080 for plain HTTP.
The only thing that looks different is the use of the -b option to configure the backend that Varnish connects to. Currently this is -b www-test-cms:80.
Based on the netstat output, the right port is 8080 instead of 80. However, I'm not a big fan of doing this via a runtime parameter, because the VCL file itself will probably also contain this information.
For reference, here's the out-of-the-box systemd setup for a RHEL-based Varnish setup: https://www.varnish-software.com/developers/tutorials/installing-varnish-red-hat-enterprise-linux/#systemd-configuration .
As specified on https://www.varnish-software.com/developers/tutorials/installing-varnish-red-hat-enterprise-linux/#modifying-the-listening-port-and-cache-size , you need to set the -a property to configure the listening addresses.
Here's an example that is tailored to the Varnish port setup from your netstat output:
varnishd \
-a :80 \
-a :81 \
-f /etc/varnish/default.vcl \
-s malloc,2g \
-pvcc_allow_inline_c=true
- varnishd listens on ports 80 & 81 (I don't know why 81 is needed)
- the -f option links to the VCL file that contains the backend definitions and caching rules
- the -s option (tune this to your own needs)
- -pvcc_allow_inline_c=true enables inline C (avoid enabling inline C unless it's absolutely necessary)

While I can come up with a solution, I strongly advise against the patching process.
While it is important to fix security issues, patching this version of Varnish yourself is not a good idea. Varnish 4 is end-of-life, and so are Varnish 5 and certain versions of Varnish 6.

If you look at https://varnish-cache.org/security/index.html , you'll see that there are more VSVs. And maybe you think your version is not affected by most of them, but because Varnish 4 is EOL the security issues aren't fixed for v4 anymore.

I recommend that you upgrade to a more recent version of Varnish. Varnish Cache 6.0 LTS is the one I would recommend. See https://www.varnish-software.com/developers/tutorials/installing-varnish-red-hat-enterprise-linux for an install guide on RHEL.
The compatibility of the VCL file cannot be guaranteed of course, however just add the vcl 4.1; version marker at the beginning of the VCL file and try to run the VCL code locally to see if it compiles when varnishd starts.
You could try copying the code from /etc/varnish/default.vcl on the server to your local system and test it in a local Docker container. See https://www.varnish-software.com/developers/tutorials/running-varnish-docker/ for more info about spinning up the official Varnish Docker image.

Once you know the VCL file works on Varnish 6.0 LTS, you could go further with the upgrade of your Varnish server.

Patching an EOL version of Varnish is just a bad idea; just bite the bullet and upgrade to a modern version that is supported.
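As an added example (not part of the original question or answer, and not code from the Varnish project): a small POSIX shell script that reads the text of netstat -tlnp, works out which process owns the port named in a -b host:port backend, and reports whether that backend is the origin (httpd) or Varnish itself. Pointing the -b backend at port 80 while varnishd listens on port 80 would make Varnish proxy to itself, which is the mismatch the answer identifies. The embedded NETSTAT_AFTER sample is constructed from the "After" listing in the question; the function names and the hostname www-test-cms (taken from the question) are my own choices. The last function prints the VCL 4.1 backend definition for the corrected port, since the answer suggests the backend belongs in the VCL file rather than on the command line.

```shell
#!/bin/sh
# Added example: check a "-b host:port" backend against netstat output and
# emit a VCL 4.1 backend definition. Nothing here touches the running server.

# Constructed sample: the "After" netstat -tlnp listing from the question.
NETSTAT_AFTER='tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 1761/php-fpm: maste
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6004/varnishd
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1779/httpd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1779/httpd
tcp 0 0 127.0.0.1:35588 0.0.0.0:* LISTEN 6003/varnishd'

# listener_owner PORT NETSTAT_TEXT
# Prints the program name listening on PORT (on any address), or nothing.
listener_owner() {
    port=$1
    printf '%s\n' "$2" | awk -v p="$port" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")      # local address is field 4; port is the last ":" piece
            if (a[n] == p) {
                split($7, prog, "/")   # field 7 is PID/Program
                print prog[2]
                exit
            }
        }'
}

# check_backend HOST:PORT NETSTAT_TEXT
# Exit status: 0 = port served by httpd (the origin), 1 = served by varnishd
# itself (request loop), 2 = nothing listens there, 3 = some other program.
check_backend() {
    port=${1##*:}
    owner=$(listener_owner "$port" "$2")
    case "$owner" in
        httpd)    echo "ok: $1 is served by httpd";                  return 0 ;;
        varnishd) echo "loop: $1 is served by varnishd itself";      return 1 ;;
        "")       echo "unknown: nothing listens on port $port";     return 2 ;;
        *)        echo "warning: $1 is served by $owner, not httpd"; return 3 ;;
    esac
}

# backend_vcl HOST PORT
# Prints a minimal VCL 4.1 file with the origin as the default backend.
backend_vcl() {
    cat <<EOF
vcl 4.1;

backend default {
    .host = "$1";
    .port = "$2";
}
EOF
}

# Usage: the command from the question (loops), then the corrected port.
check_backend www-test-cms:80   "$NETSTAT_AFTER" || true
check_backend www-test-cms:8080 "$NETSTAT_AFTER"
backend_vcl www-test-cms 8080
```

Run it on a real box with `check_backend host:port "$(netstat -tlnp)"` before restarting varnishd. To confirm that the printed VCL compiles without starting the daemon, save it to a file and run `varnishd -C -f default.vcl`, which compiles the VCL to C and exits.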