GRSEC and Varnish

Bernardf FRIT bernard at frit.net
Fri Feb 5 12:01:23 CET 2010


Kristian Lyngstol a écrit :
> On Tue, Feb 02, 2010 at 04:44:48PM +0100, Bernardf FRIT wrote:
>> Hi,
>>
>> I'am running :
>> - varnishd (varnish-2.0.4)
>
> Why not 2.0.6?
When a server is running well, I'm a bit reluctant to upgrade. Now, I'm
ok to upgrade as an attempt to fix this.

>> and it appears that the grsec Kernel repeatedly and unexpectedly sends 
>> signal 11 to the varnishd child.
>
> grsec seems to just report that a segfault occurred. SIGSEG would be a
> strange signal to send in any event. You want to fetch yourself a core-dump
> of this. However, before we get into that, I'd like to know what parameters
> you start Varnish with, and the general setup. VCL too, if possible.
>
Ok, I just misunderstood the grsec report. I can't find any core dump
file in the system.

I start varnishd using /etc/init.d/varnishd with the following parameters :

# cat /etc/conf.d/varnishd
# /etc/conf.d/varnishd

# options passed to varnish on startup
# please see the varnishd man page for more options
VARNISHD_OPTS="-a 87.98.137.117:80 -f /etc/varnish/yourimmo.vcl -n
/home/varnish/yourimmo -s file,/home/varnish/cache/yourimmo,1G -T
127.0.0.1:7777"

# arguments passed to varnishncsa
# please see the varnishncsa man page for more options
VARNISHNCSA_ARGS="-c -a -n /home/varnish/yourimmo -w
/var/log/varnish/access.log"

-----------------------------------------------------------------------------------------------

# cat /etc/varnish/yourimmo.vcl
### define backends:

# ha proxy
backend ha_proxy {
    .host = "127.0.0.1";
    .port = "80";
}

acl purge {
    "localhost";
    "111.111.111.111";
}

### Called when a client request is received

sub vcl_recv {

### if there is a purge make sure its coming from $localhost

        if (req.request == "PURGE") {
            if (!client.ip ~ purge) {
                error 405 "Not allowed.";
                }
            lookup;
        }

# Add a unique header containing the client address
remove req.http.X-Forwarded-For;
set    req.http.X-Forwarded-For = client.ip;

# set    req.http.X-Forwarded-For = req.http.rlnclientipaddr;

# grace settings, note this is also set in vcl_fetch,
set req.grace = 600s;

if (req.http.host ~ "^(www.)?your-immo.fr$") {
        set req.backend = ha_proxy;
}

### ne pas mettre en cache:

        if (req.request == "GET" && req.url ~ "\.(php|html)$") {
                pass;
        }
        if (req.request == "GET" && req.url ~ "\.(your-immo\.fr)$") {
                pass;
        }

### toujours mettre en cache:

     if (req.request == "GET" && req.url ~ "\.(js)") {
                lookup;
        }

        ## images
        if (req.request == "GET" && req.url ~
"\.(gif|jpg|jpeg|bmp|png|tiff|tif|ico|img|tga|wmf)$") {
        lookup;
        }

        ## pages statiques
        if (req.request == "GET" && req.url ~ "\.(css|pdf|exe)$") {
        lookup;
        }

  ## multimedia
        if (req.request == "GET" && req.url ~
"\.(svg|swf|ico|mp3|mp4|m4a|ogg|mov|avi|wmv)$") {
        lookup;
        }

        ## xml

        if (req.request == "GET" && req.url ~ "\.(xml)$") {
        lookup;
        }

### regles a  ne pas mettre en cache:

        if (req.request == "GET" && req.url ~ "\/stats") {
                 pipe;
        }
        if (req.request != "GET" && req.request != "HEAD") {
                pipe;
        }
        if (req.http.Authenticate || req.http.Authorization) {
                pass;
        }

###  ne pas mettre en cache les sessions d'authenticfication
        if (req.http.Cookie && req.http.Cookie ~ "authtoken=") {
                pipe;
        }


### parse accept encoding rulesets to make it look nice
        if (req.http.Accept-Encoding) {
                if (req.http.Accept-Encoding ~ "gzip") {
                        set req.http.Accept-Encoding = "gzip";
                } elsif (req.http.Accept-Encoding ~ "deflate") {
                        set req.http.Accept-Encoding = "deflate";
                } else {
                        # unkown algorithm
                        remove req.http.Accept-Encoding;
                }
        }

### Modif suite a segfault
        pass;

### if it passes all these tests, do a lookup anyway;
###        lookup;

### end of vcl_recv
}

### Called when an object is in the cache, its a hit.
sub vcl_hit {
  if (req.request == "PURGE") {
      set obj.ttl = 0s;
      error 200 "Purged.";
  }
  if (!obj.cacheable) {
      pass;
  }

deliver;
}

### Called when the requested object was not found in the cache

sub vcl_miss {
  if (req.request == "PURGE") {
      error 404 "Not in cache.";
  }
}

### Called when the requested object has been retrieved from the
backend, or the request to the backend has failed

sub vcl_fetch {

## If the request to the backend returns a code other than 200, restart
the loop
## If the number of restarts reaches the value of the parameter
max_restarts,
## the request will be error'ed.  max_restarts defaults to 4.  This
prevents
## an eternal loop in the event that, e.g., the object does not exist
at all.
## this rule also allows for 301's and 302's redirects...

        if (obj.status != 200 && obj.status != 403 && obj.status != 404
&& obj.status != 301 && obj.status != 302) {
           restart;
        }

        # if i cant connect to the backend, ill set the grace period to
be 600 seconds to hold onto content
        set obj.ttl = 0s;
        set obj.grace = 600s;

        if (obj.status == 404) {
        set obj.ttl = 0s;
        }

        if (obj.status >= 500) {
        set obj.ttl = 0s;
        }

        if (req.request == "GET" && req.url ~
"\.(gif|jpg|jpeg|bmp|png|tiff|tif|ico|img|tga|wmf)$") {
        set obj.ttl = 24h;
        }

        ## various other content pages
        if (req.request == "GET" && req.url ~ "\.(css|pdf|exe)$") {
        set obj.ttl = 24h;
        }

        if (req.request == "GET" && req.url ~ "\.(js)$") {
        set obj.ttl = 24h;
        }

        ## xml
        if (req.request == "GET" && req.url ~ "\.(xml)$") {
        set obj.ttl = 24h;
        }

        ## multimedia
        if (req.request == "GET" && req.url ~
"\.(svg|swf|ico|mp3|mp4|m4a|ogg|mov|avi|wmv)$") {
        set obj.ttl = 24h;
        }

        if (!obj.cacheable) {
        set obj.http.X-Cacheable = "NO:Not-Cacheable";
        pass;
        }

        if (obj.http.Set-Cookie) {
        pass;
        }

        if (req.request == "HEAD") {
        set obj.http.head = "yes";
        }

        set obj.http.X-Cacheable = "YES";
        deliver;
}

#
#
## Called before a cached object is delivered to the client
#
sub vcl_deliver {

  set resp.http.X-Served-By = "Server 203";
  if (obj.hits > 0) {
    set resp.http.X-Cache = "HIT";
    set resp.http.X-Cache-Hits = obj.hits;
  } else {
    set resp.http.X-Cache = "MISS";
  }
    remove resp.http.X-Powered-By;
    set resp.http.Server="Apache-NSCA";
  deliver;
}







More information about the varnish-misc mailing list