
Speeding up Apache2 with Varnish; under ISPConfig 3

Virtual hosting under ISPConfig 3 requires Apache2 as the web server (because of the need for .htaccess), so Apache2 cannot simply be replaced with NginX.

Solution in brief:

Set up Varnish as a cache in front of Apache2; however, Varnish does not support SSL.

Hence we need to set up NginX as a reverse proxy that listens on port 443, terminates SSL and forwards the requests to Varnish.

The last step is to set up the http-to-https redirection. This cannot be done with the ISPConfig 3 http-to-https switch, because that Apache2-based setting creates an infinite redirect loop (Apache2 sits behind Varnish and only ever sees plain http). It is resolved instead by creating the redirect within Varnish using its configuration language, VCL.

Solution step-by-step:

Source:

1. https://github.com/manoaratefy/ispconfig3-varnish

When following the steps in Source 1, also turn off any Apache2 http-to-https redirect under ISPConfig after re-syncing the websites.

Then remove the default NginX vhost:
rm /etc/nginx/sites-enabled/default

Then perform the final steps as directed, i.e. restart the services:
systemctl restart apache2
systemctl restart varnish
systemctl restart nginx

2. https://gist.github.com/section-io-gists/2eb0f267a08734f92003f06d295af22a

In this step, we configure Varnish to redirect http to https.

Add the following if-block inside the existing vcl_recv block (the rest of the block stays as it is):

sub vcl_recv {
  if (req.http.X-Forwarded-Proto !~ "https") {
    return (synth(850, "Moved Permanently"));
  }
}


Add the following two new blocks at the end of the config file:

sub vcl_synth {
  if(resp.status == 850) {
    set resp.http.Location = "https://" + req.http.host + req.url;
    set resp.status = 301;
    return(deliver);
  }
}

sub vcl_hash {
  hash_data(req.http.X-Forwarded-Proto);
}


Then restart Varnish:
systemctl restart varnish
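As an added example (not part of the original post or of the linked sources), this is the complete default.vcl the snippets above build up to, with one defensive addition: an ACL so that only the NginX hop that terminates SSL can mark a request as https, since Varnish itself still accepts plain http on port 80 from everyone. It assumes NginX reaches Varnish from 127.0.0.1 and that Apache2 was moved to port 8080 by the Source 1 steps; adjust both if your layout differs.

```vcl
# Added example, not from the linked sources.
vcl 4.0;

backend default {
    .host = "127.0.0.1";
    .port = "8080";   # assumption: Apache2 listens here after the Source 1 steps
}

# Only the SSL-terminating NginX instance may assert X-Forwarded-Proto.
# Assumption: NginX proxies to Varnish over the loopback interface.
acl tls_terminator {
    "127.0.0.1";
}

sub vcl_recv {
    # A header that did not arrive from NginX carries no meaning here, so drop it;
    # the redirect below is then decided on the real listener, not on a value the
    # client chose to send.
    if (!(client.ip ~ tls_terminator)) {
        unset req.http.X-Forwarded-Proto;
    }

    # Plain http (header absent or anything other than https): send a 301 to https.
    if (req.http.X-Forwarded-Proto !~ "https") {
        return (synth(850, "Moved Permanently"));
    }
}

sub vcl_synth {
    # Turn the 850 marker from vcl_recv into a real 301 to the same host and path.
    if (resp.status == 850) {
        set resp.http.Location = "https://" + req.http.host + req.url;
        set resp.status = 301;
        return (deliver);
    }
}

sub vcl_hash {
    # Keep http and https variants of a page under separate cache keys.
    hash_data(req.http.X-Forwarded-Proto);
}
```

Check the file with `varnishd -C -f /etc/varnish/default.vcl` before restarting, and confirm the behaviour afterwards with `curl -I http://yourdomain/` (expect 301 with an https Location) and `curl -I https://yourdomain/` (expect the page, not another redirect).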
