Varnish fully supports HTTP/2 by way of Hitch; below is a worked setup on CentOS 8.0.
Author: gc(at)sysin.org, homepage: www.sysin.org
Version support:
In Varnish Cache 5.0 there is experimental support for HTTP/2.
Varnish 6.0 now fully supports HTTP/2.
The Varnish HTTP/2 front end is provided by the Hitch proxy.
Request path:
+------------+    +------------+    +------------+    +------------+
|            |    |            |    |            |    |            |
|  Browser   +----+   Hitch    +----+  Varnish   +----+   Nginx    |
|            |    |            |    |            |    |            |
+------------+    +------------+    +------------+    +------------+
About Hitch
Hitch is a high-performance open-source SSL/TLS proxy built on libev and developed by Varnish Software.
It supports TLS 1.0, 1.1, 1.2 and 1.3, and for large deployments it scales to 15,000 listening sockets and 500,000 certificates. As the successor to the Stud project, Hitch is faster, smaller and single-purpose, and allows SSL/TLS on both the Varnish front end and back end.
Key features:
- TLS 1.0, TLS 1.1 and TLS 1.2 (TLS 1.3 from hitch 1.5 onward)
- SNI, with both wildcard and non-wildcard certificates
- The HAProxy PROXY protocol
- HTTP/2 via the NPN or ALPN extension
- Large-scale deployments (up to 15,000 listening sockets and 500,000 certificates)
- Seamless reloading of certificates and listen endpoints
Varnish Software also offers commercial support for Hitch.
See the following sites for more:
Hitch community site
Hitch on Github
Install Varnish 6.0 LTS
Bash Scripts
quick install repo
curl -s https://packagecloud.io/install/repositories/varnishcache/varnish60lts/script.rpm.sh | sudo bash
Install
yum install varnish -y
# or
dnf install varnish -y
Version
varnishd -V
varnishd (varnish-6.0.2 revision 0458b54db26cfbea79af45ca5c4767c7c2925a91)
Copyright (c) 2006 Verdens Gang AS
Copyright (c) 2006-2018 Varnish Software AS
Default config
cat /etc/varnish/default.vcl
#
# This is an example VCL file for Varnish.
#
# It does not do anything by default, delegating control to the
# builtin VCL. The builtin VCL is called when there is no explicit
# return statement.
#
# See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/
# and https://www.varnish-cache.org/trac/wiki/VCLExamples for more examples.
# Marker to tell the VCL compiler that this VCL has been adapted to the
# new 4.0 format.
vcl 4.0;
# Default backend definition. Set this to point to your content server.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}
sub vcl_recv {
    # Happens before we check if we have this in cache already.
    #
    # Typically you clean up the request here, removing cookies you don't need,
    # rewriting the request, etc.
}
sub vcl_backend_response {
    # Happens after we have read the response headers from the backend.
    #
    # Here you clean the response headers, removing silly Set-Cookie headers
    # and other mistakes your backend does.
}
sub vcl_deliver {
    # Happens when we have all the pieces we need, and are about to send the
    # response to the client.
    #
    # You can do accounting or modifying the final object here.
}
Install Hitch 1.5 (EPEL)
hitch
requires:
libev >= 4
openssl (recent, >=1.0.0 recommended)
hitch currently works on Linux, OpenBSD, FreeBSD, and MacOSX. It has been tested the most heavily on Linux/x86_64.
dnf install epel-release -y
dnf install hitch -y
Version
hitch -V
hitch 1.5.2
Default config
cat /etc/hitch/hitch.conf
# Run 'man hitch.conf' for a description of all options.
frontend = {
    host = "*"
    port = "443"
}
backend = "[127.0.0.1]:6086" # 6086 is the default Varnish PROXY port.
workers = 4 # number of CPU cores
daemon = on
# We strongly recommend you create a separate non-privileged hitch
# user and group
user = "hitch"
group = "hitch"
# Enable to let clients negotiate HTTP/2 with ALPN. (default off)
# alpn-protos = "h2, http/1.1"
# run Varnish as backend over PROXY; varnishd -a :80 -a localhost:6086,PROXY ..
write-proxy-v2 = on # Write PROXY header
syslog = on
log-level = 1
# Add pem files to this directory
pem-dir = "/etc/pki/tls/private"
Configure hitch
Example configuration (see the official documentation for the remaining parameters):
mv /etc/hitch/hitch.conf /etc/hitch/hitch.conf.bak
# quoted heredoc: the inner single quotes and backticks are written literally
cat > /etc/hitch/hitch.conf <<'EOF'
# Run 'man hitch.conf' for a description of all options.
frontend = {
    host = "*"
    port = "443"
}
backend = "[127.0.0.1]:6086" # 6086 is the default Varnish PROXY port.
workers = 4 # number of CPU cores
daemon = on
# We strongly recommend you create a separate non-privileged hitch
# user and group
user = "hitch"
group = "hitch"
# Enable to let clients negotiate HTTP/2 with ALPN. (default off)
# Varnish must be started with `-p feature=+http2` to turn on its HTTP/2 feature (off by default)
alpn-protos = "h2, http/1.1"
# run Varnish as backend over PROXY; varnishd -a :80 -a localhost:6086,PROXY ..
write-proxy-v2 = on # Write PROXY header
syslog = on
log-level = 1
# Add pem files to this directory
#pem-dir = "/etc/pki/tls/private"
## A PEM file is the concatenation of key, cert and chain; several PEM files may be listed
## cat example.com.key example.com.crt my-ca-bundle.crt > example.com.pem
pem-file = "/etc/hitch/varnish.pem"
# A second PEM file
#pem-file = "/etc/hitch/mydomain.pem"
## Officially recommended default ciphers
ciphers = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
## Hitch supports TLS (1.0, 1.1, 1.2, 1.3) and SSL 3. By default
tls-protos = TLSv1.2 TLSv1.3
## TCP Fast Open saves up to one full round-trip time (RTT) over the standard three-way connection handshake during a TCP session.
tcp-fastopen = on
EOF
For OCSP stapling settings, see the official documentation.
Reloading the configuration without interruption
Adding, updating and removing PEM files (pem-file) and front-end listen endpoints (frontend) is currently supported.
systemctl reload hitch
Start Varnish with HTTP/2 support
HTTP/2 support in Varnish is disabled by default, so a feature flag has to be added to enable it: pass "-p feature=+http2" as a varnishd startup parameter.
You can check whether the parameter is enabled by running the varnishadm param.show feature command.
# varnishadm param.show feature
feature
Value is: none (default)
Enable/Disable various minor features.
none Disable all features.
Use +/- prefix to enable/disable individual feature:
short_panic Short panic message.
wait_silo Wait for persistent silo.
no_coredump No coredumps.
esi_ignore_https Treat HTTPS as HTTP in
ESI:includes
esi_disable_xml_check Don't check of body looks like
XML
esi_ignore_other_elements Ignore non-esi XML-elements
esi_remove_bom Remove UTF-8 BOM
https_scheme Also split https URIs
http2 Support HTTP/2 protocol
http_date_postel Relax parsing of timestamps in
HTTP headers
Start Varnish
In this example Varnish uses its default configuration; Nginx was already running and only needed its default port changed to 8080 (steps omitted).
varnishd -a :80 -a localhost:6086,PROXY -p feature=+http2 -f /etc/varnish/default.vcl
# or
varnishd -a localhost:6086,PROXY -p feature=+http2 -f /etc/varnish/default.vcl
Verify that Varnish has HTTP/2 support enabled
varnishadm param.show feature
feature
Value is: +http2
Default is: none
......
Then start hitch
systemctl restart hitch
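A consistency check for the setup above, added here as an example (not code from the original post or from either project): it reads a hitch.conf and the varnishd argument string and flags the mismatches that make this stack fail quietly, such as ALPN offering h2 while varnishd lacks -p feature=+http2, or write-proxy-v2 = on without a matching ",PROXY" listener. The `ps -o args=` form in the usage comment assumes procps.

```shell
#!/bin/sh
# Added consistency check for the Hitch + Varnish HTTP/2 setup described above
# (example code, not part of the original post or of either project).
# Findings that return 1:
#  - alpn-protos advertises h2 but varnishd was not started with -p feature=+http2
#  - write-proxy-v2 = on but the backend port is not a ",PROXY" listener in varnishd
#  - tls-protos still enables SSLv3 / TLS 1.0 / TLS 1.1 (costs the SSL Labs A+)
# Usage: check_h2_setup /etc/hitch/hitch.conf "$(ps -o args= -C varnishd)"

# conf_value FILE KEY: print KEY's value with quotes and trailing comment removed;
# commented-out lines ("# alpn-protos = ...") are skipped because KEY must start the line
conf_value() {
    sed -n -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^"//' -e 's/"$//' | head -n 1
}

# check_h2_setup HITCH_CONF VARNISHD_ARGS: return 0 if consistent, 1 otherwise
check_h2_setup() {
    conf=$1; args=$2; rc=0
    alpn=$(conf_value "$conf" alpn-protos)
    proxy=$(conf_value "$conf" write-proxy-v2)
    port=$(conf_value "$conf" backend); port=${port##*:}   # "[127.0.0.1]:6086" -> 6086
    protos=$(conf_value "$conf" tls-protos)

    case "$alpn" in
    *h2*) case "$args" in
          *"feature=+http2"*) ;;
          *) echo "FAIL: ALPN offers h2 but varnishd lacks -p feature=+http2" >&2; rc=1 ;;
          esac ;;
    *)    echo "note: alpn-protos does not list h2, clients stay on HTTP/1.1" >&2 ;;
    esac

    if [ "$proxy" = "on" ]; then
        case "$args" in
        *":$port,PROXY"*) ;;
        *) echo "FAIL: write-proxy-v2 = on but no ':$port,PROXY' listener in varnishd" >&2; rc=1 ;;
        esac
    fi

    case " $protos " in
    *" SSLv3 "*|*" TLSv1.0 "*|*" TLSv1.1 "*)
        echo "FAIL: tls-protos enables a legacy protocol: $protos" >&2; rc=1 ;;
    esac
    return $rc
}
```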
Configure HSTS
Edit the Varnish VCL and add the following:
sub vcl_deliver {
    set resp.http.Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload";
}
Varnish must be restarted or have its configuration reloaded for the change to take effect.
SSL Test A+
The configuration above earns an A+ rating in the Qualys SSL Labs SSL test.