Varnish now fully supports HTTP/2 through Hitch; below is a worked setup on CentOS 8.0.

Author: gc(at)sysin.org, homepage: www.sysin.org


Version support:

In Varnish Cache 5.0 there is experimental support for HTTP/2.

Varnish 6.0 now fully supports HTTP/2.

The Varnish HTTP/2 frontend is provided by the Hitch proxy.

Request flow:

+------------+    +------------+    +------------+    +------------+
|            |    |            |    |            |    |            |
|  Browser   +----+    Hitch   +----+  Varnish   +----+    Nginx   |
|            |    |            |    |            |    |            |
+------------+    +------------+    +------------+    +------------+

About Hitch

Hitch is a high-performance open-source SSL/TLS proxy based on libev, developed by Varnish Software.

It supports TLS 1.0, 1.1, 1.2 and 1.3, and for large deployments it handles up to 15,000 listening sockets and 500,000 certificates. As the successor to the Stud project, Hitch is faster, smaller and single-purpose, and allows SSL/TLS to be used on both the Varnish frontend and backend at the same time.

Main features:

  • Supports TLS 1.0, TLS 1.1 and TLS 1.2 (TLS 1.3 from hitch 1.5 onwards)
  • SNI, with both wildcard and non-wildcard certificates
  • HAProxy's PROXY protocol
  • HTTP/2 via the NPN or ALPN extensions
  • Large-scale deployments (up to 15,000 listening sockets and 500,000 certificates)
  • Seamless reloading of certificates and listening endpoints

Varnish Software also offers commercial support for Hitch.

See the following sites for more information:

Hitch community site

Hitch on Github

Install Varnish 6.0 LTS

Bash Scripts

Quick install repo

curl -s https://packagecloud.io/install/repositories/varnishcache/varnish60lts/script.rpm.sh | sudo bash

Install

yum install varnish -y
# or
dnf install varnish -y

Version

varnishd -V
varnishd (varnish-6.0.2 revision 0458b54db26cfbea79af45ca5c4767c7c2925a91)
Copyright (c) 2006 Verdens Gang AS
Copyright (c) 2006-2018 Varnish Software AS

Default config

cat /etc/varnish/default.vcl
#
# This is an example VCL file for Varnish.
#
# It does not do anything by default, delegating control to the
# builtin VCL. The builtin VCL is called when there is no explicit
# return statement.
#
# See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/
# and https://www.varnish-cache.org/trac/wiki/VCLExamples for more examples.

# Marker to tell the VCL compiler that this VCL has been adapted to the
# new 4.0 format.
vcl 4.0;

# Default backend definition. Set this to point to your content server.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Happens before we check if we have this in cache already.
    #
    # Typically you clean up the request here, removing cookies you don't need,
    # rewriting the request, etc.
}

sub vcl_backend_response {
    # Happens after we have read the response headers from the backend.
    #
    # Here you clean the response headers, removing silly Set-Cookie headers
    # and other mistakes your backend does.
}

sub vcl_deliver {
    # Happens when we have all the pieces we need, and are about to send the
    # response to the client.
    #
    # You can do accounting or modifying the final object here.
}

Install Hitch 1.5 (EPEL)

hitch requires:

libev >= 4
openssl (recent, >=1.0.0 recommended)

hitch currently works on Linux, OpenBSD, FreeBSD, and MacOSX. It has been tested the most heavily on Linux/x86_64.

dnf install epel-release -y
dnf install hitch -y

Version

hitch -V
hitch 1.5.2

Default config

cat /etc/hitch/hitch.conf
# Run 'man hitch.conf' for a description of all options.

frontend = {
    host = "*"
    port = "443"
}
backend = "[127.0.0.1]:6086"    # 6086 is the default Varnish PROXY port.
workers = 4                     # number of CPU cores

daemon = on

# We strongly recommend you create a separate non-privileged hitch
# user and group
user = "hitch"
group = "hitch"

# Enable to let clients negotiate HTTP/2 with ALPN. (default off)
# alpn-protos = "h2, http/1.1"

# run Varnish as backend over PROXY; varnishd -a :80 -a localhost:6086,PROXY ..
write-proxy-v2 = on             # Write PROXY header

syslog = on
log-level = 1
# Add pem files to this directory
pem-dir = "/etc/pki/tls/private"

Configure hitch

Example configuration (see the official documentation for the remaining parameters):

mv /etc/hitch/hitch.conf /etc/hitch/hitch.conf.bak

# quoted heredoc (<<'EOF'): the shell leaves the single quotes and backticks in the comments below untouched
cat > /etc/hitch/hitch.conf <<'EOF'
# Run 'man hitch.conf' for a description of all options.

frontend = {
    host = "*"
    port = "443"
}
backend = "[127.0.0.1]:6086"    # 6086 is the default Varnish PROXY port.
workers = 4                     # number of CPU cores

daemon = on

# We strongly recommend you create a separate non-privileged hitch
# user and group
user = "hitch"
group = "hitch"

# Enable to let clients negotiate HTTP/2 with ALPN. (default off)
# varnishd must be started with `-p feature=+http2` to turn on its HTTP/2 feature (off by default)
alpn-protos = "h2, http/1.1"

# run Varnish as backend over PROXY; varnishd -a :80 -a localhost:6086,PROXY ..
write-proxy-v2 = on             # Write PROXY header

syslog = on
log-level = 1

# Add pem files to this directory
#pem-dir = "/etc/pki/tls/private"

## A PEM file combines key, cert and chain; several PEM files may be given
## cat example.com.key example.com.crt my-ca-bundle.crt > example.com.pem
pem-file = "/etc/hitch/varnish.pem"
# A second PEM file
#pem-file = "/etc/hitch/mydomain.pem"
## Officially recommended default ciphers
ciphers = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
## Hitch supports TLS (1.0, 1.1, 1.2, 1.3) and SSL 3. By default
tls-protos = TLSv1.2 TLSv1.3
## TCP Fast Open saves up to one full round-trip time (RTT) over the standard three-way connection handshake during a TCP session.
tcp-fastopen = on
EOF

For OCSP stapling settings, see the official documentation.

Reloading the configuration without interruption

Adding, updating and removing PEM files (pem-file) and frontend listening endpoints (frontend) are currently supported.

systemctl reload hitch
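The following script is an added example, not code from the original post or from the hitch project. It builds the combined PEM file that hitch reads through pem-file in the order the cat command above uses (private key, leaf certificate, chain), creates it readable only by its owner, checks the result, and only then tests the hitch configuration and reloads the service. The input file names, the /etc/hitch/varnish.pem target and the use of hitch's -t (test configuration and exit) option are assumptions; the PEM text in self_check is constructed placeholder data, not real key or certificate material.

```shell
#!/bin/sh
# Added example, not code from the original post or from the hitch project:
# build the combined PEM file that hitch reads through "pem-file", in the
# order the post's cat command uses (private key, leaf certificate, chain),
# keep it readable only by its owner, check the result, and only then test
# the hitch configuration and reload the service.
# Assumptions: the file names, the /etc/hitch/varnish.pem target, and hitch's
# -t (test configuration and exit) option being available.

# build_pem KEY CERT CHAIN OUT: concatenate in key, cert, chain order and
# create OUT with mode 0600 (it contains the private key).
build_pem() {
    ( umask 077; cat "$1" "$2" "$3" > "$4" ) && chmod 600 "$4"
}

# pem_blocks FILE: print the label of every BEGIN line in order, e.g.
# "PRIVATE KEY" / "CERTIFICATE" / "CERTIFICATE".
pem_blocks() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# check_pem_bundle FILE: succeed when FILE is mode 0600, contains exactly one
# private key block, that block comes first, and at least one certificate
# follows. OpenSSL itself only demands that the leaf certificate precedes its
# intermediates; key-first is the layout the post's cat command produces.
check_pem_bundle() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "$f: mode $mode, want 600" >&2; return 1; }
    labels=$(pem_blocks "$f")
    keys=$(printf '%s\n' "$labels" | grep -c 'PRIVATE KEY' || true)
    certs=$(printf '%s\n' "$labels" | grep -c '^CERTIFICATE$' || true)
    first=$(printf '%s\n' "$labels" | head -n 1)
    [ "$keys" -eq 1 ] || { echo "$f: want one private key, found $keys" >&2; return 1; }
    [ "$certs" -ge 1 ] || { echo "$f: no certificate block" >&2; return 1; }
    case $first in
        *"PRIVATE KEY"*) ;;
        *) echo "$f: private key must come first (got '$first')" >&2; return 1 ;;
    esac
}

# hitch_config_ok CONFIG: let hitch parse CONFIG and exit without serving.
hitch_config_ok() {
    hitch -t --config="$1"
}

# self_check: exercise the functions on constructed placeholder PEM text
# (not real key or certificate material) in a temporary directory.
self_check() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' '-----END PRIVATE KEY-----' > "$d/k"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'BBBB' '-----END CERTIFICATE-----' > "$d/c"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CCCC' '-----END CERTIFICATE-----' > "$d/ch"
    build_pem "$d/k" "$d/c" "$d/ch" "$d/good.pem" || return 1
    check_pem_bundle "$d/good.pem" || return 1
    # certificate before key: wrong order for this layout
    cat "$d/c" "$d/k" "$d/ch" > "$d/bad.pem"; chmod 600 "$d/bad.pem"
    if check_pem_bundle "$d/bad.pem" 2>/dev/null; then return 1; fi
    # a world-readable bundle exposes the private key
    chmod 644 "$d/good.pem"
    if check_pem_bundle "$d/good.pem" 2>/dev/null; then return 1; fi
    rm -rf "$d"
}

# Live use (as root): sh build-pem.sh example.com.key example.com.crt ca-bundle.crt
if [ $# -eq 3 ]; then
    build_pem "$1" "$2" "$3" /etc/hitch/varnish.pem \
      && check_pem_bundle /etc/hitch/varnish.pem \
      && hitch_config_ok /etc/hitch/hitch.conf \
      && systemctl reload hitch
fi
```

Run with no arguments the script only defines the functions; with the three input files it writes the bundle and reloads hitch only when every check passed, so a bad bundle never replaces the one hitch is currently serving.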

Start Varnish with HTTP/2 support

By default, HTTP/2 support in Varnish is disabled, so a feature flag must be added to enable it: pass "-p feature=+http2" as a startup parameter to Varnish.

You can check whether the parameter is enabled by running varnishadm param.show feature.

# varnishadm param.show feature

feature
        Value is: none (default)

        Enable/Disable various minor features.
           none                       Disable all features.

        Use +/- prefix to enable/disable individual feature:
           short_panic                Short panic message.
           wait_silo                  Wait for persistent silo.
           no_coredump                No coredumps.
           esi_ignore_https           Treat HTTPS as HTTP in
                                      ESI:includes
           esi_disable_xml_check      Don't check of body looks like
                                      XML
           esi_ignore_other_elements  Ignore non-esi XML-elements
           esi_remove_bom             Remove UTF-8 BOM
           https_scheme               Also split https URIs
           http2                      Support HTTP/2 protocol
           http_date_postel           Relax parsing of timestamps in
                                      HTTP headers

Start Varnish

In this example Varnish uses its default configuration; Nginx was already running, and its default port was changed to 8080 (steps omitted).

varnishd -a :80 -a localhost:6086,PROXY -p feature=+http2 -f /etc/varnish/default.vcl
# or
varnishd -a localhost:6086,PROXY -p feature=+http2 -f /etc/varnish/default.vcl

Verify that Varnish has HTTP/2 support enabled

varnishadm param.show feature
feature
        Value is: +http2
        Default is: none

        ......

Then start hitch

systemctl restart hitch

Configure HSTS

Edit the Varnish VCL and add the following:

sub vcl_deliver {
    set resp.http.Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload";
}

Varnish must be restarted, or its configuration reloaded, for this to take effect.

SSL Test A+

With the configuration above, the site achieves an A+ rating in the Qualys SSL Labs SSL test.
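As an added example (not code from the original post, Varnish or hitch), the script below performs the two post-deployment checks this setup calls for: it parses the output of varnishadm param.show feature shown above to confirm that +http2 is really set, and it inspects the headers of a request made with curl -sI --http2 to confirm that ALPN negotiated h2 through hitch and that the Strict-Transport-Security header arrives with the max-age configured in vcl_deliver. Browsers only honour HSTS received over TLS, so the header check is made against the https listener. The hostname passed on the command line is a placeholder, and the text used in self_check is constructed sample output.

```shell
#!/bin/sh
# Added example, not code from the original post or from Varnish/hitch:
# post-deployment checks for the setup described above.
# varnish_feature_enabled parses "varnishadm param.show feature" output as
# shown on the page; tls_headers_ok inspects the headers of an HTTPS request
# made with "curl -sI --http2". The hostname given on the command line is a
# placeholder; the text in self_check is constructed sample output.

# varnish_feature_enabled NAME: read param.show output on stdin and succeed
# when "+NAME" is listed on the "Value is:" line. Handles both
# "Value is: none (default)" and comma-separated lists ("+http2,+esi_ignore_https").
varnish_feature_enabled() {
    want=$1
    value=$(sed -n 's/^[[:space:]]*Value is:[[:space:]]*//p' | head -n 1)
    [ -n "$value" ] || return 1
    for tok in $(printf '%s' "$value" | tr ',' ' '); do
        [ "$tok" = "+$want" ] && return 0
    done
    return 1
}

# tls_headers_ok MIN_AGE: read response headers on stdin and succeed only if
# the status line is HTTP/2 (so ALPN negotiated h2 through hitch) and a
# Strict-Transport-Security header carries max-age >= MIN_AGE. Browsers only
# honour HSTS received over TLS, so feed it headers from the https listener.
tls_headers_ok() {
    min=$1
    hdrs=$(tr -d '\r')
    printf '%s\n' "$hdrs" | head -n 1 | grep -q '^HTTP/2 ' \
        || { echo "not served over HTTP/2" >&2; return 1; }
    age=$(printf '%s\n' "$hdrs" | grep -i '^strict-transport-security:' \
          | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$age" ] || { echo "no Strict-Transport-Security header" >&2; return 1; }
    [ "$age" -ge "$min" ] || { echo "HSTS max-age $age below $min" >&2; return 1; }
}

# self_check: run both parsers over constructed sample output.
self_check() {
    # "varnishadm param.show feature" output in the form printed on the page
    printf 'feature\n        Value is: +http2\n        Default is: none\n' \
        | varnish_feature_enabled http2 || return 1
    if printf 'feature\n        Value is: none (default)\n' | varnish_feature_enabled http2; then return 1; fi
    # constructed "curl -sI --http2" output for a correctly configured site
    printf 'HTTP/2 200\r\ncontent-type: text/html\r\nstrict-transport-security: max-age=31536000; includeSubDomains; preload\r\n\r\n' \
        | tls_headers_ok 31536000 || return 1
    # HTTP/1.1 means ALPN did not negotiate h2 (or Varnish lacks +http2)
    if printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n' | tls_headers_ok 31536000 2>/dev/null; then return 1; fi
}

# Live use: sh check-h2.sh example.com   (example.com is a placeholder)
if [ $# -eq 1 ]; then
    varnishadm param.show feature | varnish_feature_enabled http2 \
        || echo "varnishd is running without -p feature=+http2" >&2
    curl -sI --http2 "https://$1/" | tls_headers_ok 31536000 && echo "HTTP/2 and HSTS OK for $1"
fi
```

If the second check reports "not served over HTTP/2" while the first passes, the usual cause is alpn-protos still commented out in hitch.conf, since Varnish only speaks HTTP/2 to clients that hitch has negotiated h2 with.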

[Image 1: Varnish with Hitch HTTP/2 implement on CentOS 8.0]