- Varnish Cache is a free, open source, modern and high-performance web application accelerator. It is a fast reverse HTTP proxy that speeds up a web server by keeping copies of responses in server memory (a cache) and answering repeat requests from there. It runs in front of an origin server such as the Apache (httpd) web server, which is installed first:
# dnf update
# dnf install httpd
# systemctl start httpd
# systemctl enable httpd
# systemctl status httpd
# firewall-cmd --zone=public --permanent --add-service=http
# firewall-cmd --reload
# dnf module install varnish
# varnishd -V
# systemctl start varnish
# systemctl enable varnish
# systemctl status varnish
# vi /etc/httpd/conf.d/flexydial.conf
<VirtualHost *:8089>
    Protocols h2 http/1.1
    ServerAdmin [email protected]
    Alias /static/ /usr/local/src/project/static/
    Alias /recordings/ /var/spool/project/default/
    WSGIDaemonProcess project python-path=/usr/local/src/project/ python-home=/usr/local/src/project/projectenv display-name=project-app processes=3 threads=85
    WSGIProcessGroup project
    WSGIScriptAlias / /usr/local/src/project/project/wsgi.py
    LogLevel warn
    CustomLog logs/project-access.log combined
    ErrorLog logs/project-error.log
</VirtualHost>
- A VirtualHost on 8089 only answers if httpd actually listens there, and httpd has to give up ports 80 and 443 because Varnish and Hitch take them below. Change the Listen directive in /etc/httpd/conf/httpd.conf from port 80 to 127.0.0.1:8089 (loopback only, so the origin cannot be reached by clients except through Varnish), and comment out the https listener that mod_ssl adds in its own config:
# vim /etc/httpd/conf.d/ssl.conf
#Listen 443 https      (commented out: Hitch, not httpd, will own port 443)
# httpd -t
# systemctl restart httpd
# systemctl edit --full varnish
# vim /etc/sysconfig/varnish
- Look for the ExecStart line and change the value of the -a switch (which sets the address and port varnishd listens on) from :6081 to :80, so Varnish answers the port the firewall rule above opened. If you do not specify an address, varnishd listens on all IPv4 and IPv6 interfaces active on the server.
ExecStart=/usr/sbin/varnishd -a :80 -f /etc/varnish/default.vcl -s malloc,256m
# vi /etc/varnish/default.vcl
vcl 4.0;
import std;
# Default backend definition: the Apache vhost configured above, on loopback.
backend default {
    .host = "127.0.0.1";
    .port = "8089";
}
sub vcl_recv {
    # Redirect every request that did not arrive on port 443 to https.
    # server.ip is the address the client connected to. For a listener tagged
    # ",proxy" (the Hitch hand-off added below) Varnish takes it from the
    # PROXY header, i.e. the client-facing address:443, not the local
    # 127.0.0.1:8443 socket. If the PROXY header is missing, this test sees
    # 8443 on every https request and the 301 is issued again and again.
    if (std.port(server.ip) != 443) {
        set req.http.location = "https://" + req.http.host + req.url;
        return (synth(301));
    }
}
sub vcl_synth {
    # Turn the synthetic 301 into a real redirect with the Location stashed above.
    if (resp.status == 301) {
        set resp.http.location = req.http.location;
        set resp.status = 301;
        return (deliver);
    }
}
# systemctl daemon-reload
# systemctl restart varnish
# ss -tpln      (lists listening TCP sockets with their owning process: varnishd should now hold :80 and httpd port 8089)
- Hitch is a free, open source, libev-based and scalable SSL/TLS proxy designed for Varnish Cache. It supports TLS 1.2 and TLS 1.3 as well as legacy TLS 1.0/1.1, ALPN (Application-Layer Protocol Negotiation) and NPN (Next Protocol Negotiation) for HTTP/2, the PROXY protocol for passing the client IP/port (and the original destination port) to the backend, UNIX domain socket connections to the origin, and SNI (Server Name Indication) with and without wildcard certificates. Hitch terminates TLS on 443 and hands the decrypted request to Varnish over a second, loopback-only listener that speaks PROXY; Varnish keeps plain http on 80 only to issue the redirect above.
# dnf install hitch openssl
# systemctl edit --full varnish
ExecStart=/usr/sbin/varnishd -a :80 -a 127.0.0.1:8443,proxy -f /etc/varnish/default.vcl -s malloc,256m
# systemctl restart varnish
- Hitch reads the certificate and private key from a single PEM bundle. The package-provided self-signed localhost pair is enough to test with (replace it with your real certificate chain and key for production). Because the bundle contains the private key, make sure it ends up mode 600 and owned by root; Hitch opens it before dropping to the hitch user, so nothing else needs to read it:
# cd /etc/pki/tls/
# cat certs/localhost.crt private/localhost.key > hitch.pem
# vi /etc/hitch/hitch.conf
frontend = {
    host = "*"
    port = "443"
}
backend = "[127.0.0.1]:8443"   # must be the varnishd listener tagged ",proxy" above (6086 is only Hitch's default)
workers = 4                    # number of CPU cores
daemon = on
# We strongly recommend you create a separate non-privileged hitch
# user and group
user = "hitch"
group = "hitch"
# Enable to let clients negotiate HTTP/2 with ALPN. (default off)
# alpn-protos = "h2, http/1.1"
# Varnish is the backend over PROXY: varnishd -a :80 -a 127.0.0.1:8443,proxy ...
write-proxy-v2 = on            # Write PROXY header; without it Varnish sees 127.0.0.1:8443 instead of :443 and the https redirect loops
syslog = on
log-level = 1
# The certificate and key bundle created above
pem-file = "/etc/pki/tls/hitch.pem"
# systemctl enable --now hitch
# systemctl status hitch
# firewall-cmd --zone=public --permanent --add-service=https
# firewall-cmd --reload
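- Before trusting the stack, it is worth checking that the three pieces agree with each other. The script below is an added example written for this page, not code from the how-to or from the Hitch or Varnish projects. It checks the one coupling that causes a redirect loop (Hitch must send a PROXY header to the varnishd listener tagged ",proxy", otherwise the VCL never sees port 443) and that the PEM bundle is root-only and holds both key and certificate. The default paths are the ones used above (the unit file path is where systemctl edit --full writes; the bundle is assumed to be named hitch.pem); pass your own paths as arguments if they differ.

```sh
#!/bin/sh
# Added example (not part of the original how-to): preflight for the
# Hitch -> Varnish hand-off.  default.vcl redirects unless
# std.port(server.ip) == 443, and Varnish only learns that original port
# from the PROXY header.  So Hitch must write PROXY and must point at the
# varnishd listener tagged ",proxy"; otherwise every https request sees
# port 8443 and is redirected again (a 301 loop).  The PEM bundle must
# also hold the key and not be world-readable.  Paths are assumptions:
# the defaults below are the ones used in this how-to.

# Port Hitch forwards to, taken from the `backend = "[host]:port"` line
# (Hitch wants the bracketed form, so that is what we parse).
hitch_backend_port() {
    sed -n 's/^[[:space:]]*backend[[:space:]]*=[[:space:]]*"\[[^]]*\]:\([0-9]*\)".*/\1/p' "$1" | head -n1
}

# 0 if hitch.conf enables a PROXY header (write-proxy-v1 or write-proxy-v2).
hitch_writes_proxy() {
    grep -Eiq -e '^[[:space:]]*write-proxy(-v[12])?[[:space:]]*=[[:space:]]*on' "$1"
}

# 0 if the varnishd command line in $1 has "-a <addr>:<port>,proxy" for
# port $2.  Matched case-insensitively: this page spells it both ",proxy"
# and ",PROXY".
varnish_has_proxy_listener() {
    grep -Eiq -e "-a[[:space:]]+[^[:space:]]*:$2,proxy([[:space:],]|$)" "$1"
}

# 0 if the PEM bundle is mode 600/400 and contains a private key and a
# certificate.  hitch opens it as root before dropping to user "hitch",
# so nobody else needs read access to the key.
pem_bundle_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -l "$1" | cut -c2-10)
    case "$mode" in rw-------|r--------) ;; *) return 1 ;; esac
    grep -q 'BEGIN .*PRIVATE KEY' "$1" || return 1
    grep -q 'BEGIN CERTIFICATE' "$1"
}

# Run every check in order; print the first failure and return 1, or "ok".
preflight() {
    hconf=${1:-/etc/hitch/hitch.conf}
    vunit=${2:-/etc/systemd/system/varnish.service}
    pem=${3:-/etc/pki/tls/hitch.pem}
    port=$(hitch_backend_port "$hconf")
    [ -n "$port" ] || { echo "$hconf: no backend = \"[host]:port\" line"; return 1; }
    hitch_writes_proxy "$hconf" ||
        { echo "$hconf: write-proxy is off; Varnish would see port $port, not 443, and loop on the 301"; return 1; }
    varnish_has_proxy_listener "$vunit" "$port" ||
        { echo "$vunit: no \"-a ...:$port,proxy\" listener for Hitch to talk to"; return 1; }
    pem_bundle_ok "$pem" ||
        { echo "$pem: must be mode 600 and contain both PRIVATE KEY and CERTIFICATE"; return 1; }
    echo "ok: Hitch -> :$port (PROXY) -> Varnish; PEM bundle is root-only"
}

# Run the checks when executed directly:  sh preflight.sh [hitch.conf unit pem]
case "${0##*/}" in preflight.sh) preflight "$@" ;; esac
```

Run it after every change to hitch.conf or the varnish unit; if it complains about write-proxy or the ",proxy" listener, fix that before looking anywhere else for a redirect loop.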
- Load http://<Your Domain IP>/ or https://<Your Domain IP>/ in a browser; the http URL should land on the https one after a single 301. Once the index page of your web application has loaded, check the response headers to confirm that content is being served via Varnish Cache.
- To do that, right-click on the loaded web page, select Inspect from the list of options to open the developer tools. Then click on the Network tab, reload the page, and select a request to view its response headers. A response that passed through Varnish carries an X-Varnish header (two transaction IDs on a cache hit, one on a miss) and a Via header naming varnish; if those are absent, the request reached Apache directly.
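- The same check can be scripted from the server with curl instead of browser developer tools. This is an added example for this page, not code from the how-to; the HOST name is a placeholder, and while the self-signed localhost certificate is still in place curl needs -k for the https requests.

```sh
#!/bin/sh
# Added example (not part of the original how-to): confirm from the shell
# that http redirects to https exactly once and that https responses come
# through Varnish.  HOST is a placeholder; add -k to the https curl calls
# while the self-signed localhost certificate is still in use.

# 0 if the header block on stdin is a 301 whose Location is an https:// URL.
is_https_redirect() {
    hdrs=$(cat)
    printf '%s\n' "$hdrs" | head -n1 | grep -Eq '^HTTP/[0-9.]+ 301' || return 1
    printf '%s\n' "$hdrs" | grep -Eiq '^location: https://'
}

# 0 if the header block on stdin shows the response went through Varnish:
# varnishd itself adds X-Varnish (transaction ids) and "Via: 1.1 varnish".
served_by_varnish() {
    hdrs=$(cat)
    printf '%s\n' "$hdrs" | grep -Eiq '^x-varnish: [0-9]' || return 1
    printf '%s\n' "$hdrs" | grep -Eiq '^via: .*varnish'
}

# Print "hit" or "miss": on a hit X-Varnish carries two ids, the current
# transaction and the one that populated the cache; a miss carries one.
cache_state() {
    ids=$(grep -i '^x-varnish:' | head -n1 | sed 's/^[^:]*:[[:space:]]*//' | tr -d '\r')
    set -- $ids
    if [ "$#" -ge 2 ]; then echo hit; else echo miss; fi
}

# Live use:  HOST=www.example.com sh verify.sh
if [ -n "${HOST:-}" ]; then
    curl -sI "http://$HOST/" | is_https_redirect \
        && echo "http://$HOST/ -> 301 to https" \
        || echo "http://$HOST/: no https redirect"
    hdrs=$(curl -sI "https://$HOST/")
    printf '%s\n' "$hdrs" | served_by_varnish \
        && echo "https: served via Varnish ($(printf '%s\n' "$hdrs" | cache_state))" \
        || echo "https: no X-Varnish/Via headers; is Hitch pointed at the ,proxy listener?"
    # A redirect loop (Varnish never seeing port 443) makes curl give up here.
    curl -sSL --max-redirs 5 -o /dev/null "http://$HOST/" || echo "redirect loop or fetch failure"
fi
```

Request the same page twice: the first https response should report miss and the second hit, which is the point of putting Varnish in front of the WSGI backend.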
- With SELinux enforcing, httpd may only bind to ports labelled http_port_t (80 and 443 among them), so the 8089 backend vhost fails to start until that port is added to the type. Install the tooling, check the current list, add the port, and confirm the label:
# dnf install -y setroubleshoot-server selinux-policy-devel
# semanage port -l | grep -w http_port_t
# semanage port -a -t http_port_t -p tcp 8089
# sepolicy network -p 8089
Thank you!
Thank you for a great howto. I understand clearly what you're doing, but for some reason my website gets stuck in a 301 redirect loop, as soon as I enable Hitch. Tried a bunch of configurations, nothing works as of yet.