Varnish with Hitch: implementing HTTP/2 on CentOS 8.0

Varnish fully supports HTTP/2 when fronted by Hitch; what follows is a worked implementation on CentOS 8.0.

Author: gc(at)sysin.org, homepage: www.sysin.org


Version support:

In Varnish Cache 5.0 there is experimental support for HTTP/2.

Varnish 6.0 now fully supports HTTP/2.

Varnish does not terminate TLS itself: the HTTP/2 front end is provided by the Hitch proxy, which terminates TLS, negotiates h2 with the client via ALPN and hands the connection to Varnish over the PROXY protocol.

Request flow:

+------------+    +------------+    +------------+    +------------+
|            |    |            |    |            |    |            |
|   Browser  +----+    Hitch   +----+  Varnish   +----+    Nginx   |
|            |    |            |    |            |    |            |
+------------+    +------------+    +------------+    +------------+

Hitch overview

Hitch is a high-performance, libev-based open-source SSL/TLS proxy developed by Varnish Software.

It supports TLS 1.0, 1.1, 1.2 and 1.3, and scales to large deployments: up to 15,000 listening sockets and 500,000 certificates. As the successor to the Stud project, Hitch is faster, smaller and single-purpose, and can provide SSL/TLS both in front of Varnish and on the Varnish backend side.

Main features:

  • TLS 1.0, TLS 1.1 and TLS 1.2 (TLS 1.3 from Hitch 1.5 onwards)
  • SNI, with both wildcard and non-wildcard certificates
  • HAProxy's PROXY protocol
  • HTTP/2 via the NPN or ALPN TLS extension
  • Large-scale deployments (up to 15,000 listening sockets and 500,000 certificates)
  • Seamless reloading of certificates and listen endpoints

Varnish Software also offers commercial support for Hitch.

See the following sites for more:

Hitch community site

Hitch on GitHub

Install Varnish 6.0 LTS

Bash Scripts

Quick install of the package repository (note that this pipes a remote script straight into a root shell; if that is not acceptable under your policy, download script.rpm.sh first, read it, and then run it):

curl -s https://packagecloud.io/install/repositories/varnishcache/varnish60lts/script.rpm.sh | sudo bash

Install

yum install varnish -y
# or
dnf install varnish -y

Version

varnishd -V
varnishd (varnish-6.0.2 revision 0458b54db26cfbea79af45ca5c4767c7c2925a91)
Copyright (c) 2006 Verdens Gang AS
Copyright (c) 2006-2018 Varnish Software AS

Default config

cat /etc/varnish/default.vcl
#
# This is an example VCL file for Varnish.
#
# It does not do anything by default, delegating control to the
# builtin VCL. The builtin VCL is called when there is no explicit
# return statement.
#
# See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/
# and https://www.varnish-cache.org/trac/wiki/VCLExamples for more examples.

# Marker to tell the VCL compiler that this VCL has been adapted to the
# new 4.0 format.
vcl 4.0;

# Default backend definition. Set this to point to your content server.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Happens before we check if we have this in cache already.
    #
    # Typically you clean up the request here, removing cookies you don't need,
    # rewriting the request, etc.
}

sub vcl_backend_response {
    # Happens after we have read the response headers from the backend.
    #
    # Here you clean the response headers, removing silly Set-Cookie headers
    # and other mistakes your backend does.
}

sub vcl_deliver {
    # Happens when we have all the pieces we need, and are about to send the
    # response to the client.
    #
    # You can do accounting or modifying the final object here.
}

Install Hitch 1.5 (from EPEL)

Hitch requires:

libev >= 4
openssl (recent, >=1.0.0 recommended)

Hitch currently works on Linux, OpenBSD, FreeBSD and macOS. It has been tested most heavily on Linux/x86_64.

dnf install epel-release -y
dnf install hitch -y

Version

hitch -V
hitch 1.5.2

Default config

cat /etc/hitch/hitch.conf
# Run 'man hitch.conf' for a description of all options.

frontend = {
    host = "*"
    port = "443"
}
backend = "[127.0.0.1]:6086"    # 6086 is the default Varnish PROXY port.
workers = 4                     # number of CPU cores

daemon = on

# We strongly recommend you create a separate non-privileged hitch
# user and group
user = "hitch"
group = "hitch"

# Enable to let clients negotiate HTTP/2 with ALPN. (default off)
# alpn-protos = "h2, http/1.1"

# run Varnish as backend over PROXY; varnishd -a :80 -a localhost:6086,PROXY ..
write-proxy-v2 = on             # Write PROXY header

syslog = on
log-level = 1

# Add pem files to this directory
pem-dir = "/etc/pki/tls/private"

Configure Hitch

Example configuration, written with a quoted heredoc so that the quotes inside the comments survive the shell (see the official documentation for the remaining parameters):

mv /etc/hitch/hitch.conf /etc/hitch/hitch.conf.bak
cat > /etc/hitch/hitch.conf <<'EOF'
# Run 'man hitch.conf' for a description of all options.
frontend = {
    host = "*"
    port = "443"
}
backend = "[127.0.0.1]:6086"    # 6086 is the default Varnish PROXY port.
workers = 4                     # number of CPU cores
daemon = on
# We strongly recommend you create a separate non-privileged hitch
# user and group
user = "hitch"
group = "hitch"
# Enable to let clients negotiate HTTP/2 with ALPN. (default off)
# varnishd must also be started with `-p feature=+http2`: HTTP/2 is off by default in Varnish
alpn-protos = "h2, http/1.1"
# run Varnish as backend over PROXY; varnishd -a :80 -a localhost:6086,PROXY ..
write-proxy-v2 = on             # Write PROXY header
syslog = on
log-level = 1
# Add pem files to this directory
#pem-dir = "/etc/pki/tls/private"
## A PEM file is the concatenation of key, certificate and chain; several pem-file entries are allowed
## cat example.com.key example.com.crt my-ca-bundle.crt > example.com.pem
pem-file = "/etc/hitch/varnish.pem"
# A second PEM file
#pem-file = "/etc/hitch/mydomain.pem"
## Officially recommended default ciphers
ciphers = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
## Hitch supports TLS (1.0, 1.1, 1.2, 1.3) and SSL 3. By default
tls-protos = TLSv1.2 TLSv1.3
## TCP Fast Open saves up to one full round-trip time (RTT) over the standard three-way connection handshake during a TCP session.
tcp-fastopen = on
EOF

See the official documentation for OCSP stapling configuration.

Reloading the configuration without downtime

Adding, updating and removing PEM files (pem-file) and front-end listen endpoints (frontend) are currently supported without a restart.

systemctl reload hitc v ] r X t { Gch

Start Varnish with HTTP/2 support

HTTP/2 support in Varnish is disabled by default, so a feature flag must be added to enable it: pass "-p feature=+http2" as a varnishd start-up parameter.

You can check whether the parameter is enabled by running varnishadm param.show feature:

# varnishadm param.show feature
feature
        Value is: none (default)

        Enable/Disable various minor features.
           none                       Disable all features.

        Use +/- prefix to enable/disable individual feature:
           short_panic                Short panic message.
           wait_silo                  Wait for persistent silo.
           no_coredump                No coredumps.
           esi_ignore_https           Treat HTTPS as HTTP in
                                      ESI:includes
           esi_disable_xml_check      Don't check of body looks like
                                      XML
           esi_ignore_other_elements  Ignore non-esi XML-elements
           esi_remove_bom             Remove UTF-8 BOM
           https_scheme               Also split https URIs
           http2                      Support HTTP/2 protocol
           http_date_postel           Relax parsing of timestamps in
                                      HTTP headers

Start Varnish

In this example Varnish uses the default configuration; Nginx was already running, and its default port was changed to 8080 (steps omitted). Keep the PROXY listener bound to localhost: Varnish trusts the client address carried in the PROXY header, so any host that can reach that port could spoof client.ip.

varnishd -a :80 -a localhost:6086,PROXY -p feature=+http2 -f /etc/varnish/default.vcl
# or, with only the PROXY listener (no plaintext port; every request arrives via Hitch)
varnishd -a localhost:6086,PROXY -p feature=+http2 -f /etc/varnish/default.vcl

Verify that Varnish has HTTP/2 support enabled

varnishadm param.show feature
feature
        Value is: +http2
        Default is: none
        ......

Then start Hitch:

systemctl restart hitch
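The varnishd invocations above are one-off commands and do not survive a reboot; on CentOS the daemon is started by varnish.service. The script below, added here as an example and not taken from the original post or from the Varnish project, persists the flags in a systemd drop-in, refuses a command line whose PROXY listener is reachable from outside the host, checks the varnishadm output for the exact +http2 token, and finally asks the running Hitch which protocol it negotiates via ALPN. It assumes the stock varnish.service shipped with the 6.0 LTS package (which passes -s malloc,256m) and openssl s_client on the checking host.

```shell
#!/bin/sh
# Added example (not part of the original post or of the Varnish project):
# persist the HTTP/2 flag in the varnish systemd unit, check that every
# PROXY listener is loopback-only, and verify the result from the outside.
# Assumptions: the stock varnish.service from the 6.0 LTS package (which
# uses -s malloc,256m), and openssl s_client on the checking host.
set -eu

# Print a systemd drop-in that replaces the stock ExecStart. The empty
# ExecStart= line is required to clear the inherited value first.
render_varnish_dropin() {
    cat <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/sbin/varnishd -a :80 -a localhost:6086,PROXY -p feature=+http2 -f /etc/varnish/default.vcl -s malloc,256m
EOF
}

# Install the drop-in and restart Varnish (run as root).
install_varnish_dropin() {
    mkdir -p /etc/systemd/system/varnish.service.d
    render_varnish_dropin > /etc/systemd/system/varnish.service.d/override.conf
    systemctl daemon-reload
    systemctl restart varnish
}

# proxy_listener_is_local SPEC
# A PROXY listener trusts the client address in the PROXY header, so it
# must only be reachable from Hitch on the same host. Returns 0 for a
# plain HTTP listener or a loopback-bound PROXY listener, 1 otherwise
# (including ":6086,PROXY", which binds all interfaces).
proxy_listener_is_local() {
    spec=$1
    case "$spec" in
        *,PROXY) ;;
        *) return 0 ;;
    esac
    host=${spec%:*}                 # strip ":port,PROXY"
    case "$host" in
        localhost|127.0.0.1|'[::1]') return 0 ;;
        *) return 1 ;;
    esac
}

# check_listeners VARNISHD-ARGS...
# Walks a varnishd command line and fails if any "-a" PROXY listener is
# bound to a non-loopback address.
check_listeners() {
    bad=0
    while [ $# -gt 0 ]; do
        if [ "$1" = "-a" ] && [ $# -gt 1 ]; then
            proxy_listener_is_local "$2" || { echo "PROXY listener reachable from outside: $2" >&2; bad=1; }
            shift
        fi
        shift
    done
    return "$bad"
}

# http2_enabled
# Reads `varnishadm param.show feature` output on stdin and succeeds only
# when the value list contains the exact token +http2 (so "+https_scheme"
# alone does not count).
http2_enabled() {
    awk '/Value is:/ {
             n = split($0, tok, "[ \t,]+")
             for (i = 1; i <= n; i++) if (tok[i] == "+http2") found = 1
         }
         END { exit found ? 0 : 1 }'
}

# alpn_from_s_client
# Extracts the negotiated protocol from openssl s_client output on stdin;
# prints nothing when the server negotiated no ALPN protocol.
alpn_from_s_client() {
    sed -n 's/^ALPN protocol: //p'
}

# check_h2 HOST
# End-to-end check against the running Hitch: prints "h2" when Hitch
# selected HTTP/2 via ALPN (Varnish must also run with +http2 set).
check_h2() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" \
        -alpn h2,http/1.1 2>/dev/null | alpn_from_s_client
}
```

A typical run on the Varnish host is `check_listeners /usr/sbin/varnishd -a :80 -a localhost:6086,PROXY -p feature=+http2 && install_varnish_dropin`, followed by `varnishadm param.show feature | http2_enabled` and, from another machine, `check_h2 example.com`.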

Configure HSTS

Edit the Varnish VCL and add the following to vcl_deliver:

sub vcl_deliver {
    set resp.http.Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload";
}

Varnish must be restarted, or its configuration reloaded, for the change to take effect.
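The snippet above sets the header unconditionally, which also stamps it onto responses served in plaintext on :80, where browsers ignore it. The script below, added here as an example and not the original post's VCL, renders a default.vcl that sends HSTS only when the request really arrived over TLS and redirects everything on :80 to HTTPS, then compile-checks and hot-loads it. It assumes varnishd listens on both ":80" and "localhost:6086,PROXY", and Hitch on 443 with write-proxy-v2 = on, so that server.ip carries the original destination port; the backend address is the page's own 127.0.0.1:8080.

```shell
#!/bin/sh
# Added example (not the original post's VCL): TLS-aware HSTS plus an
# HTTP-to-HTTPS redirect for the Hitch -> Varnish setup.
# Assumptions: varnishd listens on ":80" and "localhost:6086,PROXY", Hitch
# terminates TLS on 443 and sends PROXY v2, so std.port(server.ip) is 443
# exactly for connections that came in over TLS.
set -eu

render_tls_aware_vcl() {
    cat <<'EOF'
vcl 4.0;
import std;

backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # With PROXY v2 from Hitch, server.ip is the address the client really
    # connected to, so port 443 means "came in over TLS". Anything else is
    # plaintext on :80 and gets a permanent redirect to HTTPS.
    if (std.port(server.ip) != 443) {
        return (synth(750));
    }
}

sub vcl_synth {
    if (resp.status == 750) {
        set resp.status = 301;
        set resp.http.Location = "https://" + req.http.host + req.url;
        return (deliver);
    }
}

sub vcl_deliver {
    # HSTS is only meaningful (and only honoured by browsers) over TLS.
    # Add "; preload" only once every subdomain serves HTTPS: inclusion in
    # the browser preload lists is slow to undo.
    if (std.port(server.ip) == 443) {
        set resp.http.Strict-Transport-Security = "max-age=31536000; includeSubDomains";
    }
}
EOF
}

# install_tls_aware_vcl [PATH]
# Write the VCL, compile it without starting a daemon (varnishd -C), and
# hot-load it; the cache is kept because the unit's reload uses varnishreload.
install_tls_aware_vcl() {
    out=${1:-/etc/varnish/default.vcl}
    render_tls_aware_vcl > "$out"
    varnishd -C -f "$out" > /dev/null
    systemctl reload varnish
}
```

Run `install_tls_aware_vcl` as root on the Varnish host; a VCL compile error stops the script before the reload, so a broken file is never activated. Drop the `import std` / port test only if Varnish has no plaintext listener at all, in which case every request is TLS by construction.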

SSL Test A+

With the configuration above, the site scores an A+ rating in the Qualys SSL Labs SSL test.
