From: Martin Zobel-Helas
Date: Fri, 25 Jan 2013 22:41:32 +0000 (+0100)
Subject: add varnish module
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=4c5c4151615376e493908971c838fd4ed397b99a;p=mirror%2Fdsa-puppet.git
add varnish module
Signed-off-by: Martin Zobel-Helas
---
diff --git a/manifests/site.pp b/manifests/site.pp
index bdbdb2823..23d8668de 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -96,6 +96,10 @@ node default {
 include nfs-server
 }
 
+ if $::hostname == 'vieuxtemps' {
+ include varnish
+ }
+
 if $::brokenhosts {
 include hosts
 }
diff --git a/modules/varnish/files/default.vcl b/modules/varnish/files/default.vcl
new file mode 100644
index 000000000..cb946cfbc
--- /dev/null
+++ b/modules/varnish/files/default.vcl
@@ -0,0 +1,80 @@
+backend holter {
+ # holter.debian.org
+ .host = "194.177.211.202";
+ .port = "80";
+}
+backend powell {
+ # powell.debian.org
+ .host = "87.106.64.223";
+ .port = "80";
+}
+
+sub vcl_recv {
+
+ # Add a unique header containing the client address
+ remove req.http.X-Forwarded-For;
+ set req.http.X-Forwarded-For = req.http.rlnclientipaddr;
+
+ ### restart logic, this will redefine the backends if vcl_restart has been triggered
+ if (req.restarts == 0) {
+ set req.backend = holter;
+ } else if (req.restarts == 1) {
+ set req.backend = powell;
+ } else if (req.restarts == 2) {
+ set req.backend = holter;
+ } else {
+ set req.backend = holter;
+ }
+
+
+ if (req.request == "GET" && req.url ~ "^/search?") {
+ return(pass);
+ }
+ if (req.request == "GET" && req.url ~ "^/(squeeze|wheezy|sid|experimental|stable|testing|unstable|rc-buggy|squeezy-backports|lenny-backports|Pics)/") {
+ return(lookup);
+ }
+}
+
+sub vcl_fetch {
+ if (beresp.status != 200 && beresp.status != 403 && beresp.status != 404 && beresp.status != 301 && beresp.status != 302) {
+ return(restart);
+ }
+
+ # if i cant connect to the backend, ill set the grace period to be 600 seconds to hold onto content
+ set beresp.ttl = 600s;
+ set beresp.grace = 600s;
+
+ if (beresp.status == 404) {
+ set beresp.ttl = 0s;
+ }
+
+ if (beresp.status >= 500) {
+ set beresp.ttl = 0s;
+ }
+
+ if (req.request == "GET" && req.url ~ "^/search?") {
+ set beresp.ttl = 0s;
+ }
+
+ if (req.request == "GET" && req.url ~ "^/(squeeze|wheezy|sid|experimental|stable|testing|unstable|rc-buggy|squeezy-backports|lenny-backports|Pics)/") {
+ set beresp.ttl = 3600s;
+ }
+
+
+ set beresp.http.X-Cacheable = "YES";
+ return(deliver);
+}
+
+
+sub vcl_deliver {
+
+ set resp.http.X-Served-By = server.hostname;
+ if (obj.hits > 0) {
+ set resp.http.X-Cache = "HIT";
+ set resp.http.X-Cache-Hits = obj.hits;
+ } else {
+ set resp.http.X-Cache = "MISS";
+ }
+
+ return(deliver);
+}
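Review bot: `set req.http.X-Forwarded-For = req.http.rlnclientipaddr;` in vcl_recv strips the real X-Forwarded-For and then fills it from a request header that any client can send, so whoever talks to this cache chooses the address holter and powell log and apply access rules to; unless a front-end in front of this host is known to set `rlnclientipaddr`, use Varnish's own view of the peer, `set req.http.X-Forwarded-For = client.ip;`. The companion /etc/default/varnish in this commit listens with `-a :80` on every interface, which makes the direct-client case the likely one. Separately, `req.url ~ "^/search?"` makes the `h` optional rather than matching a literal `?`, so `"^/search"` (or `"^/search\?"` if the query marker was meant) says what is intended; the same pattern is repeated in vcl_fetch. vcl_fetch also restarts on every status other than 200/403/404/301/302, including a 503 from a backend that is down, and restarts 2 and above always return to holter, so a comment should state that the loop is ended only by varnishd's max_restarts limit and results in a 503 to the client.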
diff --git a/modules/varnish/files/varnish.default b/modules/varnish/files/varnish.default
new file mode 100644
index 000000000..16eb39286
--- /dev/null
+++ b/modules/varnish/files/varnish.default
@@ -0,0 +1,110 @@
+# Configuration file for varnish
+#
+# /etc/init.d/varnish expects the variables $DAEMON_OPTS, $NFILES and $MEMLOCK
+# to be set from this shell script fragment.
+#
+# Note: If systemd is installed, this file is obsolete and ignored. You will
+# need to copy /lib/systemd/system/varnish.service to /etc/systemd/system/ and
+# edit that file.
+
+# Should we start varnishd at boot? Set to "no" to disable.
+START=yes
+
+# Maximum number of open files (for ulimit -n)
+NFILES=131072
+
+# Maximum locked memory size (for ulimit -l)
+# Used for locking the shared memory log in memory. If you increase log size,
+# you need to increase this number as well
+MEMLOCK=82000
+
+# Default varnish instance name is the local nodename. Can be overridden with
+# the -n switch, to have more instances on a single server.
+# INSTANCE=$(uname -n)
+
+# This file contains 4 alternatives, please use only one.
+
+## Alternative 1, Minimal configuration, no VCL
+#
+# Listen on port 6081, administration on localhost:6082, and forward to
+# content server on localhost:8080. Use a 1GB fixed-size cache file.
+#
+# DAEMON_OPTS="-a :6081 \
+# -T localhost:6082 \
+# -b localhost:8080 \
+# -u varnish -g varnish \
+# -S /etc/varnish/secret \
+# -s file,/var/lib/varnish/$INSTANCE/varnish_storage.bin,1G"
+
+
+## Alternative 2, Configuration with VCL
+#
+# Listen on port 6081, administration on localhost:6082, and forward to
+# one content server selected by the vcl file, based on the request. Use a 1GB
+# fixed-size cache file.
+#
+DAEMON_OPTS="-a :80 \
+ -T localhost:6082 \
+ -f /etc/varnish/default.vcl \
+ -S /etc/varnish/secret \
+ -s malloc,1024m"
+
+
+## Alternative 3, Advanced configuration
+#
+# See varnishd(1) for more information.
+#
+# # Main configuration file. You probably want to change it :)
+# VARNISH_VCL_CONF=/etc/varnish/default.vcl
+#
+# # Default address and port to bind to
+# # Blank address means all IPv4 and IPv6 interfaces, otherwise specify
+# # a host name, an IPv4 dotted quad, or an IPv6 address in brackets.
+# VARNISH_LISTEN_ADDRESS=
+# VARNISH_LISTEN_PORT=6081
+#
+# # Telnet admin interface listen address and port
+# VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
+# VARNISH_ADMIN_LISTEN_PORT=6082
+#
+# # The minimum number of worker threads to start
+# VARNISH_MIN_THREADS=1
+#
+# # The Maximum number of worker threads to start
+# VARNISH_MAX_THREADS=1000
+#
+# # Idle timeout for worker threads
+# VARNISH_THREAD_TIMEOUT=120
+#
+# # Cache file location
+# VARNISH_STORAGE_FILE=/var/lib/varnish/$INSTANCE/varnish_storage.bin
+#
+# # Cache file size: in bytes, optionally using k / M / G / T suffix,
+# # or in percentage of available disk space using the % suffix.
+# VARNISH_STORAGE_SIZE=1G
+#
+# # File containing administration secret
+# VARNISH_SECRET_FILE=/etc/varnish/secret
+#
+# # Backend storage specification
+# VARNISH_STORAGE="file,${VARNISH_STORAGE_FILE},${VARNISH_STORAGE_SIZE}"
+#
+# # Default TTL used when the backend does not specify one
+# VARNISH_TTL=120
+#
+# # DAEMON_OPTS is used by the init script. If you add or remove options, make
+# # sure you update this section, too.
+# DAEMON_OPTS="-a ${VARNISH_LISTEN_ADDRESS}:${VARNISH_LISTEN_PORT} \
+# -f ${VARNISH_VCL_CONF} \
+# -T ${VARNISH_ADMIN_LISTEN_ADDRESS}:${VARNISH_ADMIN_LISTEN_PORT} \
+# -t ${VARNISH_TTL} \
+# -w ${VARNISH_MIN_THREADS},${VARNISH_MAX_THREADS},${VARNISH_THREAD_TIMEOUT} \
+# -S ${VARNISH_SECRET_FILE} \
+# -s ${VARNISH_STORAGE}"
+#
+
+
+## Alternative 4, Do It Yourself
+#
+# DAEMON_OPTS=""
+
diff --git a/modules/varnish/manifests/init.pp b/modules/varnish/manifests/init.pp
new file mode 100644
index 000000000..1560c65ec
--- /dev/null
+++ b/modules/varnish/manifests/init.pp
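Review bot: The active `DAEMON_OPTS` block drops the `-u varnish -g varnish \` line that the commented Alternative 1 just above it carries, so after varnishd binds :80 as root the switch to an unprivileged user depends on the daemon's compiled-in default for its user/group parameters rather than on anything this file states; adding `-u varnish -g varnish \` back makes the intended account explicit and survives a packaging change. `-T localhost:6082` together with `-S /etc/varnish/secret` keeps the management port off the network, but nothing in this commit manages `/etc/varnish/secret`, so a comment should say it is expected to come from the package with root-only permissions. The `MEMLOCK=82000` comment still talks about the shared memory log while storage is now `-s malloc,1024m`; a one-line note that the malloc size must fit alongside the backends and the log on this host would help the next editor. The header also says this file is ignored under systemd, which is presumably not the case on the target host, but that assumption is worth recording.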
@@ -0,0 +1,25 @@
+class varnish {
+
+ package { 'varnish':
+ ensure => installed
+ }
+
+ service { 'varnish':
+ ensure => running,
+ }
+
+ @ferm::rule { 'dsa-varnish':
+ domain => '(ip ip6)',
+ description => 'Allow http access',
+ rule => '&TCP_SERVICE(80)'
+ }
+
+ file { '/etc/default/varnish':
+ source => 'puppet:///modules/varnish/files/varnish.default'
+ }
+
+ file { '/etc/varnish/default.vcl':
+ source => 'puppet:///modules/varnish/files/default.vcl'
+ }
+}
+
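Review bot: Neither `file` resource notifies `Service['varnish']` and the service does not `require => Package['varnish']`, so a later edit to default.vcl or /etc/default/varnish lands on disk while the running varnishd keeps the old VCL and options until something else restarts it, and on a fresh host Puppet may attempt to start the service before the package is present. Adding `require => Package['varnish'],` to the service and `notify => Service['varnish'],` to both file resources gives the ordering the module depends on. The source URLs include a `files/` path component (`puppet:///modules/varnish/files/varnish.default`); on the standard module layout the fileserver already resolves `puppet:///modules/varnish/varnish.default` to `modules/varnish/files/varnish.default`, so unless this puppetmaster's fileserver.conf maps things differently these sources will not be found. Since the ferm rule opens port 80 on both ip and ip6 to everyone and the shipped VCL hard-codes backend addresses, a short header comment on the class stating that this host is a public front for holter and powell would save the next reader a lookup.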