Varnish 4.0 workshop


Transcript of Varnish 4.0 workshop

Page 1: Varnish 4.0 workshop
Page 2: Varnish 4.0 workshop

Reza Naghibi, Senior Developer / Presales US

Per Buer, CTO

Page 3: Varnish 4.0 workshop

Varnish Cache 4.0

Page 4: Varnish 4.0 workshop

Feel free to ask questions

Page 5: Varnish 4.0 workshop

About Varnish Software

• Company behind Varnish Cache

• Sells Varnish Plus

• Tools for stats, management and more

• Support

• Development

Page 6: Varnish 4.0 workshop

What is Varnish?

[Diagram: Client, Varnish Cache, Web server]

Page 7: Varnish 4.0 workshop

VCL

• DSL

• Allows semantics not easily expressed in K/V structures

• Fast

Page 8: Varnish 4.0 workshop

if (req.url ~ "^/buzzy/" &&
    (req.http.referer && req.http.referer !~ "^http://www.example.com/")) {
    error 403 "No hotlinking please";
}

Page 9: Varnish 4.0 workshop

Logging

• Logs insane amounts of data

• Always runs with “full debug”

Page 10: Varnish 4.0 workshop

One step back…

Page 11: Varnish 4.0 workshop

Varnish 3.0

• Released in 2011

• gzip

• basic streaming capabilities

• Added modules…

Page 12: Varnish 4.0 workshop

Modules

• In essence they can return values

• .. thereby influencing VCL flow

• Can do ~everything but alter the content

• Look up a key in a K/V DB and take action in VCL

• curl

• variables; session, global

Page 13: Varnish 4.0 workshop

Varnish Cache 4.0

Page 14: Varnish 4.0 workshop
Page 15: Varnish 4.0 workshop

Gaining root through CLI

• Change user to root

• restart cache

• upload VCL with inline C code

• …

• profit

Page 16: Varnish 4.0 workshop

Security in V4

• -r for read only parameters

• Locks down CLI

• user, group and cc_command

• Inline C is default off
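
A configuration check for the lockdown listed above, as an added example (not from the workshop or from Varnish's own tooling): it parses a varnishd command line and reports which of the slide's parameters can still be changed over the CLI. The command lines are constructed, and treating vcc_allow_inline_c as a fourth parameter to lock is an assumption of this example.

```python
import shlex

# user, group and cc_command are the parameters named on the slide;
# locking vcc_allow_inline_c as well is this example's assumption.
LOCK_PARAMS = ("user", "group", "cc_command", "vcc_allow_inline_c")
OFF_VALUES = {"off", "false", "no", "disable"}

def audit_varnishd(cmdline):
    """Return a list of findings for one varnishd command line."""
    args = shlex.split(cmdline)
    read_only, params = set(), {}
    i = 1  # skip the program name
    while i < len(args):
        flag, value = args[i][:2], args[i][2:]
        i += 1
        if flag not in ("-r", "-p"):
            continue
        if not value and i < len(args):  # detached form: -r user,group
            value = args[i]
            i += 1
        if flag == "-r":
            read_only.update(p.strip() for p in value.split(",") if p.strip())
        else:
            name, _, setting = value.partition("=")
            params[name] = setting
    findings = []
    inline_c = params.get("vcc_allow_inline_c", "off").lower()  # default off in V4
    if inline_c not in OFF_VALUES:
        findings.append("inline C enabled (vcc_allow_inline_c=%s)" % inline_c)
    for name in LOCK_PARAMS:
        if name not in read_only:
            findings.append("%s is not read-only (missing from -r)" % name)
    return findings

# Constructed command lines: one partly locked down, one fully.
WEAK = ("varnishd -a :80 -T localhost:6082 -f /etc/varnish/default.vcl "
        "-p vcc_allow_inline_c=on -r cc_command")
HARDENED = ("varnishd -a :80 -T localhost:6082 -f /etc/varnish/default.vcl "
            "-r user,group,cc_command,vcc_allow_inline_c")

if __name__ == "__main__":
    for line in (WEAK, HARDENED):
        print(audit_varnishd(line) or "no findings")
```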

Page 17: Varnish 4.0 workshop

Attempting root through CLI in V4

• Change user to root

• restart cache

• upload VCL with inline C code

• …

• …

Page 18: Varnish 4.0 workshop
Page 19: Varnish 4.0 workshop

Threading

• Backend and frontend separation

• Frontend thread requests backend thread for backend work.

• Per thread pool acceptor threads

Page 20: Varnish 4.0 workshop

Sidestep: Grace

• Allowing Varnish to serve content that is out of date

• In 3.0 it would block the first thread to refresh

Page 21: Varnish 4.0 workshop

Threading in Varnish

[Diagram: Client, Varnish Cache (Client Thread, Backend Thread), Web server; labels: GET /foo, GET /foo]

Page 22: Varnish 4.0 workshop
Page 23: Varnish 4.0 workshop

Streaming

• V3 will add a bit of delay before starting delivery on cache misses

• From “store and forward” to “cut through”

• Set do_stream = true in V4 (default true)

• Beneficial for large objects and cache hierarchies

• Works with ranged requests as long as content-length is present.

Page 24: Varnish 4.0 workshop

Streaming in Varnish

[Diagram: three Clients, each with a Client thread in Varnish Cache; one Backend thread; Web server]

Page 25: Varnish 4.0 workshop
Page 26: Varnish 4.0 workshop

Logging in V3

• Logging in V3 is limited

• Only regex matching using &&

• No req/bereq relationship

• Performance problems

Page 27: Varnish 4.0 workshop

Logging in V4

• Transactions and transaction groups

• Query language

• Output control

• Increased performance (zero copy)

Page 28: Varnish 4.0 workshop

Log transactions

• One work item for Varnish is a

• client request

• backend request

• ESI sub-request

• session

Page 29: Varnish 4.0 workshop

Transaction groups

• Transactions (work items) can be grouped

• by VXID

• by request

• by session

• raw

Page 30: Varnish 4.0 workshop

varnishlog -g (vxid | request | session | raw )

Page 31: Varnish 4.0 workshop

raw grouping

• Pumps out logs as they are read from memory

• you’ll see the ping-pongs, backend health checks and other internals that don’t have requests attached

Page 32: Varnish 4.0 workshop

VXID grouping

• Group per work item

• Might be confusing

• ESI sub-requests will come before the parent

• bereq before request

Page 33: Varnish 4.0 workshop

Session grouping

• Grouped per session (~TCP connection)

• Useful for debugging pipelining issues

• Probably a lot more useful when HTTP 2.0 arrives

• Suggestions for use?

Page 34: Varnish 4.0 workshop

Request grouping

• Very intuitive

• Request first

• The response

• The ESI subrequests

• Indentation makes it readable

Page 35: Varnish 4.0 workshop

Log query language

$ varnishlog -g request -q 'ReqURL eq "/"'

$ varnishlog -g request -q 'Backend ~ default'

*   << Request  >> 32770
-   Begin          req 32769
-   ReqMethod      GET
-   ReqURL         /
-   ReqProtocol    HTTP/1.1
-   ReqHeader      TE: deflate,gzip;q=0.3
    ...
-   Link           bereq 32771
-   VCL_call       DELIVER
-   VCL_return     deliver
-   RespProtocol   HTTP/1.1
-   RespStatus     200
-   RespResponse   OK
-   ReqEnd         1385330985.979025126 1385330985.978960991 -0.001315594 0.001251459 -0.001315594
-   End
**  << BeReq    >> 32771
--  Begin          bereq 32770
--  VCL_call       BACKEND_FETCH
--  VCL_return     fetch
--  BackendOpen    18 default(127.0.0.1,::1,8020) 127.0.0.1 45989
--  Backend        18 default default(127.0.0.1,::1,8020)
--  BereqMethod    GET
--  BereqURL       /
--  BereqEnd       1385330985.979187250 1385330985.980367422 0.000082792 0.000496101 0.000326045 0.000822146
--  End
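
The req/bereq relationship that request grouping exposes, as an added example (not part of the workshop material): a small parser for `varnishlog -g request` output that follows each request's Link record to the backend transaction that served it. SAMPLE is a subset of the records in the slide's output, and a layout of one record per line is assumed.

```python
import re

# Records from the slide's sample output (header and timing records omitted).
SAMPLE = """\
*   << Request  >> 32770
-   Begin          req 32769
-   ReqURL         /
-   Link           bereq 32771
-   RespStatus     200
-   End
**  << BeReq    >> 32771
--  Begin          bereq 32770
--  Backend        18 default default(127.0.0.1,::1,8020)
--  End
"""

HEADER = re.compile(r"^(\*+)\s+<<\s*(\w+)\s*>>\s+(\d+)")
RECORD = re.compile(r"^-+\s+(\w+)\s*(.*)$")

def parse_transactions(text):
    """Return {vxid: {"type", "level", "records": [(tag, value), ...]}}."""
    txs, current = {}, None
    for line in text.splitlines():
        head, rec = HEADER.match(line), RECORD.match(line)
        if head:
            current = {"type": head.group(2), "level": len(head.group(1)), "records": []}
            txs[int(head.group(3))] = current
        elif rec and current is not None:
            current["records"].append((rec.group(1), rec.group(2).strip()))
    return txs

def first(tx, tag):
    """First value logged under `tag` in a transaction, or None."""
    return next((v for t, v in tx["records"] if t == tag), None)

def trace_requests(text):
    """For each client request, follow its Link records to the backend used."""
    txs, traced = parse_transactions(text), []
    for vxid, tx in txs.items():
        if tx["type"] != "Request":
            continue
        backends = []
        for tag, value in tx["records"]:
            parts = value.split()
            if tag == "Link" and parts[:1] == ["bereq"] and int(parts[1]) in txs:
                backend = first(txs[int(parts[1])], "Backend")  # "<fd> <name> <display name>"
                backends.append(backend.split()[1] if backend else None)
        traced.append({"vxid": vxid, "url": first(tx, "ReqURL"),
                       "status": first(tx, "RespStatus"), "backends": backends})
    return traced
```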

Page 36: Varnish 4.0 workshop

Examples

• String matching, negation, logical operations

not ((RespProtocol eq "HTTP/1.1") or (RespProtocol eq "HTTP/1.0"))

• Regular expressions

ReqMethod !~ "GET|POST"

• Integer matching

(RespStatus >= 200 and RespStatus < 300)

• Float matching

Timestamp:Process[2] > 0.5

Page 37: Varnish 4.0 workshop

Output control

• A bit like “grep” for varnishlog

• Applied last, doesn’t affect queries

• -i <taglist> / -I <taglist:regex>

• -x <taglist> / -X <taglist:regex>

• Taglists support globbing (e.g. Req*)

Page 38: Varnish 4.0 workshop
Page 39: Varnish 4.0 workshop

Content delivery

• IMS towards backend now works

• Uses beresp.keep, which is independent of grace

• Default beresp.keep is 0s.

• Copies the old object into a new one when given 304 Not Modified

• Merges the response into the new one

• headers are copied

• Support for large datasets (>1TB) in Varnish Cache Plus Q3

Page 40: Varnish 4.0 workshop
Page 41: Varnish 4.0 workshop

Load balancing

• Mostly feature parity… however

• Directors are VMODs now

• Directors typically defined in vcl_init

• Easy to implement new directors

• Directors are now stackable

• Backends can still not be created dynamically

Page 42: Varnish 4.0 workshop

Director example

import directors;

sub vcl_init {
    new bar = directors.round_robin();
    bar.add_backend(server1);
    bar.add_backend(server2);
}

Page 43: Varnish 4.0 workshop

VCL

Page 44: Varnish 4.0 workshop

VCL 4

• New version marker - "vcl 4.0"

• More fine grained control over the flow

• vcl_hash is more prominent

• vcl_fetch is replaced by vcl_backend_fetch and vcl_backend_response

• vcl_error is replaced by vcl_synth and vcl_backend_error

• vcl_purge introduced

Page 45: Varnish 4.0 workshop

Typical flows (hit / miss)

Hit:

• recv

• hash

• hit

• deliver

Miss:

• recv

• hash

• miss

• backend_fetch

• backend_response (insert)

• deliver

Page 46: Varnish 4.0 workshop

Documentation changes

• The docs are split into several bits

• Installation docs

• Tutorial - the basics, mostly for rookies

• User guide. Explains the semantics

• Reference. Mostly syntax.

• Migration docs.

Page 47: Varnish 4.0 workshop

Summing up

• New mind blowing logging facility

• Backend/frontend threading w/streaming

• IMS towards backend

• Performance increase

• VCL changes

• Reworked documentation (varnish.org/docs)

Page 48: Varnish 4.0 workshop
Page 49: Varnish 4.0 workshop

Dynamic backends

• Problem: DNS entries in VCL get resolved at vcl.load.

• Must-have feature for EC2

• Slated for 2015

Page 50: Varnish 4.0 workshop

Saint mode

• Support is in place in master

• Slated for 4.1

• Is a VMOD now

Page 51: Varnish 4.0 workshop

HTTP 2.0

• HTTP 2.0 is ratified

• We expect to have HTTP 2.0 support in Q1 2016

Page 52: Varnish 4.0 workshop

SSL?

Page 53: Varnish 4.0 workshop

Thank you

Page 54: Varnish 4.0 workshop

Thank you