Varnish with Hitch: HTTP/2 implementation on CentOS 8.0

Varnish now fully supports HTTP/2 through Hitch. Below is an example implementation on CentOS 8.0.

Posted by sysin on 2020-08-20

Author: gc(at)sysin.org, homepage: www.sysin.org


Version support:

In Varnish Cache 5.0 there is experimental support for HTTP/2.

Varnish 6.0 now fully supports HTTP/2.

The Varnish HTTP/2 front end is provided by the Hitch proxy.

Request flow:

+------------+    +------------+    +------------+    +------------+
|            |    |            |    |            |    |            |
|  Browser   +----+   Hitch    +----+  Varnish   +----+   Nginx    |
|            |    |            |    |            |    |            |
+------------+    +------------+    +------------+    +------------+

About Hitch

Hitch is a high-performance open-source SSL/TLS proxy based on libev, developed by Varnish Software.

It supports TLS 1.0, 1.1, 1.2 and 1.3, and for large deployments it supports up to 15,000 listening sockets and 500,000 certificates. As the successor of the Stud project, Hitch is faster, smaller and single-purpose, and allows SSL/TLS to be used on both the front end and the back end of Varnish.

Main features:

  • Supports TLS 1.0, TLS 1.1 and TLS 1.2 (TLS 1.3 from Hitch 1.5 onwards)
  • SNI, with support for wildcard and non-wildcard certificates
  • Supports the HAProxy PROXY protocol
  • Supports HTTP/2 via the NPN or ALPN extension
  • Supports large-scale deployments (up to 15,000 listening sockets and 500,000 certificates)
  • Supports seamless reloading of certificates and listening endpoints

Varnish Software also provides commercial support for Hitch.

See the following sites for more information:

Hitch community site

Hitch on Github

Install Varnish 6.0 LTS

Bash Scripts

Quick install of the package repository:

curl -s https://packagecloud.io/install/repositories/varnishcache/varnish60lts/script.rpm.sh | sudo bash

Install

yum install varnish -y
# or
dnf install varnish -y

Version

varnishd -V
varnishd (varnish-6.0.2 revision 0458b54db26cfbea79af45ca5c4767c7c2925a91)
Copyright (c) 2006 Verdens Gang AS
Copyright (c) 2006-2018 Varnish Software AS

Default config

cat /etc/varnish/default.vcl
#
# This is an example VCL file for Varnish.
#
# It does not do anything by default, delegating control to the
# builtin VCL. The builtin VCL is called when there is no explicit
# return statement.
#
# See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/
# and https://www.varnish-cache.org/trac/wiki/VCLExamples for more examples.

# Marker to tell the VCL compiler that this VCL has been adapted to the
# new 4.0 format.
vcl 4.0;

# Default backend definition. Set this to point to your content server.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Happens before we check if we have this in cache already.
    #
    # Typically you clean up the request here, removing cookies you don't need,
    # rewriting the request, etc.
}

sub vcl_backend_response {
    # Happens after we have read the response headers from the backend.
    #
    # Here you clean the response headers, removing silly Set-Cookie headers
    # and other mistakes your backend does.
}

sub vcl_deliver {
    # Happens when we have all the pieces we need, and are about to send the
    # response to the client.
    #
    # You can do accounting or modifying the final object here.
}

Install Hitch 1.5 (EPEL)

Hitch requires:

libev >= 4
openssl (recent, >=1.0.0 recommended)

hitch currently works on Linux, OpenBSD, FreeBSD, and MacOSX. It has been tested the most heavily on Linux/x86_64.

dnf install epel-release -y
dnf install hitch -y

Version

hitch -V
hitch 1.5.2

Default config

cat /etc/hitch/hitch.conf
# Run 'man hitch.conf' for a description of all options.


frontend = {
    host = "*"
    port = "443"
}
backend = "[127.0.0.1]:6086"    # 6086 is the default Varnish PROXY port.
workers = 4                     # number of CPU cores

daemon = on

# We strongly recommend you create a separate non-privileged hitch
# user and group
user = "hitch"
group = "hitch"

# Enable to let clients negotiate HTTP/2 with ALPN. (default off)
# alpn-protos = "h2, http/1.1"

# run Varnish as backend over PROXY; varnishd -a :80 -a localhost:6086,PROXY ..
write-proxy-v2 = on # Write PROXY header


syslog = on
log-level = 1
# Add pem files to this directory
pem-dir = "/etc/pki/tls/private"

Start Varnish with HTTP/2 support

By default, HTTP/2 support in Varnish is disabled, so a feature flag must be added to enable it: pass "-p feature=+http2" as a start-up parameter of Varnish.

You can check whether the parameter is enabled by running the command varnishadm param.show feature.

# varnishadm param.show feature

feature
        Value is: none (default)

        Enable/Disable various minor features.
           none                       Disable all features.

        Use +/- prefix to enable/disable individual feature:
           short_panic                Short panic message.
           wait_silo                  Wait for persistent silo.
           no_coredump                No coredumps.
           esi_ignore_https           Treat HTTPS as HTTP in ESI:includes
           esi_disable_xml_check      Don't check of body looks like XML
           esi_ignore_other_elements  Ignore non-esi XML-elements
           esi_remove_bom             Remove UTF-8 BOM
           https_scheme               Also split https URIs
           http2                      Support HTTP/2 protocol
           http_date_postel           Relax parsing of timestamps in HTTP headers

Start Varnish

In this example Varnish uses the default configuration. Nginx was already running beforehand; its default port only needs to be changed to 8080 (steps omitted).

varnishd -a :80 -a localhost:6086,PROXY -p feature=+http2 -f /etc/varnish/default.vcl
# or
varnishd -a localhost:6086,PROXY -p feature=+http2 -f /etc/varnish/default.vcl

Verify that Varnish has HTTP/2 support enabled

varnishadm param.show feature
feature
Value is: +http2
Default is: none

......

Then start Hitch:

systemctl restart hitch

Configure HSTS

Edit the Varnish VCL and add the following:

sub vcl_deliver {
    set resp.http.Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload";
}

Varnish must be restarted, or its configuration reloaded, for this to take effect.

Configure Hitch

Example configuration (see the official documentation for more parameters):

mv /etc/hitch/hitch.conf /etc/hitch/hitch.conf.bak

# A quoted heredoc is used here: an echo '...' string would be terminated
# by the single quotes inside 'man hitch.conf'.
cat > /etc/hitch/hitch.conf <<'EOF'
# Run 'man hitch.conf' for a description of all options.

frontend = {
    host = "*"
    port = "443"
}
backend = "[127.0.0.1]:6086"    # 6086 is the default Varnish PROXY port.
workers = 4                     # number of CPU cores

daemon = on

# We strongly recommend you create a separate non-privileged hitch
# user and group
user = "hitch"
group = "hitch"

# Enable to let clients negotiate HTTP/2 with ALPN. (default off)
# Varnish must be started with `-p feature=+http2` to enable its HTTP/2 feature (off by default)
alpn-protos = "h2, http/1.1"

# run Varnish as backend over PROXY; varnishd -a :80 -a localhost:6086,PROXY ..
write-proxy-v2 = on             # Write PROXY header

syslog = on
log-level = 1

# Add pem files to this directory
#pem-dir = "/etc/pki/tls/private"

## A PEM file is the concatenation of key, cert and chain; multiple PEM files are supported
## cat example.com.key example.com.crt my-ca-bundle.crt > example.com.pem
pem-file = "/etc/hitch/varnish.pem"
# A second PEM file
#pem-file = "/etc/hitch/mydomain.pem"
## Default cipher list recommended by the official documentation
ciphers = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
## Hitch supports TLS (1.0, 1.1, 1.2, 1.3) and SSL 3. By default
tls-protos = TLSv1.2 TLSv1.3
## TCP Fast Open saves up to one full round-trip time (RTT) over the standard three-way connection handshake during a TCP session.
tcp-fastopen = on
EOF

See the official documentation for OCSP stapling configuration.
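As an added check that is not part of the original post or of Hitch itself, the script below audits a hitch.conf for the settings this walkthrough relies on (h2 in alpn-protos, write-proxy-v2, a loopback backend for the PROXY hop, pinned TLS versions, an unprivileged user, and a certificate source). The helpers conf_get and check_hitch_conf, and both sample configuration files, are constructed here for illustration.

```shell
#!/bin/sh
# Audit a hitch.conf for the settings this walkthrough depends on (ALPN h2, PROXY v2,
# loopback backend, pinned TLS versions, privilege drop, certificate source).
# conf_get/check_hitch_conf and both sample files are constructed here, not Hitch tooling.
# Print the value of the first active "key = value" line, quotes and trailing comment removed.
conf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
    | sed 's/[[:space:]]*#.*$//; s/^"//; s/"[[:space:]]*$//' | head -n 1
}
# Print one FAIL line per weak or missing setting; exit status is the number of findings.
check_hitch_conf() {
  f=$1; n=0
  case "$(conf_get "$f" alpn-protos)" in
    *h2*) ;; *) echo "FAIL alpn-protos lacks h2: clients cannot negotiate HTTP/2"; n=$((n+1)) ;;
  esac
  [ "$(conf_get "$f" write-proxy-v2)" = on ] \
    || { echo "FAIL write-proxy-v2 off: the Varnish ,PROXY listener expects a PROXY header"; n=$((n+1)); }
  case "$(conf_get "$f" backend)" in
    *127.0.0.1*|*localhost*|*'[::1]'*) ;;
    *) echo "FAIL backend not on loopback: PROXY headers are trusted, keep that hop local"; n=$((n+1)) ;;
  esac
  case "$(conf_get "$f" tls-protos)" in
    '') echo "FAIL tls-protos not pinned"; n=$((n+1)) ;;
    *SSLv3*|*TLSv1.0*|*TLSv1.1*|*'TLSv1 '*|*TLSv1) echo "FAIL tls-protos enables a legacy protocol"; n=$((n+1)) ;;
  esac
  [ -n "$(conf_get "$f" user)" ] || { echo "FAIL user unset: hitch would keep root after binding 443"; n=$((n+1)); }
  [ -n "$(conf_get "$f" pem-file)" ] || [ -n "$(conf_get "$f" pem-dir)" ] \
    || { echo "FAIL no pem-file/pem-dir configured"; n=$((n+1)); }
  return $n
}
# Constructed samples: the hardened settings from this post, and a weakened variant.
WORK=$(mktemp -d); GOOD_CONF=$WORK/hardened.conf; BAD_CONF=$WORK/weak.conf
cat > "$GOOD_CONF" <<'EOF'
backend = "[127.0.0.1]:6086" # 6086 is the default Varnish PROXY port.
user = "hitch"
alpn-protos = "h2, http/1.1"
write-proxy-v2 = on # Write PROXY header
pem-file = "/etc/hitch/varnish.pem"
tls-protos = TLSv1.2 TLSv1.3
EOF
cat > "$BAD_CONF" <<'EOF'
backend = "[10.0.0.5]:6086"
# alpn-protos = "h2, http/1.1"
write-proxy-v2 = on
pem-dir = "/etc/pki/tls/private"
EOF
check_hitch_conf "$GOOD_CONF" && echo "OK: $GOOD_CONF"
check_hitch_conf "$BAD_CONF" || echo "$? finding(s) in $BAD_CONF"
```

Run it against /etc/hitch/hitch.conf after editing; a non-zero exit status is the number of settings that still differ from the configuration above.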

Reload the configuration without interrupting service

Adding, updating and removing PEM files (pem-file) and front-end listening endpoints (frontend) is currently supported.

systemctl reload hitch

SSL Test A+

With the configuration above, the Qualys SSL Labs SSL test gives an A+ rating.

Varnish A+



