"There is no other way we can guarantee that secret krypto-bits do not leak anywhere they should not, than by fencing in the code that deals with them in a child process, so the bulk of varnish never gets anywhere near the certificates, not even during a core-dump."
I came across this when looking for https support few weeks ago.
Can anyone who actually understands what the upgrade document states do a how to or a straight modification of a popular vcl, so people who don't have as much experience and pretty much just use these default vcl files?
Here's one that I and a few of my friends use routinely:
I am sure that if you ask nicely, the project members of these efforts might just give you a hand and upgrade to VCL 4.0 syntax a usable Wordpress template. Be willing to test and contribute back with whatever you can though.
Or if I currently don't have the time to do this, I have to either stop using varnish completely or not upgrade.
I get the whole needing to drop backwards compatibility thing, but without an idiot-proof way of upgrading, you're sentencing users like me, who use Varnish as a sprinkle of magic on the server.
Some examples of before/after of actual vcl files are a must in my opinion.
I'm late to this party, but the answer for you is to just not upgrade to Varnish 4.0 yet. Keep using 3.0.5, which is still available and still stable.
The "standard" VCL files for popular apps like Wordpress and Drupal will be updated eventually for Varnish 4.0 by the people who maintain them--which are typically not Varnish staff/volunteers, but people who work with those applications specifically.
When services like Varnish go through major upgrades like this, it is normal for there to be a lag between the main release, and the general availability of updated "recipes" or plugins.
First of all, kudos, Varnish is an amazing piece of kit and hat's off to you sir.
However, I've been where you are and know how you feel, what you've said makes perfect logical sense to you, in your mind these are clear instructions on what should be done, but they still mean very little to someone who's completely new to this (even though they've been using Varnish for a good while now).
I'm a WordPress dev (I know, but it pays the bills), but I have been put between a rock and a hard place, so now I'm also responsible for setting up DO droplets for standalone websites. The reason I use Varnish is simplicity: apt-get install, wget on a WordPress vcl file, change a port and we're saving ram and can serve to 6x-10x concurrent users than before on straight nginx.
Thing is, I'm not alone in this use case, I know several people, who adore the magic and ease of use of Varnish. None of us know the insides, but we're can copy-paste and change a few things.
We respect and understand the need for dropping backwards compatibility, but all believe that the upgrade docs desperately need some examples.
Your docs are great for someone who has the time to read them all and learn all about Varnish, like a book, but (with no disrespect) borderline useless to someone who's got deadlines and a ton of work and simply has no time to learn this system that he's been relying on for a while.
So I've scanned (not read, ain't nobody got time for that) everything inside of the link you gave and while very interesting and comprehensive, if I was a sysadmin on a salary, I'd sink a few days into this and become really good at it, but I'm booked up, so I just need this up and running, so again, it's useless.
It comes down to your resources: do you have the man power to create several default vcl files that people can "just use": like a vcl for a RoR app, vcl for a WordPress site, vcl for a Symfony app etc (depending on actual usage/popularity)...
I know it's a catchy and grabby title and sort of BS if you think about it, but it just works.
It took me an hour to get a DO dropplet running and blitz.io reported numbers that made me happy ($10 DO dropplet, large WP site, 27k+ requests per minute), that's enough for us.
I've got a few other ideas, but I think that if your company does something similar, you'll be able to get a much wider appeal and engage with users a lot more, which is great PR and marketing for your paid service.
Typically you serve up that content separately from the static content. We use it where it doesn't cache for logged in users but is on a rolling cache otherwise. Page updates invalidate the cache immediately as well.
On a dynamic site with user content, you're going to be using some sort of object caching depending on your framework and language of choice, Varnish is great for news sites and things of that nature though.
You can also cache some content on a page, even for logged-in users, and add in the dynamic parts using ESI. For example an ecommerce site could have a category page cached, and have one section at the top that says "Hello, John Doe" generated dynamically and added in using ESI.
I'm not disagreeing.. but lots of people either dislike relying on JS, or would prefer to have the initial page load be a complete page.
If your AJAX is pulling down HTML fragments rather than JSON, then Varnish's ESI gives you the best of both worlds, allowing varnish the gather and assemble the initial page from the same endpoints your JS would hit.
Varnish is extremely configurable regarding that. Not only can you cache certain paths and leave others dynamic, but you can actually cache pages while leaving certain HTML elements on the page dynamic. E.g., let's say you have a mostly static page, but with the username on top ("you are logged in as brunoqc"). You can tell Varnish to cache the page and leave the HTML element containing the username dynamic.
No. This makes dynamic content static, by definition. However, you can exempt certain content from cache, exempt certain people from cache, exempt certain pieces of certain content from cache, or any combination. You can also invalidate cache when content changes (if you're able to do this absolutely, this is effectively dynamic), or set low TTLs to not have new content roll in on a certain time basis.
"Full support for streaming objects through from the backend on a cache miss.
Bytes will be sent to 1..n requesting clients as they come in from the backend
server." is an awesome feature in and of itself. thank you varnish team, this looks like a great release.
Watching that what-is-varnish video, I was surprised that this seems to be a Norwegian company. The narrator had an American (New England?) accent, not a naive/jovial Norwegian accent.
That is correct. We wrote the script and had a native English speaker reading it for us ;-)
Even if we have some colleagues who are from New England, we are a pretty multi-cultural Norwegian headquartered company as you can see in our site:
https://www.varnish-software.com/about-us
The semantics are completely different which has to be reflected in the VCL.
I think keeping compatibility at the cost of sanity is pretty dangerous and disregarding compatibility has been one of the success factors for the Linux kernel.
> disregarding compatibility has been one of the success factors for the Linux kernel
It's actually the other way around. Linus Torvalds dixit[1]:
"One of the core kernel rules has always been that we never ever break any external interfaces. That rule has been there since day one, although it's gotten much more explicit only in the last few years. The fact that we break internal interfaces that are not visible to userland is totally irrelevant, and a total red herring."
Valid point and I clearly was under the misconception that Linux didn't care that much about the external interfaces.
However, VCL is more akin the the kernel modules, relying on the internal APIs which are much less stable. When the semantics on how Varnish operates (with 4.0, the backend threads are completely new) and so the VCL language _needs_ to change in order to reflect this.
The external API, made available through HTTP hasn't changed much.
Backwards compatibility is vastly overrated, especially when the changes are as modest as the ones that I can see for Varnish 4. Sweep away the cruft. Make things better.
How many development hours have been wasted because of Python 3, Perl 6, Lua 5.2, any new Django version, Ruby 1.9, Rails 4, jQuery 1.9, Bootstrap 3, etc. ?
Backwards compatibility is as simple as not wasting everybody's time. It should be high on the priority list, right under security and above performance. I like Linus' stance on the issue and I'm sure every developer dealing with syscalls appreciates it as well.
How much development time has been saved and codebase quality increased by making backwards-incompatible changes that improve things drastically? It's a balance, of course – I'm not suggesting old interfaces should be thrown under a bus at the earliest opportunity. But the super-conservative opposite does nothing for progress and ends up with excess technical debt. Varnish 4.0 is a major version release. 3.x still works and will be used by a lot of people for a long time. I really don't see the issue, certainly in this case.
The biggest impact of these sorts of changes are future users who are trying to get their first configuration going, following various web tutorials. Many of those tutorials are now misleading, but via the nature of accumulated web content it won't be changed any time soon.
Varnish is a nice project, but the lack of SSL significantly restricts its usefulness, especially in the "SSL everywhere" era. I've simply resorted to using nginx' proxy pass as the cache/load balancer.
from http://haproxy.1wt.eu : Update [2012/09/11] : native SSL support was implemented in 1.5-dev12. The points above about CPU usage are still valid though.
Wow, I've been out of the loop for a while then. Last time I used HAProxy I was using stud (https://github.com/bumptech/stud) to terminate.
We see lots of our users and customers adopt nginx for SSL termination and as their webserver, but still use Varnish for HTTP caching and/or routing.
The power and flexibility that VCL offers is pretty much unmatched. Specially with the ability to extend the language through Varnish Modules (VMODs). You can see the VMOD directory on our site: https://www.varnish-cache.org/vmods.
Even better, in Varnish 4.0 all Directors are VMODS and they can be nested, basically allowing for dynamic backends and all kind of Layer 7 load balancing you can dream of.
A lot of the technical tutorials (that also get posted here) are frankly, absolutely terrible.
Tutorials that do not state the required levels of expertise?
Tutorials without version numbers of the components that are described in it?
Tutorials for absolute beginners that feature commands like
echo 'something' | sudo ...
without explaining them?
Tutorials about using debian-installer without explaining whether locale=en_US will set the system locale during installation to en_US.UTF8 or simply en_US?
In the same vein, tutorials about the installation of Postgres that do not mention that your system locale will impact the encoding / locale of your databases?
Check, check, check, check and check.
Something like RapGenius for technical tutorials might be useful here.
https://www.varnish-cache.org/docs/trunk/phk/ssl.html
"There is no other way we can guarantee that secret krypto-bits do not leak anywhere they should not, than by fencing in the code that deals with them in a child process, so the bulk of varnish never gets anywhere near the certificates, not even during a core-dump."
I came across this when looking for https support few weeks ago.