Question
How to configure varnish cache for a domain in Plesk?
Answer
This can be achieved using Docker.
Refer to the following steps in order to configure Varnish on the Plesk server using the official varnish docker image.
-
Navigate to Docker in Plesk, find the official varnish image in the catalog, and select the stable (6.6.2) version to run a varnish container.
-
Set up Manual Mapping for the docker container. At Docker > varnish > Settings, uncheck the "Automatic Port Mapping" option and apply the following manual mappings:
80 -> 32780
8443 -> 32781 (we're not going to use this one)
-
Disable the "Permanent SEO-safe 301 redirect from HTTP to HTTPS" option on the domain at Domains > example.com > Hosting Settings
-
Create a Docker Proxy Rule on the domain at Domains > example.com > Docker Proxy Rules:
URL: example.com/
Container: varnish
Port: 80 -> 32780
-
Permit connections to the apache2 port 7080 from the docker subnet via iptables:
6.1 Connect to the server via SSH
6.2 Apply the rule using the following command:
# iptables -I INPUT -p tcp --dport 7080 -s 172.17.0.0/24 -j ACCEPT
Note: A rule added on the command line is lost on system reboot, or when a custom firewall script/configuration is applied. To make it persistent, include it in your iptables configuration, or consider scheduling a server-wide cron task.
-
In case there is a Plesk Firewall extension in use, navigate to Tools & Settings > Security(Firewall) > Add Custom Rule:
7.1 Once the rule is saved, click the "Apply Changes" and "Activate" buttons.
Note: make sure the docker container is restarted once the Firewall Rules have been applied via the extension.
7.2 (Optional) if Fail2ban is used, add the docker network to a trusted list.
Navigate to Tools & Settings > IP Address Banning (Fail2Ban) > Trusted IP Addresses and click Add trusted IP: 172.17.0.0/24
-
Using the next two commands, adjust the Varnish configuration file to use the IP and port of the apache2:
Warning: The domain's IP address should be specified instead of 203.0.113.2, otherwise you will break the docker container. Also, if the container's name was changed from "varnish" to a custom one, don't forget to adjust it within the commands below:
# docker ps | grep varnish | awk {'print $1'} | xargs -i docker exec -t {} sed -i '/.port/c\ .port = "7080";' /etc/varnish/default.vcl
# docker ps | grep varnish | awk {'print $1'} | xargs -i docker exec -t {} sed -i '/.host/c\ .host = "203.0.113.2";' /etc/varnish/default.vcl
-
Restart the varnish container:
# docker ps | grep varnish | awk {'print $1'} | xargs -i docker restart {}
-
Test the headers of the page using the browser's dev tools. The response should contain the varnish output.
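The two sed commands in the configuration step match on /.host/ and /.port/, where the dot is a regex wildcard, so on a VCL that also contains an ACL entry such as "localhost" they would replace more than the backend lines. The following added example (not Plesk's code) validates the IP and port and rewrites only the backend assignments in a local copy of the file; the function names, the sample VCL and the address 192.0.2.10 are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: rewrite only the backend .host/.port lines of a local VCL copy.

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet <= 255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# unanchored_hits FILE: count lines the article's /.host/ and /.port/ patterns
# match; "." is a regex wildcard, so "localhost" and "support" match as well.
unanchored_hits() { grep -c -e '.host' -e '.port' "$1"; }

# set_backend FILE IP PORT: validate the inputs, then rewrite FILE in place.
set_backend() {
    vcl=$1; ip=$2; port=$3
    valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    [ "$ip" != "203.0.113.2" ] || { echo "still the article placeholder" >&2; return 1; }
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    sed -E \
        -e "s/^([[:space:]]*)\.host[[:space:]]*=.*/\1.host = \"$ip\";/" \
        -e "s/^([[:space:]]*)\.port[[:space:]]*=.*/\1.port = \"$port\";/" \
        "$vcl" > "$vcl.new" && mv "$vcl.new" "$vcl"
}

# write_sample_vcl FILE: constructed VCL, not the image's file or the template.
write_sample_vcl() {
    cat > "$1" <<'EOF'
vcl 4.1;
# purge support: only these hosts may send PURGE
acl purge {
    "localhost";
}
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}
EOF
}

tmp=$(mktemp) && write_sample_vcl "$tmp"
echo "unanchored patterns match $(unanchored_hits "$tmp") lines"
# 192.0.2.10 is a constructed stand-in for the domain's IP address.
set_backend "$tmp" 192.0.2.10 7080 && cat "$tmp"
rm -f "$tmp" "$tmp.new"
```

Run it against a copy of default.vcl taken out of the container, then copy the result back with docker cp and restart the container.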
Once the WordPress application is installed on the domain, apply the next steps:
-
Configure the container:
1.1 Download the pre-configured WordPress varnish config template and copy it into the container:
# curl -o /tmp/default.vcl --silent https://support.plesk.com/hc/article_attachments/4446947540498/default.vcl && docker ps | grep varnish | awk {'print $1'} | xargs -i docker cp /tmp/default.vcl {}:/etc/varnish/
1.2 Adjust the configuration to match the domain's IP Address:
Warning: The domain's IP address should be specified instead of 203.0.113.2, otherwise you will break the docker container. Also, if the container's name was changed from "varnish" to a custom one, don't forget to adjust it within the command below:
# docker ps | grep varnish | awk {'print $1'} | xargs -i docker exec -t {} sed -i 's/XXX.XXX.XXX.XXX/203.0.113.2/g' default.vcl
-
Warning: Make sure the option Permanent SEO-safe 301 redirect from HTTP to HTTPS under Domains > example.com > Hosting Settings is disabled, and the option SSL/TLS Support is enabled.
Add the following directives to Domains > example.com > Apache & nginx Settings > Additional directives for HTTP field to enable HTTPS redirect and avoid possible mixed content issue:
SetEnvIf X-Forwarded-Proto "https" HTTPS=on
Header append Vary: X-Forwarded-Proto
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
-
Restart the varnish container:
# docker ps | grep varnish | awk {'print $1'} | xargs -i docker restart {}
-
Open the WordPress website using the browser's developer's tools (Network tab) and verify that the varnish cache is being loaded:
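The header check in the verification steps can also be scripted. This added example (not part of the original article) classifies a response from its Via and X-Varnish headers, relying on Varnish's default behaviour of putting two transaction IDs in X-Varnish on a cache hit and one on a miss, and compares the stored-object ID across two responses, which is the check to make after a PURGE. The function names and header dumps are constructed for the illustration.

```sh
#!/bin/sh
# Added example: decide from response headers whether Varnish answered from cache.
# Typical use: curl -sI http://example.com/ | classify_headers

# classify_headers: read raw HTTP response headers on stdin and print one of
#   hit     Varnish served a stored object (X-Varnish carries two IDs)
#   miss    Varnish handled the request but fetched it from the backend
#   bypass  no Varnish headers at all; the request never went through it
classify_headers() {
    awk '
        { sub(/\r$/, "") }                  # strip the CR of CRLF line ends
        tolower($1) == "via:" && tolower($0) ~ /varnish/ { via = 1 }
        tolower($1) == "x-varnish:" { xids = NF - 1 }
        END {
            if (!via && !xids)  print "bypass"
            else if (xids >= 2) print "hit"
            else                print "miss"
        }'
}

# stored_xid: print the ID of the transaction that stored the object (the
# second number in X-Varnish); prints nothing for a miss.
stored_xid() {
    awk '{ sub(/\r$/, "") } tolower($1) == "x-varnish:" && NF >= 3 { print $3 }'
}

# same_cached_object BEFORE AFTER: succeed when both header dumps are hits on
# the same stored object, meaning a PURGE sent in between removed nothing.
same_cached_object() {
    a=$(printf '%s\n' "$1" | stored_xid)
    b=$(printf '%s\n' "$2" | stored_xid)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed header dumps (not captured from a real server).
FIRST='HTTP/1.1 200 OK
Via: 1.1 varnish (Varnish/6.6)
X-Varnish: 32770
Age: 0'
SECOND='HTTP/1.1 200 OK
Via: 1.1 varnish (Varnish/6.6)
X-Varnish: 98310 32771
Age: 17'

printf '%s\n' "$FIRST"  | classify_headers
printf '%s\n' "$SECOND" | classify_headers
```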
Comments
26 comments
In the second option (WordPress config), in step 1.1 the wrong URL is posted. It should be https://support.plesk.com/hc/en-us/article_attachments/4446947540498/default.vcl instead of https://support.plesk.com/hc/en-us/article_attachments/4405703421586/default.vcl. The post ID is wrong, which results in a 404. Therefore the WordPress varnish configuration will not be downloaded.
Stefan Yakubov
Thank you for the post,
Could you provide us with the instructions for a Magento 2 website?
I can provide a staging server with a working Magento 2 if needed.
Hello,
Lanthopus X
Thank you, the link was redacted.
SamParis
You can use the official Magento tools to export and adapt the varnish configuration:
https://devdocs.magento.com/guides/v2.4/config-guide/varnish/config-varnish-magento.html
Weird.... I am getting the following error when starting Varnish:
Though I have set all ports correctly:
I have no clue what I am doing wrong. I double checked everything and on my test server it worked. This is a new / fresh Plesk server. Grrrrr..... Going crazy here.
//edit
Well... I found the issue! It was caused by Varnish v7.1. That version is bogus and causes the above issue. I compared the new server with my test server and the test server used the "latest" version of Varnish, which is: varnish-7.0.2 (according to the information screen). Weird.
You need to update this article so people can Include Docker IP to IP Address Banning (Fail2Ban)
I had to do this as the server blocked the IP 172.17.0.0/24
Hello, Bragi Austfjörð
Thank you for your input. The article was updated.
Sorry if this is a stupid question, but do you have to set up a docker for each domain you want to use varnish for? Or can you use a single docker container to cache multiple domains?
Hello, Michael Pratt
Single docker container can serve multiple websites, as long as the subscriptions to which domains belong are using the IP Address specified in part 1 step 8.
Thanks Stefan,
So if I have 2 IP addresses I use on my server for my websites, then I would need 2 Varnish docker containers? Or is there a way to have 2 or more IP addresses?
Also, this does not seem to be working properly, as in the headers I do not see X-Cache object under "via". I do see "via: 1.1 varnish (Varnish/6.6) though. Not sure if it matters. If it is working, it is not faster than Hummingbird with just Memcached.
Hello, Michael Pratt
> So if I have 2 IP addresses I use on my server for my websites, then I would need 2 Varnish docker containers?
Correct.
> as in the headers I do not see X-Cache object under "via".
That's expected. The header is not supplied.
Regardless of what I do, I cannot get ANY plugin, to purge cache from WordPress... I have tried all user comment suggestions, opened ports, and tried targeting every single IP address and port associated with this... It is caching fine, and I can see that I got a hit. But purging cache from plugin or from SSH (curl -X PURGE domain.com) gives:
<!DOCTYPE html>
<html>
<head>
<title>200 Purged</title>
</head>
<body>
<h1>Error 200 Purged</h1>
<p>Purged</p>
<h3>Guru Meditation:</h3>
<p>XID: 186</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>
I saw somewhere that meant that the cache was purged, but when I refresh the page, I get a hit (when the first refresh should be a miss) and the same cached ID. Until I restart the docker container. Many plugins for this ask for the IP address of the varnish server (usually localhost, 127.0.0.1 etc., but that doesn't work) and some request a port. I tried every port associated with this functionality as well, local IPs and ports for the container, server, website, private, public.... checked iptables, firewalls (including fail2ban, immunify360, aws external, etc.)...
Really frustrated. This has a ton of support on the suggestions. Plesk really should just implement something.
Hello, Michael Pratt
Meanwhile, you do have an option to purge cache by restarting the container, you can also do so with curl queries:
https://docs.varnish-software.com/varnish-administration-console/super-fast-purger/usage/
As I can see, you've tried that by now, however the IP Address should be added in the default.vcl acl as allowed first, e.g.
acl purge {
"localhost";
"127.0.0.1";
"1.2.3.4/32";
}
Yeah, I have every IP address listed, including my office IP. Every public and private IP of the server, every variation of localhost, the docker container IP, all of them. This is an issue for sure with the website sending the purge request being unable to successfully send the container the request. My knowledge of docker, Plesk network, and varnish are relatively limited. SOMETHING is blocking it in Plesk, or docker, based on how they are setup, maybe even the default varnish container, but it must be beyond my ability to figure out because I have tried everything.
It isn't an ACL issue, I opened up ALL IP addresses and it still doesn't work with curl.
Hello, Michael Pratt
In case the curl requests reach the docker container, no other entities could interfere with the requests processing. Neither Plesk nor the docker service itself.
Therefore, that should be further checked with the varnish configuration/docs.
Hi,
after following the tutorial, I still have issues connecting the docker to the Apache interface.
I'm getting back a "504 Gateway Time-out" from Nginx.
It seems that points 5. (Create a Docker Proxy Rule), 6. (adding the iptables condition), 7. (configure the firewall) and 7.1 (Fail2ban) aren't working correctly in my case.
I'm doing it on a Lightsail machine on AWS. Is there any chance of a conflict with the external firewall?
any help or suggestions?
thank you
allowing "system policy incoming traffic", it start to work in some way but using only the 7. no, why?
I've set this

Hello, Stefano Fiorito
As this setup wasn't tested with AWS, I can recommend you to log in via the docker image itself and perform the network diagnostic steps. The image is debian-based with a small busybox.
I got the "503 Backend fetch failed". But I don't any error log in varnishlog
Thank you for this nice tutorial.
It worked fine until I increased VARNISH_SIZE value : the Varnish Cache server returns error: Error 503 Service Unavailable / Guru Meditation with an XID number !
I had to remove the docker container and make a fresh install :(
If you want to change the default value you have to do it in step #1.3, don't try to update it from Plesk, you can do it inside the container :
$ docker ps | grep varnish | awk {'print $1'} | xargs -i docker exec -t {} export VARNISH_SIZE=2G
@Stefan Yakubov
You have created a great example and guide. But does not work together with Cloudflare Proxy.
How should I enter all IPs from Cloudflare in the config :)
edit://
I add these IPs under Plesk -> example.com/ Config Apache&nginx / Nginx
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP;
and works :)
thanks in advance
Manu
Hello, @Manuel Kuhn,
Yes that's correct. Meanwhile the virtualhost's IP needs to be specified in the varnish config, the directives to pass the real IP's from CloudFlare should be added on the "nginx additional directives" level.
How do I modify the vcl file or replace the vcl file from my computer?
Hello, @Jiraboon Narktong
First copy it out of the docker container:
# docker ps | grep varnish | awk {'print $1'} | xargs -i docker cp {}:/etc/varnish/default.vcl ~
Edit it as required and upload it back to docker:
# docker ps | grep varnish | awk {'print $1'} | xargs -i docker cp default.vcl {}:/etc/varnish/default.vcl
Then restart the docker container to apply changes. Make sure to avoid mistakes in syntax as docker won't boot up with invalid config, thus the container will need to be recreated as per the first steps within the article.
Does this only work with the specified version 6.6.2? The latest stable version is 7.2.1
edit: Did everything as in the guide but got ERR_TOO_MANY_REDIRECTS when testing the website
edit2: Well I was just dumb. Didn't realize there's a step 2 in the guide for setting up WordPress. Works perfectly now with version 6.6.2. Gonna try the latest version with the same setup and report back
edit3: Did not work with version 7.2.1, got an error
It did work with version 7.0.3 though and I'm going with that for now
Hello, @
According to docker hub, the latest stable versions are 6.0*

Hello...
I did all step by step and finally get error.... All i did but where is problem i dont know....
www.dolarkimya.com.tr
Error 503 Backend fetch failed
Backend fetch failed
Guru Meditation:
XID: 32780
Varnish cache server