Varnish Enterprise 6.0.18r1 is a feature and bug fix release. The
headline change is a new compound-expression purging API in
vmod_ykey, which lets operators invalidate objects that match a
boolean combination of keys in a single call. The release also adds
TLS support for the vmod_ratelimit NATS connection and ships a
batch of stability and operational fixes, including two HTTP/2 panics
on the walk-away path, a use-after-free crash in VSM clients, and
proper log rotation for varnishncsa and friends under systemd.
The new features and notable changes are highlighted below. Please see the changelog for the complete list of changes.
vmod_ykey: compound-expression purging

The new ykey.purge_expr() function invalidates objects that match a
compound expression built from keys, instead of a single key. The
expression language supports literal keys, n-ary AND and OR,
NOT, and parentheses. ykey.purge() could only invalidate the set
attached to one key, so an OR over several keys took as many
separate purge calls, and AND/NOT combinations had no direct
equivalent and had to be precomputed as synthetic combined keys at
tagging time.
Typical usage:
    sub vcl_recv {
        if (req.method == "PURGE") {
            set req.http.n-purged =
                ykey.purge_expr("(product:42 OR product:43) AND NOT region:eu");
            return (synth(200, "Purged " + req.http.n-purged));
        }
    }
The expression is evaluated against the keys attached to each cached object, and only objects whose key set satisfies the expression are invalidated.
See the vmod_ykey API reference for the full grammar and operand-ordering guidance.
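To make the evaluation rule concrete, the following is a small reference evaluator written for these notes (it is not vmod_ykey's own parser): it parses an expression of the form shown above into an AST and tests it against each object's key set, purging exactly the objects whose keys satisfy it. The operator spelling, the precedence (NOT binds tighter than AND, which binds tighter than OR), the colon-separated key literals and the sample cache are assumptions made for the example.

```python
import re

# Assumed grammar, modelled on the release-note example (not vmod_ykey's own parser):
#   expr := term ('OR' term)*   term := factor ('AND' factor)*   factor := 'NOT' factor | '(' expr ')' | KEY
TOKEN = re.compile(r"\s*(\(|\)|AND\b|OR\b|NOT\b|[^\s()]+)")  # \b keeps e.g. "ORDER" a key, not OR

def parse(expr):  # expression string -> tuple AST; ValueError if malformed
    toks, pos = [m.group(1) for m in TOKEN.finditer(expr)], 0
    def take(expected=None):  # consume the next token, optionally requiring a specific one
        nonlocal pos
        if pos >= len(toks) or (expected and toks[pos] != expected):
            raise ValueError(f"expected {expected or 'an operand'} at token {pos}")
        pos += 1
        return toks[pos - 1]
    def chain(op, operand):  # left-associative run of one n-ary operator (NOT > AND > OR)
        node = operand()
        while toks[pos:pos + 1] == [op]:
            take(); node = (op, node, operand())
        return node
    def factor():
        tok = take()
        if tok == "NOT":
            return ("NOT", factor())
        if tok == "(":
            node = or_expr(); take(")"); return node
        if tok in (")", "AND", "OR"):
            raise ValueError(f"unexpected {tok!r} at token {pos - 1}")
        return ("KEY", tok)
    or_expr = lambda: chain("OR", lambda: chain("AND", factor))
    node = or_expr()
    if pos < len(toks):
        raise ValueError(f"trailing token {toks[pos]!r}")
    return node

def matches(node, keys):
    """Evaluate the AST against the key set attached to one cached object."""
    op, *args = node
    if op == "KEY":
        return args[0] in keys
    if op == "NOT":
        return not matches(args[0], keys)
    return (all if op == "AND" else any)(matches(a, keys) for a in args)

def purge_expr(cache, expr):
    node = parse(expr)  # parse once, then test every object's key set against the AST
    return sorted(obj for obj, keys in cache.items() if matches(node, keys))

CACHE = {  # constructed sample: object id -> keys attached at tagging time
    "/p/42": {"product:42", "region:us"}, "/p/43": {"product:43", "region:eu"},
    "/cat/shoes": {"product:42", "product:43", "category:shoes", "region:eu"}}
```

As with ykey.purge(), the VCL that exposes purge_expr() should gate PURGE requests with an ACL, since one well-formed expression can now invalidate a large slice of the cache in a single call.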
vmod_ratelimit: NATS over TLS

vmod_ratelimit can now be configured to connect to its NATS
coordination server over TLS, removing the need for a separate
plain-text segment between Varnish and the NATS cluster.
ratelimit.set_nats_server() gained a TLS-related set of optional
arguments:
    sub vcl_init {
        ratelimit.set_nats_server(
            "nats.internal:4222",
            use_tls = true,
            cafile = "/etc/varnish/nats-ca.pem",
            // certfile/keyfile are optional, for mTLS client auth:
            certfile = "/etc/varnish/nats-client.pem",
            keyfile = "/etc/varnish/nats-client.key");
    }
If cafile is omitted, the system trust store is used. expect_hostname
overrides the SNI / certificate-CN match when the connect string differs
from the certificate name, and skip_verify disables peer verification
entirely and is meant only for development setups. handshake_first
toggles between the two NATS TLS handshake modes and must match the
server’s setting.
See the vmod_ratelimit reference for the full argument list.
HTTP/2 walk-away panics (VS issue #3232): Fixed two panics on the HTTP/2 walk-away path that could trigger when a stream was reset while parked on a busy-object waiting list. Observed under heavy traffic with frequent client cancellations.
VSM client use-after-free: Fixed a crash in VSM clients
(varnishstat, varnishlog, etc.) that could occur when a full
state resync was triggered after exceeding the incremental update
limit.
Conditional fetch with dying stale objects: Conditional fetch (304) now correctly handles the case where the stale object backing the revalidation is invalidated mid-fetch, by falling back to a regular fetch instead of producing an inconsistent merged object.
vmod_ratelimit reconnect race (VS issue #3180): Fixed a race where a
very fast server-side connection rejection could leave the VMOD
permanently disconnected from NATS and then block any subsequent
VCL reload, leading to a panic.
SIGUSR2 log rotation: varnishncsa, varnishlog, and
varnishlog-json now reopen their -w output file on SIGUSR2,
independent of whether they were started with -D.
Previously the only rotation signal was SIGHUP, and SIGHUP was only
wired up to rotation when running with -D. That made logrotate
integration awkward under process supervisors like systemd, where
you typically do not use -D so that stderr stays attached to
the supervisor’s journal, which is where these tools report client
overruns and varnishd disconnects. Under such a setup SIGHUP
did not rotate; it caused the tool to exit cleanly via its main
loop, so logrotate would terminate the very process it was
trying to keep running.
SIGHUP retains its previous behavior when -D is used. New
deployments should prefer SIGUSR2:
    /var/log/varnish/varnishncsa.log {
        daily
        rotate 7
        missingok
        postrotate
            pkill -USR2 varnishncsa
        endscript
    }