1. I have a licensed VAC installed and it is running but I do not see any stats. Is some other configuration needed?

In order for the VAC to work you need to install the Varnish agent in each instance of Varnish you want to connect to the VAC. VAC is typically installed on a separate server to varnishd/varnish-agent; to register the varnish-agent with VAC, the -z flag needs to be set either on the command line or in /etc/defaults/varnish-agent, in the form

DAEMON_OPTS="-z http://vac-server-name/api/rest/register"

If this is successful, the varnish-cache instance should be listed in the VAC UI under the Configure tab. To associate the cache with a cache group and start using it, drag and drop the instance from the list on the left-hand side to the group entry.

2. Does VAC has support for Varnish 4.x?

Since 3.0.3 the VAC supports both Varnish 3.x and 4.x. A Varnish agent is needed to match the Varnish version. So for varnish 4.x the there is a Varnish agent 4.x The only thing they should be aware is that you cannot group different versions of varnish in the same group.

3. All the cache nodes are shown by the IP only. How can we configure agent to return an instance ID to the VAC?

If you are running a single instance per server and you are not specifying the instance name to varnishd using the -n parameter (default behavior), adding -n to the DAEMON_OPTS parameter in /etc/sysconfig/varnish-agent will add the hostname to the VAC UI. If you are specifying the instance name to varnishd you will need to use the same value for the agent.

4. Can we specify a ban on a single cache through the web ui or api? Or we should create a group first, add the cache and then apply the ban?

To specify a ban via the VAC or the API you need to have a group. You could, however, apply a ban to a single cache accessing the Varnish CLI via the VAC. To do this go to the Configure tab and click on the instance. This will take you to the CLI. After you are done type quit to close the session.

5. Is it also possible to manage both VCP3 and VCP4 instances from that same VAC environment?

It is possible to manage both as long the correct agent version is installed in each Varnish version. Please note that different Varnish versions can not be deployed to the same VAC group.

6. What is the relationship between the VCLs on disk on the Varnish servers, and the VCL in the VAC console?

In a Varnish server all the VCL’s are kept in the agent, if you go to the agent and you issue vcl.list you can see that one is active and other(s) there. VAC connect to the agents and makes sure that there is coherence between Varnish instances that belong to the same group of caches. It is important to change Varnish to use boot.vcl instead of default.vcl by default. So if the Varnish instance reboots we will have a valid vcl that works for you. You can find the boot.vcl at /var/lib/varnish-agent

7. If I start the Varnish servers with their default VCLs, can I display this in VAC?

At this time the VAC doesn’t display the default VCL(boot.vcl) . What the VAC can do is to make sure that the VCL in the VAC in a specific group will be active in the Varnish instance. So if the instance is restarted the VAC will make sure the active VCL in the VAC will be deployed to all the Varnish instances that belong to that group.

8. What is correlation between the CLI and the VAC GUI with VCL files?

Once the VAC is deployed and you started managing your VCL files with it, the VAC takes over the CLI. If you do changes in the CLI they won’t be seen by the VAC and vice versa. The only exception is when you deploy a VCL from the VAC (as you would expect). There is a 1-to-1 correlation between Varnish instances and agents - if you want to run multiple instances you will need one agent per instance. With that said, what’s the reason to have multiple instances? Varnish can handle several websites with just one without issues.

9. How do I setup VAC with HTTPS?

The VAC supports HTTPS when used together with an SSL terminator. If VAC is configured with an SSL terminator in front, it is important that this SSL terminator sets the X-FORWARDED-PROTO request header properly. VAC will use this header to auto configure the communications channel from the varnish-agent to the VAC. You can read more about the X-FORWARDED-PROTO header in rfc7239

The following is an example of the X-Forwarded-Proto setup with nginx:

server {
  listen 443;
  ssl on;

  # Certificate configuration goes here

  location / {
      proxy_pass  http://localhost:8080;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;

10. How the JVM looks when you try to run the vac?

In order to provide that log, in vac default file set


and then restart the VAC. From /var/opt/vac/log check :

  • vac-stdout.log
  • vac-stderror.log

Please note that jvmLogEnabled is set to false by default.

The JVM log tends to grow in size quit fast so it is recommended to keep it to false unless you would like to debug an issue in JVM.