Varnish Controller

Containers

Varnish Controller is well-suited for running in containers. The common requirement for Agents, Routers, Brainz and API-GW is that they all need to be able to communicate over NATS. The API-GW needs to be able to expose an HTTP(S) port. The Agent needs to reach the Varnish secret and the Varnish administration port, and Varnish needs to read the Agent base directory. If routers are used, they need to expose HTTP(S) endpoints to receive traffic.

Docker Images

We provide prebuilt Docker images for Varnish Controller. These exist in our quay.io registry. Please see https://docs.varnish-software.com/tutorials/getting-started-with-docker/ to get started.

Docker-Compose Example

Using docker-compose it is possible to run a full Varnish Controller setup with Docker. The following docker-compose file is an example and may require modification for your environment. The example uses our official Docker images from quay.io. This requires a valid Varnish Controller license.

The example also shows how to run Varnish with TLS. This requires a tls.cfg and certificates. Please visit https://docs.varnish-software.com/varnish-enterprise/features/client-ssl/ for more information about TLS.

To use TLS, the TLS certificates must be mounted for the varnish service. Replace /home/user/certbot with your TLS certificate directory. This example uses certbot for Let's Encrypt certificates. The example can be run without TLS by commenting out the following lines from the varnish service:

- /home/user/certbot/letsencrypt/:/etc/varnish/certs/
- /home/user/varnish-controller/tls.cfg:/etc/varnish/tls.cfg

- "VARNISH_EXTRA=-A /etc/varnish/tls.cfg"

To make the example complete, the database also runs in Docker via docker-compose. The data is stored in a mounted Docker volume. However, we recommend running the database with backups etc. outside of Docker.

The directory named /home/user/varnish-controller can be replaced with a directory containing the following files:

  • license.lic - Varnish Controller License file
  • tls.cfg - TLS configuration for Varnish (optional)

Docker volumes used:

  • varnish - mounted to /var/lib/varnish (used by varnish and agent services)
  • vcontroller - mounted to /etc/varnish (used by varnish, agent and router services)
  • dbdata - mounted to /var/lib/postgresql/data (used by db service)

The ports exposed on the host machine are the following:

  • 80 - For HTTP traffic towards Varnish
  • 81 - For HTTP traffic towards the traffic router
  • 443 - For HTTPS traffic towards Varnish
  • 8002 - Varnish Controller API endpoint
  • 8080 - Varnish Controller UI

Use docker-compose up to start the services.

version: '3.6'
services:
  varnish:
    container_name: varnish
    image: "quay.io/varnish-software/varnish-plus:latest"
    hostname: varnish
    restart: always
    volumes:
      - type: "volume"
        source: vcontroller
        target: /etc/varnish
      - type: "volume"
        source: varnish
        target: /var/lib/varnish
      - /home/user/certbot/letsencrypt/:/etc/varnish/certs/
      - /home/user/varnish-controller/tls.cfg:/etc/varnish/tls.cfg
    environment:
      - "VARNISH_ADMIN_LISTEN_ADDRESS=0.0.0.0"
      - "VARNISH_EXTRA=-A /etc/varnish/tls.cfg"
    ports:
      - "80:6081"
      - "443:443"
    networks:
      - external
      - internal

  router:
    container_name: router
    image: 'quay.io/varnish-software/varnish-controller-router:latest'
    hostname: router
    restart: always
    volumes:
        - type: "volume"
          source: vcontroller
          target: /etc/varnish
    links:
      - nats
    environment:
      - "VARNISH_CONTROLLER_ROUTER_NAME=router1"
      - "VARNISH_CONTROLLER_BASE_DIR=/etc/varnish/router1"
      - "VARNISH_CONTROLLER_NATS_SERVER=nats://nats:4222"
      - "VARNISH_CONTROLLER_LOG=info"
      - "VARNISH_CONTROLLER_TAGS=prod"
    ports:
      - "81:8080"
    depends_on:
      - nats
    networks:
      - external
      - internal

  agent:
    container_name: agent
    image: 'quay.io/varnish-software/varnish-controller-agent:latest'
    hostname: agent
    restart: always
    volumes:
        - type: "volume"
          source: vcontroller
          target: /etc/varnish
        - type: "volume"
          source: varnish
          target: /var/lib/varnish
    links:
      - varnish
      - nats
    environment:
      - "VARNISH_CONTROLLER_AGENT_NAME=agent1"
      - "VARNISH_CONTROLLER_BASE_DIR=/etc/varnish/agent1"
      - "VARNISH_CONTROLLER_NATS_SERVER=nats://nats:4222"
      - "VARNISH_CONTROLLER_LOG=info"
      - "VARNISH_CONTROLLER_STATS_INTERVAL=60s"
      - "VARNISH_CONTROLLER_VARNISH_NAME=varnish"
      - "VARNISH_CONTROLLER_VARNISH_HOST=varnish"
      - "VARNISH_CONTROLLER_VARNISH_SECRET=/etc/varnish/secret"
      - "VARNISH_CONTROLLER_VARNISH_ADMIN_PORT=6082"
      - "VARNISH_CONTROLLER_TAGS=prod"
      - "VARNISH_CONTROLLER_BASE_URL=http://192.168.99.102"
    depends_on:
      - nats
    networks:
      - internal

  apigw:
    container_name: apigw
    image: 'quay.io/varnish-software/varnish-controller-api-gw:latest'
    hostname: apigw
    restart: always
    environment:
      - "VARNISH_CONTROLLER_NATS_SERVER=nats://nats:4222"
      - "VARNISH_CONTROLLER_LOG=info"
      - "VARNISH_CONTROLLER_PORT=8002"
    depends_on:
      - nats
      - brainz
    ports:
        - "8002:8002"
    networks:
      - external
      - internal

  brainz:
    container_name: brainz
    image: 'quay.io/varnish-software/varnish-controller-brainz:latest'
    hostname: brainz
    restart: always
    volumes:
      - /home/user/varnish-controller/license.lic:/var/lib/varnish-controller/varnish-controller-brainz/license.lic
    links:
      - nats
    environment:
      - "VARNISH_CONTROLLER_NATS_SERVER=nats://nats:4222"
      - "VARNISH_CONTROLLER_DB_USER=varnish-controller"
      - "VARNISH_CONTROLLER_DB_PASS=varnish-controller"
      - "VARNISH_CONTROLLER_DB_NAME=varnish-controller"
      - "VARNISH_CONTROLLER_DB_SERVER=db"
      - "VARNISH_CONTROLLER_LOG=info"
      - "VARNISH_CONTROLLER_MOD_ADMIN_USER=true"
      - "VARNISH_CONTROLLER_SYSTEM_ADMIN_USER=test"
      - "VARNISH_CONTROLLER_SYSTEM_ADMIN_PASS=test"
    depends_on:
      - db
      - nats
    networks:
      - internal

  controller-ui:
    container_name: controllerui
    image: 'quay.io/varnish-software/varnish-controller-ui:latest'
    hostname: ui
    restart: always
    environment:
        - "VARNISH_UI_SERVER_API_HOSTS=http://apigw:8002"
        - "VARNISH_UI_SERVER_CSP=false"
    depends_on:
      - apigw
    ports:
        - "8080:8080"
    networks:
      - external
      - internal

  db:
    container_name: psql
    image: postgres
    hostname: db
    restart: always
    volumes:
      - dbdata:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: varnish-controller
      POSTGRES_PASSWORD: varnish-controller
    networks:
      - internal

  nats:
    container_name: nats
    image: 'quay.io/varnish-software/varnish-controller-nats:latest'
    hostname: nats
    restart: always
    expose:
      - "4222"
    networks:
      - internal
        

volumes:
  vcontroller:
  dbdata:
  varnish:

networks:
  internal:
    driver: bridge
    internal: true
  external:
    driver: bridge

To get the latest updated images, run docker-compose pull.
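
An added example (not part of the Varnish documentation): a line-based Python check that flags the sample passwords from the compose file above when they are still in place, and any published host port outside the five listed on this page. The function name `audit_compose`, the finding strings and the sample input are constructed for illustration; it assumes the two-space service indentation and short-syntax port entries used in the example.

```python
import re

# Host ports the page lists as exposed, and the passwords its example ships with.
DOCUMENTED_PORTS = {"80", "81", "443", "8002", "8080"}
SAMPLE_SECRETS = {"VARNISH_CONTROLLER_DB_PASS": "varnish-controller",
                  "VARNISH_CONTROLLER_SYSTEM_ADMIN_PASS": "test",
                  "POSTGRES_PASSWORD": "varnish-controller"}

def audit_compose(text):
    """Return (service, finding) pairs in file order; short-syntax ports only."""
    findings, service, key, key_indent, in_services = [], None, None, 0, False
    for line in text.splitlines():
        body = line.strip()
        if not body or body.startswith("#"):   # skip blanks and commented-out lines
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                        # top-level key (services, volumes, ...)
            in_services, service, key = body == "services:", None, None
        elif in_services and indent == 2 and body.endswith(":"):
            service, key = body[:-1], None     # a new service definition starts
        elif service and body.endswith(":"):
            key, key_indent = body[:-1], indent
        elif key and indent > key_indent:      # an entry under the current key
            item = body.lstrip("- ").strip("'\"")
            if key == "ports":                 # HOST:CONTAINER or IP:HOST:CONTAINER
                m = re.fullmatch(r"(?:[\d.]+:)?(\d+):\d+(?:/\w+)?", item)
                if m and m.group(1) not in DOCUMENTED_PORTS:
                    findings.append((service, "undocumented host port " + m.group(1)))
            elif key == "environment":         # NAME=value or NAME: value
                m = re.match(r"(\w+)\s*(?:=|:\s*)(.*)$", item)
                if m and SAMPLE_SECRETS.get(m.group(1)) == m.group(2).strip("'\""):
                    findings.append((service, "sample password in " + m.group(1)))
    return findings

# Constructed input: a partly edited copy of the example with one extra published port.
SAMPLE = """\
services:
  brainz:
    environment:
      - "VARNISH_CONTROLLER_DB_PASS=varnish-controller"
      - "VARNISH_CONTROLLER_SYSTEM_ADMIN_PASS=${ADMIN_PASS}"
  db:
    environment:
      POSTGRES_PASSWORD: varnish-controller
    ports:
      - "5432:5432"
"""

print(*audit_compose(SAMPLE), sep="\n")
```

Run against the unmodified compose file on this page, the check reports the three sample passwords (two on brainz, one on db) and no port findings.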