The following components of Varnish Controller must be installed before installation of the GUI.
sudo apt install varnish-controller-ui
sudo dnf -y install varnish-controller-ui
The UI server can be started with various configurations. Since the ui-server runs as the varnish-controller user, it cannot bind to a privileged port (< 1024), such as port 80. This can instead be handled with iptables, authbind or setcap.
Example using setcap:
setcap 'cap_net_bind_service=+ep' /usr/bin/varnish-controller-ui
Arguments that take a duration value, such as -timeout, use the Go time Duration format.
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". A combination of units can be used to express a duration, e.g. 1h10m30s.
Arguments | Default | Description |
---|---|---|
-http-host | 0.0.0.0 | HTTP Server IP/host to listen on, the UI will be reachable here |
-http-port | 8080 | HTTP Server port to listen on, the UI will be reachable here |
-http-write-timeout | 1m | HTTP write timeout as a duration |
-http-read-timeout | 1m | HTTP read timeout as a duration |
-tls | false | Use TLS for server |
-cert | server.cert | TLS public key for server |
-key | server.key | TLS private key for server |
-hsts | false | Use Strict-Transport-Security for the server, only enables it for the current domain |
-hsts-max-age | 86400 | Maximum age for Strict-Transport-Security. The default is 24 hours so that, in case of misconfiguration, you can try again after that |
-csp | true | Use Content-Security-Policy header for the server |
-csp-rules | default-src 'none'; script-src 'self' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline';base-uri 'self';form-action 'self' | When CSP is enabled, this sets the rules for the content security policy. By default this policy allows images, scripts, AJAX, form actions, and CSS from the same origin, and does not allow any other resources to load (e.g. object, frame, media, etc.) |
-x-frame-options | true | Use X-Frame-Options for the server, disables usage in frames |
-csrf | true | Enable or disable CSRF |
-csrf-secret | | Set the CSRF secret, must be 32 characters long |
-csrf-cookie-ttl | 3600*12 | Set the max age of the CSRF cookie in seconds |
-cors-allowed-origins | | Set the allowed origins for the application, hostnames according to the CORS specification, separated by comma |
-cookie-domain | | Set the cookie domain for securing cookies |
-cookie-path | / | Set the cookie path for securing cookies |
-cookie-logged-in-name | vc-logged-in | The name of the cookie for the logged in state |
-cookie-access-name | vc-at | The name of the cookie for the access token |
-cookie-refresh-name | vc-rt | The name of the cookie for the refresh token |
-app-log-level | info | Set the log level, accepted values are: debug, info, warning, error and disabled |
-app-static-path | /usr/share/varnish-controller-ui/www/ | Path that points to the application where the index.html is located |
-app-index-file | index.html | Name of the application file located in the -app-static-path |
-api-hosts | | Set single or multiple API hostnames without trailing slash, separated by comma |
-api-timeout | 1m | Timeout of the API handlers as a duration |
-user | varnish-controller | User to run as |
-group | varnish-controller | Group to run as |
-version | | Show version and exit |

The -http-host and -http-port arguments define where the UI will be reachable; the -api-hosts argument defines which API-GW the UI talks to.
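
To confirm that a running UI server emits the headers controlled by -hsts, -hsts-max-age, -csp and -x-frame-options, the following added example (not part of the Varnish Controller documentation or code) audits a set of response headers. The function names, the sample response and its `DENY` value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the UI server's response headers against the
# -hsts, -hsts-max-age, -csp and -x-frame-options settings.

# Print the value of header $1 (case-insensitive) from $headers.
_hdr() {
    printf '%s\n' "$headers" | awk -v h="$1" 'BEGIN { h = tolower(h) }
        { n = index($0, ":")
          if (n && tolower(substr($0, 1, n - 1)) == h) {
              v = substr($0, n + 1); sub(/^[ \t]+/, "", v); print v; exit } }'
}

# Reads raw response headers on stdin; $1 is the expected -hsts-max-age.
# Prints one finding per line; returns non-zero if a header is missing or wrong.
check_ui_headers() (
    want="${1:-86400}"; bad=0
    headers="$(tr -d '\r')"                  # normalise CRLF line endings

    hsts="$(_hdr Strict-Transport-Security)"
    if [ -z "$hsts" ]; then
        echo "MISSING Strict-Transport-Security (is -hsts enabled?)"; bad=1
    elif ! printf '%s\n' "$hsts" | grep -Eq "(^|; *)max-age=${want}( *;| *\$)"; then
        echo "MISMATCH Strict-Transport-Security: $hsts (want max-age=$want)"; bad=1
    fi

    csp="$(_hdr Content-Security-Policy)"
    case "$csp" in
        "") echo "MISSING Content-Security-Policy (is -csp disabled?)"; bad=1 ;;
        *"default-src 'none'"*) ;;
        *)  echo "WEAK Content-Security-Policy: default-src is not 'none'"; bad=1 ;;
    esac
    # The default -csp-rules contain both keywords; report them for review.
    for kw in "'unsafe-eval'" "'unsafe-inline'"; do
        case "$csp" in *"$kw"*) echo "NOTE Content-Security-Policy allows $kw" ;; esac
    done

    [ -n "$(_hdr X-Frame-Options)" ] || { echo "MISSING X-Frame-Options"; bad=1; }
    return "$bad"
)

# Constructed sample response (not captured from a real server); DENY is assumed.
sample_headers() {   # $1: optional extra header line
    printf '%s\r\n' "HTTP/1.1 200 OK" \
        "Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline';base-uri 'self';form-action 'self'" \
        "X-Frame-Options: DENY" ${1:+"$1"} ""
}

sample_headers | check_ui_headers || echo "=> defaults: review the findings above"
```

Against a live instance, pipe the output of `curl -sI` for the UI's URL into `check_ui_headers`, passing the configured -hsts-max-age as the first argument.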
Minimal setup to run the UI server: the UI server will run with all default values and the UI will be reachable at the server's IP on port 8080.
varnish-controller-ui -api-hosts=http://api-gw:8002
To run the UI server on a different host and port (host: 192.0.0.1 and port: 5050), run the following. Your application can now be reached at 192.0.0.1:5050.
varnish-controller-ui -api-hosts=http://api-gw:8002 -http-port 5050 -http-host 192.0.0.1
If you want to run your own UI you can run the service and point to your single page application. The -app-index-file is used to define which file to load within the -app-static-path.
varnish-controller-ui -api-hosts=http://api-gw:8002 -app-static-path=/path/to/your/ui -app-index-file=app.html
It is possible to run the UI behind Varnish. Make sure that you do not cache the API requests, or do not cache the UI at all. Here is an example VCL file to run the UI with Varnish:
vcl 4.1;

import std;

backend controller-ui {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Force https
    if (std.port(local.ip) == 80) {
        set req.http.Location = "https://" + req.http.host + req.url;
        return (synth(301));
    }
    if (req.http.host == "controller.varnish-software.com") {
        set req.backend_hint = controller-ui;
        return (pass);
    } else {
        return (synth(404));
    }
}

sub vcl_synth {
    # Redirects
    if (req.http.location) {
        if (resp.status == 301) {
            set resp.http.Location = req.http.location;
            return (deliver);
        }
        if (resp.status == 302) {
            set resp.http.Location = req.http.location;
            return (deliver);
        }
    }
}