Varnish Controller

Graphical User Interface


The following components of Varnish Controller must be installed before installation of the GUI.

  • NATS
  • PostgreSQL
  • Brainz
  • API-GW
  • Varnish and Varnish Agent

Debian/Ubuntu Installation

  sudo apt install varnish-controller-ui

RedHat/CentOS Installation

  sudo yum -y install varnish-controller-ui

Configuration options for the UI Server

The UI server can be started with various configurations. Since the ui-server is running as varnish-controller user it will not be able to start on a privileged port(< 1024), such as port 80. This can be instead handled by iptables, authbind or setcap.

Example using setcap: setcap 'cap_net_bind_service=+ep' /usr/bin/varnish-controller-ui

Arguments that takes a duration value, such as -timeout, uses Go time Duration format. Valid time units are “ns”, “us” (or “┬Ás”), “ms”, “s”, “m”, “h”. A combination of units can be used to express a duration, e.g. 1h10m30s.

Arguments Default Description
-http-host HTTP Server IP/host to listen on, the UI will be reachable here
-http-port 8080 HTTP Server port to listen on, the UI will be reachable here
-http-write-timeout 1m HTTP read timeout as a duration
-http-read-timeout 1m HTTP write timeout as a duration
-tls false Use TSL for server
-cert server.cert TLS public key for server
-key server.key TLS private key for server
-hsts false Use Strict-Transport-Security for the server, only enables it for the current domain
-hsts-max-age 86400 When using Strict-Transport-Security for the server we need to set a maximum age, by default 24 hours in case of mis configuration you can try again after that
-csp true Use Content-Security-Policy header for the server
-csp-rules default-src ’none’; script-src ‘self’ ‘unsafe-eval’; connect-src ‘self’; img-src ‘self’ data:; style-src ‘self’ ‘unsafe-inline’;base-uri ‘self’;form-action ‘self’ When CSP is enabled it’ll set the rules for the content security policy. By default this policy allows images, scripts, AJAX, form actions, and CSS from the same origin, and does not allow any other resources to load (eg object, frame, media, etc)
-x-frame-options true Use X-Frame-Options for the server, disables usage in frames
-csrf true Enable or disable CSRF
-csrf-secret Set the CSRF secret, must be 32 char long
-csrf-cookie-ttl 3600*12 Set the max age of the CSRF cookie in seconds!
-cors-allowed-origins Set the allowed origins for the application, hostnames according to the cors specification, separated by comma
-cookie-domain Set the cookie domain for securing cookies
-cookie-path / Set the cookie path for securing cookies
-cookie-logged-in-name vc-logged-in The name of the cookie for the logged in state
-cookie-access-name vc-at The name of the cookie for the access token
-cookie-refresh-name vc-rt The name of the cookie for the refresh token
-app-log-level info Set the log level, accepted values are: debug, info, warning, error and disabled
-app-static-path /usr/share/varnish-controller-ui/www/ Path that points to the application where the index.html is located
-app-index-file index.html Where is the application file located in the -app-static-path and what is the name of the file?
-api-hosts Set single or multiple API hostnames without trailing slash, separated by comma
-api-timeout 1m Specify a duration for the timeout of the API handlers as a duration
-user varnish-controller User to run as
-group varnish-controller Group to run as
-version Show version and exit

The -http-host and -http-port is used to define where the UI will be reachable, the -api-hosts is used to define to which API-GW the UI talks to.

Minimal setup to run the UI server, the UI server will run with all default values. The UI will be reachable at the server’s IP port 8080.

varnish-controller-ui -api-hosts=http://api-gw:8002

To run the UI server on a different host and port (host: and port: 5050) run the following. Your application can now be reached at

varnish-controller-ui -api-hosts=http://api-gw:8002 -http-port 5050 -http-host

If you want to run your own UI you can run the service and point to your single page application. The -app-index-file is used to define which file to load within the -app-static-path.

varnish-controller-ui -api-hosts=http://api-gw:8002 -app-static-path=/path/to/your/ui -app-index-file=app.html

UI behind Varnish

It is possible to run the UI behind Varnish. Just make sure that you do not cache the API requests or just do not cache the UI entirely. Here is an example VCL file to run the UI with Varnish:

vcl 4.1;

import std;

backend controller-ui {
    .host = "";
    .port = "8080";

sub vcl_recv {
    # Force https
    if (std.port(local.ip) == 80) {
        set req.http.Location = "https://" + + req.url;
        return (synth(301));

    if ( == "") {
        set req.backend_hint = controller-ui;
        return (pass);
    } else {

sub vcl_synth {
    # Redirects
    if (req.http.location) {
        if (resp.status == 301) {
            set resp.http.Location = req.http.location;
            return (deliver);
        if (resp.status == 302) {
            set resp.http.Location = req.http.location;
            return (deliver);