Search
varnish-controller7    installation    containers
Varnish Controller 7 Changelog Version 7 Known Issues Upgrading Previous Versions Versioning License Features System Overview Demo Concepts Agent Router RoutingRules Git Tag Files Domain Certificates Roles VCLGroup ACME API Logs Private/Shared Config/ConfigSets Authentication System Admin Regular Users Identity Provider Sessions Examples Authorization Organization Account Permission Examples CLI CLI Examples CLI Manual User Interface API API examples Invalidations Integrations Varnish Statistics Installation Quickstart NATS PostgreSQL Brainz API-GW Agents Routers Containers Identity Provider VCLI Graphical User Interface Mapped Ports Routing Plugins gRPC Examples Deploying VCL files Change a VCL file Purging multiple paths Banning paths Using Labels Certificates HTTP Routing Routing Decisions Private Agents Debugging Multiple Regions OIDC - Microsoft Entra (Azure AD) Drain Traffic Config/ConfigSet Organizations

Containers

Varnish Controller is well-suited for running in containers. The common requirement for Agents, Routers, Brainz and API-GW is that they all need to be able to communicate over NATS. The API-GW needs to be able to expose HTTP(S) port. The Agent needs to reach Varnish secret and administration ports and Varnish needs to read the Agent base directory. If routers are used they need to expose HTTP(S) endpoints to receive traffic.

Docker Images

We provide prebuilt docker images for Varnish Controller. These exists in our quay.io registry. Please see https://docs.varnish-software.com/tutorials/getting-started-with-docker/ to get started.

Docker-Compose Example

Using docker-compose it is possible to run a full Varnish Controller setup with Docker. The following docker-compose is an example and may require modification for your environment. The example uses our official Docker images from quay.io. This requires a valid Varnish Controller license.

The example also shows how to run Varnish with TLS, using existing certificates. This requires a tls.cfg and the certificate files in the Varnish container. Please visit https://docs.varnish-software.com/varnish-enterprise/features/client-ssl/ for more information about TLS.

- /home/user/certificates/:/etc/varnish/certs/
- /home/user/varnish-controller7/tls.cfg:/etc/varnish/tls.cfg

- "VARNISH_EXTRA=-A /etc/varnish/tls.cfg"

To make the example complete, the database is also running in Docker via docker-compose. The data is stored in a mounted Docker volume. However, we recommend to run the database with backups etc. outside of Docker.

The directory named /home/user/varnish-controller7 can be replaced with a directory containing the following files:

  • license.lic - Varnish Controller License file
  • tls.cfg - TLS configuration for Varnish (optional)

Docker volumes used:

  • varnish - mounted to /var/lib/varnish (used by varnish and agent services)
  • vcontroller - mounted to /etc/varnish (used by varnish, agentandrouter` services)
  • dbdata - mounted to /var/lib/postgresql/data (used by db service)

The ports exposed on the host machine are the following:

  • 80 - For HTTP traffic towards Varnish
  • 81 - For HTTP traffic towards the traffic router
  • 443 - For HTTPS traffic towards Varnish
  • 8002 - Varnish Controller API endpoint
  • 8080 - Varnish Controller UI

Use docker-compose up to start the services.

version: '3.6'
services:
  varnish:
     container_name: varnish
     image: "quay.io/varnish-software/varnish-plus:latest"
     hostname: varnish
     restart: always
     volumes:
         - type: "volume"
           source: vcontroller
           target: /etc/varnish
         - type: "volume"
           source: varnish
           target: /var/lib/varnish
         - /home/user/certificates/:/etc/varnish/certs/
         - /home/user/varnish-controller7/tls.cfg:/etc/varnish/tls.cfg
     environment:
       - "VARNISH_ADMIN_LISTEN_ADDRESS=0.0.0.0"
       - "VARNISH_EXTRA=-A /etc/varnish/tls.cfg"
     ports:
       - "80:6081"
       - "443:443"
     networks:
       - external
       - internal

  router:
    container_name: router
    image: 'quay.io/varnish-software/varnish-controller7-router:latest'
    hostname: router
    restart: always
    volumes:
        - type: "volume"
          source: vcontroller
          target: /etc/varnish
    links:
      - nats
    environment:
      - "VARNISH_CONTROLLER_ROUTER_NAME=router1"
      - "VARNISH_CONTROLLER_BASE_DIR=/etc/varnish/router1"
      - "VARNISH_CONTROLLER_NATS_SERVER=nats://nats:4222"
      - "VARNISH_CONTROLLER_LOG=info"
      - "VARNISH_CONTROLLER_TAGS=prod"
    ports:
      - "81:8080"
    depends_on:
      - nats
    networks:
      - external
      - internal

  agent:
    container_name: agent
    image: 'quay.io/varnish-software/varnish-controller7-agent:latest'
    hostname: agent
    restart: always
    volumes:
        - type: "volume"
          source: vcontroller
          target: /etc/varnish
        - type: "volume"
          source: varnish
          target: /var/lib/varnish
    links:
      - varnish
      - nats
    environment:
      - "VARNISH_CONTROLLER_AGENT_NAME=agent1"
      - "VARNISH_CONTROLLER_BASE_DIR=/etc/varnish/agent1"
      - "VARNISH_CONTROLLER_NATS_SERVER=nats://nats:4222"
      - "VARNISH_CONTROLLER_LOG=info"
      - "VARNISH_CONTROLLER_STATS_INTERVAL=60s"
      - "VARNISH_CONTROLLER_VARNISH_NAME=varnish"
      - "VARNISH_CONTROLLER_VARNISH_HOST=varnish"
      - "VARNISH_CONTROLLER_VARNISH_SECRET=/etc/varnish/secret"
      - "VARNISH_CONTROLLER_VARNISH_ADMIN_PORT=6082"
      - "VARNISH_CONTROLLER_TAGS=prod"
      - "VARNISH_CONTROLLER_BASE_URL=http://192.168.99.102"
    depends_on:
      - nats
    networks:
      - internal

  apigw:
    container_name: apigw
    image: 'quay.io/varnish-software/varnish-controller7-api-gw:latest'
    hostname: apigw
    restart: always
    environment:
      - "VARNISH_CONTROLLER_NATS_SERVER=nats://nats:4222"
      - "VARNISH_CONTROLLER_LOG=info"
      - "VARNISH_CONTROLLER_PORT=8002"
    depends_on:
      - nats
      - brainz
    ports:
        - "8002:8002"
    networks:
      - external
      - internal

  brainz:
    container_name: brainz
    image: 'quay.io/varnish-software/varnish-controller7-brainz:latest'
    hostname: brainz
    restart: always
    volumes:
      - /home/user/varnish-controller7/license.lic:/var/lib/varnish-controller7/varnish-controller7-brainz/license.lic
    links:
      - nats
    environment:
      - "VARNISH_CONTROLLER_NATS_SERVER=nats://nats:4222"
      - "VARNISH_CONTROLLER_DB_USER=varnish-controller"
      - "VARNISH_CONTROLLER_DB_PASS=varnish-controller"
      - "VARNISH_CONTROLLER_DB_NAME=varnish-controller"
      - "VARNISH_CONTROLLER_DB_SERVER=db"
      - "VARNISH_CONTROLLER_LOG=info"
      - "VARNISH_CONTROLLER_MOD_ADMIN_USER=true"
      - "VARNISH_CONTROLLER_SYSTEM_ADMIN_USER=test"
      - "VARNISH_CONTROLLER_SYSTEM_ADMIN_PASS=test"
    depends_on:
      - db
      - nats
    networks:
      - internal

  controller-ui:
    container_name: controllerui
    image: 'quay.io/varnish-software/varnish-controller7-ui:latest'
    hostname: ui
    restart: always
    environment:
        - "VARNISH_UI_SERVER_API_HOSTS=http://apigw:8002"
        - "VARNISH_UI_SERVER_CSP=false"
    depends_on:
      - apigw
    ports:
        - "8080:8080"
    networks:
      - external
      - internal

  db:
    container_name: psql
    image: postgres
    hostname: db
    restart: always
    volumes:
      - dbdata:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: varnish-controller
      POSTGRES_PASSWORD: varnish-controller
    networks:
      - internal

  nats:
    container_name: nats
    image: 'quay.io/varnish-software/varnish-controller7-nats:latest'
    hostname: nats
    restart: always
    expose:
      - "4222"
    networks:
      - internal


volumes:
  vcontroller:
  dbdata:
  varnish:

networks:
  internal:
    driver: bridge
    internal: true
  external:
    driver: bridge
Manuals
Varnish Enterprise
Varnish Cloud
Varnish Controller
Varnish High Availability
Varnish Custom Statistics
Varnish WAF
Varnish Broadcaster
Varnish Helm Chart
Packages
Docker
News
Varnish Controller 7.0.0
Varnish Enterprise vulnerability in MSE4 when handling range requests
HTTP/1 client-side desync vulnerability
Varnish Controller 6.6.8
Container images updated to Debian bookworm
News archive
Cookie Settings Privacy Policy Contact Us Press Branding
®Varnish Software, Wallingatan 12, 111 60 Stockholm, Organization nr. 556805-6203