To install VHA6 on either Debian/Ubuntu or Redhat Enterprise, access to Varnish Enterprise is required. Please get in touch at support@varnish-software.com for more information.
On all platforms, the package is named varnish-plus-ha
and can be installed using the usual package manager:
Debian/Ubuntu:
sudo apt-get install varnish-plus-ha varnish-broadcaster
RHEL/CentOS:
sudo yum install varnish-plus-ha varnish-broadcaster
Note: VHA6 requires the Varnish Broadcaster.
VHA6 retired the use of vha-agent
in favor of Varnish Broadcaster, thus vha-agent
should be disabled to avoid conflicts:
sudo systemctl stop vha-agent
sudo systemctl disable vha-agent
Note: If you’re upgrading, remove the legacy VHA VCL by including vha_40.vcl
or vha_41.vcl
in the above command and remove all vha_opts.set()
calls.
Create a /etc/varnish/nodes.conf
file describing the VHA6 cluster.
Each host in the cluster needs a single entry. The entry name is the hostname.
The entry value is the routable address and port for that host.
This file should be identical across the whole cluster.
Example:
alpha = 1.2.3.4
bravo = [1:2::3]:45
charlie = https://5.6.7.8:90
delta = http://[1::2]
If you’re upgrading, your original nodes.conf
can be reused.*
It’s essential that the names in your nodes.conf
exactly match the hostnames of the nodes. If not, VHA6 will fallback to the public interface. The node name should also be the fully qualified domain name of the node.
If using groups, set the corresponding VHA6 broadcaster_group
setting.
This is done in vcl_init
.
broadcaster
is enabled and running:sudo systemctl enable broadcaster
sudo systemctl start broadcaster
include "vha6/vha_auto.vcl";
sub vcl_init {
vha6_opts.set("token", "secret123");
call vha6_token_init;
}
Change the token
value of secret123
to a unique secret value.
This should be identical across your cluster.
To disable VHA6 on a single node, replace the vha6/vha_auto.vcl
include
with:
include "vha6/vha_disable.vcl";
This will gracefully opt the node out of the VHA6 architecture while allowing other nodes to operate.
To permanently disable VHA6 across an entire architecture, disable each node as described above and then remove all VHA6 VCL from the configuration.
Varnish High Availability 6 requires the use of vcl 4.1
in your parent VCL.
If your VCL is using 4.0, replace the vha6/vha_auto.vcl
include
with:
include "vha6/vha_auto_legacy_40.vcl";
The VHA6 configuration needs to be applied to the parent VCL and all labels that will replicate objects.
When using Total Encryption, include
it before VHA6:
include "total-encryption/random_key.vcl";
include "vha6/vha_auto.vcl";
This applies to both random_key
and secret_key
encryption.
If you’re using the same secret key across your entire cluster, you can skip decryption
during VHA6 transactions by putting the secret_key
include
after VHA6:
include "vha6/vha_auto.vcl";
include "total-encryption/secret_key.vcl";
Note: If you’re using header encryption, contact support for VHA6 usage.
Note: This is not needed for Version 6.0.5
or later.
Version 6.0.4
or earlier:
Add the following line to vcl_init
to allow req.*
bans to update into cache:
vha6_opts.set("force_update", "true");
If using obj.*
bans, force_update
can be left as the default.