SearchVarnish High Availability
To install VHA6 on either Debian/Ubuntu or Redhat Enterprise, access to Varnish Enterprise is required. Please get in touch at support@varnish-software.com for more information.
On all platforms, the package is named varnish-plus-ha and can be installed using the usual package manager:
Debian/Ubuntu:
sudo apt-get install varnish-plus-ha varnish-broadcaster
RHEL/CentOS:
sudo yum install varnish-plus-ha varnish-broadcaster
Note: VHA6 requires the Varnish Broadcaster.
VHA6 retired the use of vha-agent in favor of Varnish Broadcaster, thus vha-agent should be disabled to avoid conflicts:
sudo systemctl stop vha-agent
sudo systemctl disable vha-agent
Note: If you’re upgrading, remove the legacy VHA VCL by including vha_40.vcl or vha_41.vcl in the above command and remove all vha_opts.set() calls.
Create a /etc/varnish/nodes.conf file describing the VHA6 cluster.
Each host in the cluster needs a single entry. The entry name is the hostname.
The entry value is the routable address and port for that host.
This file should be identical across the whole cluster.
Example:
alpha = 1.2.3.4
bravo = [1:2::3]:45
charlie = https://5.6.7.8:90
delta = http://[1::2]
If you’re upgrading, your original nodes.conf can be reused.*
It’s essential that the names in your nodes.conf exactly match the hostnames of the nodes. If not, VHA6 will fallback to the public interface. The node name should also be the fully qualified domain name of the node.
If using groups, set the corresponding VHA6 broadcaster_group
setting.
This is done in vcl_init.
broadcaster is enabled and running:sudo systemctl enable broadcaster
sudo systemctl start broadcaster
include "vha6/vha_auto.vcl";
sub vcl_init {
vha6_opts.set("token", "secret123");
call vha6_token_init;
}
Change the token value of secret123 to a unique secret value.
This should be identical across your cluster.
To disable VHA6 on a single node, replace the vha6/vha_auto.vcl include with:
include "vha6/vha_disable.vcl";
This will gracefully opt the node out of the VHA6 architecture while allowing other nodes to operate.
To permanently disable VHA6 across an entire architecture, disable each node as described above and then remove all VHA6 VCL from the configuration.
Varnish High Availability 6 requires the use of vcl 4.1 in your parent VCL.
If your VCL is using 4.0, replace the vha6/vha_auto.vcl include with:
include "vha6/vha_auto_legacy_40.vcl";
The VHA6 configuration needs to be applied to the parent VCL and all labels that will replicate objects.
When using Total Encryption, include it before VHA6:
include "total-encryption/random_key.vcl";
include "vha6/vha_auto.vcl";
This applies to both random_key and secret_key encryption.
If you’re using the same secret key across your entire cluster, you can skip decryption
during VHA6 transactions by putting the secret_key include after VHA6:
include "vha6/vha_auto.vcl";
include "total-encryption/secret_key.vcl";
Note: If you’re using header encryption, contact support for VHA6 usage.
Note: This is not needed for Version 6.0.5 or later.
Version 6.0.4 or earlier:
Add the following line to vcl_init to allow req.* bans to update into cache:
vha6_opts.set("force_update", "true");
If using obj.* bans, force_update can be left as the default.