Varnish High Availability


To install VHA6 on either Debian/Ubuntu or Redhat Enterprise, access to Varnish Enterprise is required. Please get in touch at for more information.

On all platforms, the package is named varnish-plus-ha and can be installed using the usual package manager:


sudo apt-get install varnish-plus-ha varnish-broadcaster


sudo yum install varnish-plus-ha varnish-broadcaster

Note: VHA6 requires the Varnish Broadcaster.


Disable vha-agent

VHA6 retired the use of vha-agent in favor of Varnish Broadcaster, thus vha-agent should be disabled to avoid conflicts:

sudo systemctl stop vha-agent
sudo systemctl disable vha-agent

Note: If you’re upgrading, remove the legacy VHA VCL by including vha_40.vcl or vha_41.vcl in the above command and remove all vha_opts.set() calls.

Set up the cluster

Create a /etc/varnish/nodes.conf file describing the VHA6 cluster. Each host in the cluster needs a single entry. The entry name is the hostname. The entry value is the routable address and port for that host. This file should be identical across the whole cluster.


alpha =
bravo = [1:2::3]:45
charlie =
delta = http://[1::2]

Important notes

  • If you’re upgrading, your original nodes.conf can be reused.*

  • It’s essential that the names in your nodes.conf exactly match the hostnames of the nodes. If not, VHA6 will fallback to the public interface. The node name should also be the fully qualified domain name of the node.

  • If using groups, set the corresponding VHA6 broadcaster_group setting. This is done in vcl_init.

Varnish configuration

  1. First, make sure the broadcaster is enabled and running:
sudo systemctl enable broadcaster
sudo systemctl start broadcaster
  1. Add the following configuration to the top of your VCL:
include "vha6/vha_auto.vcl";

sub vcl_init {
    vha6_opts.set("token", "secret123");
    call vha6_token_init;

Change the token value of secret123 to a unique secret value. This should be identical across your cluster.

Disabling VHA6

To disable VHA6 on a single node, replace the vha6/vha_auto.vcl include with:

include "vha6/vha_disable.vcl";

This will gracefully opt the node out of the VHA6 architecture while allowing other nodes to operate.

To permanently disable VHA6 across an entire architecture, disable each node as described above and then remove all VHA6 VCL from the configuration.

VCL 4.0

Varnish High Availability 6 requires the use of vcl 4.1 in your parent VCL. If your VCL is using 4.0, replace the vha6/vha_auto.vcl include with:

include "vha6/vha_auto_legacy_40.vcl";

VCL labels

The VHA6 configuration needs to be applied to the parent VCL and all labels that will replicate objects.

Total Encryption

When using Total Encryption, include it before VHA6:

include "total-encryption/random_key.vcl";
include "vha6/vha_auto.vcl";

This applies to both random_key and secret_key encryption.

If you’re using the same secret key across your entire cluster, you can skip decryption during VHA6 transactions by putting the secret_key include after VHA6:

include "vha6/vha_auto.vcl";
include "total-encryption/secret_key.vcl";

Note: If you’re using header encryption, contact support for VHA6 usage.

req.* bans

Note: This is not needed for Version 6.0.5 or later.

Version 6.0.4 or earlier:

Add the following line to vcl_init to allow req.* bans to update into cache:

vha6_opts.set("force_update", "true");

If using obj.* bans, force_update can be left as the default.