Varnish High Availability


This page describes the settings that are supported when using Varnish High Availability 6.


Global settings must be configured in vcl_init. Each setting is shown with its default value.

vha6_opts.set("token", "[secret]");

  • HMAC signing key used in all transactions. This key is used for signing and is never exposed in an actual transaction. It must be identical across all nodes.

  • After setting the key, the statement call vha6_token_init; must be used. Failing to set a token or to call the init function will prevent Varnish from successfully loading the VCL.

vha6_opts.set("broadcaster_scheme", "http");

  • Scheme to use when connecting to Broadcaster
  • Can be http or https
  • If using https, make sure Broadcaster is configured for HTTPS.

vha6_opts.set("broadcaster_host", "localhost");

  • Host to use when connecting to Broadcaster

vha6_opts.set("broadcaster_port", "8088");

  • Port to use when connecting to Broadcaster

vha6_opts.set("broadcaster_group", "");

  • Group to broadcast to
  • Defined in the nodes.conf
  • Defaults to all nodes in the root configuration

vha6_opts.set("broadcaster_force_sync", "false");

  • If true, immediately attempt to flush the broadcast request to the remote host. Otherwise, the broadcast is flushed in the background.

  • Defaults to false.

vha6_opts.set("broadcaster_ssl_verify_peer", "true");

  • If using SSL, validate Broadcaster node’s certificate chain.

vha6_opts.set("broadcaster_ssl_verify_host", "false");

  • If using SSL, verify Broadcaster node’s identity in the SSL certificate.

vha6_opts.set("origin_scheme", "");

  • Scheme for peers to use to connect back to the VHA6 origin node
  • Defaults to the scheme defined in the nodes.conf
  • If no match is found and Varnish or Hitch is listening on port 443, https is used, otherwise http.

vha6_opts.set("origin", "");

  • Hostname or IP of the origin node
  • Defaults to the value defined in the nodes.conf, otherwise server.ip

vha6_opts.set("origin_port", "");

  • Port for peers to use to connect back to the VHA6 origin node
  • Defaults to the port defined in the nodes.conf
  • If no match is found, the listening port for Varnish or Hitch is used.

vha6_opts.set("origin_ssl", "");

  • Enables or disables SSL communication when talking to the VHA6 origin node
  • Defaults to the scheme defined in the nodes.conf
  • origin_scheme overrides this value.

vha6_opts.set("origin_ssl_sni", "true");

  • If using SSL, enable SNI when connecting to the origin node.

vha6_opts.set("origin_ssl_verify_peer", "true");

  • If using SSL, validate the origin node’s certificate chain.

vha6_opts.set("origin_ssl_verify_host", "false");

  • If using SSL, verify the origin node’s identity in the SSL certificate.

vha6_opts.set("allow_locahost", "false");

  • Allows a localhost address for the origin node

vha6_opts.set("allow_stale", "false");

  • Allows stale objects to be transferred

vha6_opts.set("fetch_timeout", "");

  • How long to wait for a VHA_FETCH to complete. This is a VCL duration.

vha6_opts.set("force_fast304", "false");

  • Attempts to use fast_304() on all VHA6 transactions
  • Only applies to objects with 304 origin responses

vha6_opts.set("force_update", "false");

  • Forces all VHA6 transactions to update an existing object in cache
  • Default keeps existing objects in cache when replicating a duplicate

vha6_opts.set("keep_alive", "120s");

  • Once a VHA6 request is validated, sets the session’s timeout_idle to this value
  • Default is twice the default value of backend_idle_timeout to maximize the re-use of connections from other nodes

vha6_opts.set("min_ttl", "3s");

  • If an object has a ttl value equal to or less than this value, the object won’t be replicated.

vha6_opts.set("max_requests_sec", "200");

  • Max number of VHA_BROADCAST requests per second sent by a Varnish node. When the limit is exceeded, the error_rate_limited counter is incremented.
  • Max number of VHA_BROADCAST or VHA_FETCH requests per second received by a Varnish node that will be processed by VHA6. When the limit is exceeded, the error_rate_limited counter is incremented.
  • Max number of inflight VHA_BROADCAST requests sent by a Varnish node and awaiting completion. When the limit is exceeded, the error_max_broadcasts counter is incremented.

See varnishstat on VHA6 monitoring for other noteworthy counters.

Important notes

The max_requests_sec setting acts on both the sending and receiving ends. With a value of 200 in a cluster of four Varnish nodes all broadcasting 100 cache insertions per second on average, the result is 300 VHA_BROADCAST requests received by each node per second. That means that 100 of them will be rejected each second, leaving no room for subsequent VHA_FETCH requests. To avoid a stalemate situation in a VHA6 cluster, the setting should be tuned to accommodate the receiving end.

vha6_opts.set("max_bytes", "25000000");

  • If an object has a Content-Length larger than this value, it’s not replicated.
  • Chunked responses cannot be evaluated for this parameter.

vha6_opts.set("peer_stream", "true");

  • Stream objects through the peers

vha6_opts.set("token_ttl", "2m");

  • How long the token HMAC signature is valid on VHA6 transactions.
  • Represents the max clock skew allowed between servers

vha6_opts.set("vcs", "true");

  • Toggles VCS logging

vha6_opts.set("vcs_key", "vcs-key");

  • Changes the VCS key prefix

vha6_opts.set("origin_backend_linger", "10s");

  • Determines how long dynamic backends used for peer fetches should linger before being deleted
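
The following check is an added example, not part of the original page or of Varnish tooling. It reads the vha6_opts.set() calls of a vcl_init block, applies the defaults listed above, and reports a missing token or init call, TLS verification left off when a scheme is https, and a max_requests_sec value too low for the receiving end as described under "Important notes". The function names, the sample VCL and the choice of findings are assumptions of this example.

```python
import re

# Defaults copied from this page for the settings the audit inspects.
DEFAULTS = {
    "broadcaster_scheme": "http",
    "broadcaster_ssl_verify_peer": "true",
    "broadcaster_ssl_verify_host": "false",
    "origin_scheme": "",
    "origin_ssl_verify_peer": "true",
    "origin_ssl_verify_host": "false",
    "max_requests_sec": "200",
}
SET_RE = re.compile(r'vha6_opts\.set\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;')

def effective_opts(vcl_text):
    """Return (defaults overlaid with uncommented set() calls, uncommented VCL)."""
    live = "\n".join(l for l in vcl_text.splitlines()
                     if not l.lstrip().startswith(("#", "//")))
    return {**DEFAULTS, **dict(SET_RE.findall(live))}, live

def audit(vcl_text, nodes, inserts_per_node_sec):
    """Return a list of findings for one node's VHA6 global settings."""
    opts, live = effective_opts(vcl_text)
    findings = []
    if not opts.get("token") or "call vha6_token_init;" not in live:
        findings.append("token: key or vha6_token_init missing, VCL will not load")
    for side in ("broadcaster", "origin"):
        if opts[side + "_scheme"] != "https":
            continue  # the verify_* options only matter when TLS is in use
        for check in ("verify_peer", "verify_host"):
            key = f"{side}_ssl_{check}"
            if opts[key] != "true":
                findings.append(f"{key}: TLS to the {side} skips this check")
    # Each node receives the broadcasts of every other node in the cluster.
    received = (nodes - 1) * inserts_per_node_sec
    if received > int(opts["max_requests_sec"]):
        findings.append(f"max_requests_sec: {received} VHA_BROADCAST/s exceeds the limit")
    return findings

# Constructed sample: HTTPS to Broadcaster, host verification left commented out.
SAMPLE_VCL = '''
sub vcl_init {
    vha6_opts.set("token", "constructed-example-key");
    call vha6_token_init;
    vha6_opts.set("broadcaster_scheme", "https");
    # vha6_opts.set("broadcaster_ssl_verify_host", "true");
}
'''

print("\n".join(audit(SAMPLE_VCL, nodes=4, inserts_per_node_sec=100)))
```
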


Request settings must be configured in vcl_backend_fetch or vcl_backend_response and are shown with the default values.

vha6_request.set("skip", "false");

  • If set to true, this request won’t be replicated.

vha6_request.set("force_update", "false");

  • Forces this VHA6 transaction to update an existing object in cache


Hooks allow for custom VCL code to execute during specific VHA6 states. To set up hooks, run the following commands:

mkdir -p /etc/varnish/vha6/hooks
cp /usr/share/varnish-plus/vcl/vha6/hooks/states.vcl /etc/varnish/vha6/hooks

This installs a default VHA6 hooks file at /etc/varnish/vha6/hooks/states.vcl. Edit this file to add custom VCL to the defined VHA6 hooks.