Matt Lee

I'm Matt Lee, one of the folks behind Foo Communications, a company/experiment in music and social media, including Libre.fm, a new social media platform that offers musicians exclusive promotion and play in exchange for licensing their music under a free culture license, and GNU social, a federated social networking project.

SSL and caching with pound, varnish and apache on Debian

I’m migrating everything to BigV.

BigV, for the uninitiated, is a “cloud” hosting service from Bytemark. You build virtual machines using qemu and kvm, assign virtual disks from a pool of RAID-backed disks and add in the networking you need. It’s rather fantastic.

I have building new servers down to a fine art at this point. All new servers follow a very simple standard.

They all have a few common properties:

  • Debian (wheezy)
  • They’re all web servers
  • They’re all going to run an SSL service
  • They all need some kind of backup

With this in mind I’ve been using Salt to push some common configuration to the machines. I can’t take credit for writing most of this, as Rob Myers wrote a lot of it when we migrated Libre.fm to BigV, but this is using BigV at a different scale.

I build a typical new machine out by pasting this (from gedit, not Emacs) into a new Terminal:

echo -e "\n\ndeb http://debian.saltstack.com/debian wheezy-saltstack main\n\n" >> /etc/apt/sources.list
wget -q -O- "http://debian.saltstack.com/debian-salt-team-joehealy.gpg.key" | apt-key add -

apt-get update -q
apt-get dist-upgrade -y
apt-get install -y pound varnish php5 rsync htop emacs23-nox apache2 sudo salt-minion php5-mysql dtrx mysql-server exim4

dpkg-reconfigure exim4-config

perl -p -i -e "s/#master: salt/master: example.com/g" /etc/salt/minion

Which, with limited prompting, sets up a machine with all the things I need: salt, emacs, php, pound, varnish and a few other things, plus the ability to send email.

Pound is configured as such:

/etc/pound/pound.file

A text file containing my SSL crt, SSL key and my intermediate crt (Gandi in my case) in succession.

/etc/pound/pound.cfg

Ripping out the default ‘ListenHTTP’ block and replacing it with:

ListenHTTPS
    Address public-ip-address
    Port    443

    Cert "/etc/pound/pound.file"
    AddHeader "X-Forwarded-Proto: https"
    HeadRemove "X-Forwarded-Proto"
    Service
        BackEnd
            Address 127.0.0.1
            Port    80
        End
    End
End

Varnish is then configured to listen on port 80 by editing /etc/default/varnish, and Apache on port 8080 by editing /etc/apache2/ports.conf and the relevant VirtualHost definition in /etc/apache2/sites-enabled/ – the result is an HTTPS server that passes itself off nicely to varnish and handles caching accordingly.
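A check for the listen addresses this chain relies on, added here as an example and not part of the original post or the Salt states it describes: the X-Forwarded-Proto header that Pound sets is only meaningful if Varnish (80) and Apache (8080) are reachable from loopback alone, so the script flags any back end bound to a public address. It assumes the layout above (Pound on 443, Varnish on 80, Apache on 8080) and takes the Local Address column of netstat -ltn as input.

```shell
#!/bin/sh
# Added example, not from the original post.  The X-Forwarded-Proto header
# that Pound adds (the HeadRemove line in the listener is there so that a
# client-supplied copy does not survive) is only trustworthy if Varnish
# (port 80) and Apache (port 8080) accept connections from loopback alone;
# a back end bound to a public address could be reached without going
# through Pound at all.
#
# Input: one listener per line in netstat's "Local Address" form, e.g.
# "127.0.0.1:80" or ":::8080".  Assumed layout, as in the post: Pound on 443,
# Varnish on 80, Apache on 8080.

# check_listener ADDR:PORT -> prints a verdict; returns 0 if acceptable
check_listener() {
    addr=${1%:*}      # everything before the last colon
    port=${1##*:}     # everything after the last colon
    case "$port" in
        80|8080)
            # Back-end tiers must be bound to loopback only.
            case "$addr" in
                127.0.0.1|::1) echo "ok   $1 (loopback back end)"; return 0 ;;
                *) echo "BAD  $1 (back end reachable from the network)"; return 1 ;;
            esac ;;
        443)
            # The TLS front end is the one listener that is meant to be public.
            case "$addr" in
                127.0.0.1|::1) echo "BAD  $1 (pound only reachable from loopback)"; return 1 ;;
                *) echo "ok   $1 (public TLS front end)"; return 0 ;;
            esac ;;
        *)
            echo "skip $1 (not part of the pound/varnish/apache chain)"; return 0 ;;
    esac
}

# check_listeners reads listeners from stdin; returns the number of problems found.
check_listeners() {
    bad=0
    while read -r entry; do
        [ -n "$entry" ] || continue
        check_listener "$entry" || bad=$((bad + 1))
    done
    return "$bad"
}

# Live use on the server (net-tools' netstat, present on wheezy):
#   netstat -ltn | awk 'NR > 2 { print $4 }' | check_listeners
```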

Annoyingly, GNU social doesn’t work well with this setup, so I reported a bug.