SSL and caching with pound, varnish and apache on Debian
I’m migrating everything to BigV.
BigV, for the uninitiated, is a “cloud” hosting service from Bytemark. You build virtual machines using qemu and kvm, assign virtual disks from a pool of RAID-backed disks and add in the networking you need. It’s rather fantastic.
I have building new servers down to a fine art at this point. All new servers follow a very simple standard.
They all have a few common properties:
- Debian (wheezy)
- They’re all web servers
- They’re all going to run an SSL service
- They all need some kind of backup
With this in mind I’ve been using Salt to push some common configuration to the machines. I can’t take credit for writing most of this, as Rob Myers wrote a lot of it when we migrated Libre.fm to BigV, but this is using BigV at a different scale.
I build a typical new machine out by pasting this (from gedit, not Emacs) into a new Terminal:
echo -e "\n\ndeb http://debian.saltstack.com/debian wheezy-saltstack main\n\n" >> /etc/apt/sources.list
wget -q -O- "http://debian.saltstack.com/debian-salt-team-joehealy.gpg.key" | apt-key add -
apt-get update -q
apt-get dist-upgrade -y
apt-get install -y pound varnish php5 rsync htop emacs23-nox apache2 sudo salt-minion php5-mysql dtrx mysql-server exim4
dpkg-reconfigure exim4-config
perl -p -i -e "s/#master: salt/master: example.com/g" /etc/salt/minion
This, with limited prompting, sets up a machine with all the things I need: salt, emacs, php, pound, varnish and a few other things, plus the ability to send email.
Pound is configured as such:
/etc/pound/pound.file
A text file containing my SSL crt, SSL key and my intermediate crt (Gandi in my case), in succession.
/etc/pound/pound.cfg
Ripping out the default ‘ListenHTTP’ block and replacing it with:
ListenHTTPS
    Address public-ip-address
    Port    443
    # Server certificate, private key and intermediate chain, concatenated in that order
    Cert    "/etc/pound/pound.file"
    # Tell the backend the client connection was TLS ...
    AddHeader  "X-Forwarded-Proto: https"
    # ... and drop any X-Forwarded-Proto the client itself supplied, so the
    # backend only ever sees the value pound asserted
    HeadRemove "X-Forwarded-Proto"

    Service
        BackEnd
            Address 127.0.0.1
            Port    80
        End
    End
End
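Because pound.file carries the private key alongside the certificates, it is worth checking it before pointing pound at it. The script below is an added example, not part of the original post or of pound itself: it walks the PEM headers of the concatenated file and reports whether it has exactly one private key, a server certificate followed by at least one intermediate, and permissions that keep the key private. The file layout (certificate, key, intermediate) is the one described above; the sample PEM bodies it writes are constructed placeholders, not real key material.

```shell
#!/bin/sh
# check_pound_file.sh: sanity-check the concatenated PEM file that pound's
# "Cert" directive points at. Assumed layout (as in the post): server
# certificate, then its private key, then the intermediate certificate(s).
# Added example; nothing here is pound's own code.

# Prints a single verdict word and returns 0 only for "ok".
check_pound_file() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "unreadable"
        return 1
    fi

    # One pass over the PEM headers, emitting: <cert count> <key count> <type of first block>
    summary=$(awk '
        { sub(/\r$/, "") }   # tolerate CRLF line endings
        /^-----BEGIN CERTIFICATE-----$/            { n++; type[n] = "CERT"; certs++ }
        /^-----BEGIN (RSA |EC )?PRIVATE KEY-----$/ { n++; type[n] = "KEY";  keys++ }
        END { printf "%d %d %s\n", certs + 0, keys + 0, type[1] }
    ' "$file")
    # Word-splitting $summary into positional parameters is intended here.
    set -- $summary
    certs=$1; keys=$2; first=$3

    # Exactly one private key: none means pound cannot serve TLS at all,
    # two means a stray key is being shipped in the same file.
    if [ "$keys" -ne 1 ]; then
        echo "key-count"
        return 1
    fi
    # Server certificate plus at least one intermediate; without the chain,
    # clients that have not cached the issuer fail validation.
    if [ "$certs" -lt 2 ]; then
        echo "chain-missing"
        return 1
    fi
    # The first certificate in the file is the one presented as the server
    # certificate; everything after it is treated as the chain.
    if [ "$first" != "CERT" ]; then
        echo "order"
        return 1
    fi
    # The file holds the private key, so group/other must have no access.
    perm=$(ls -ld "$file" | cut -c5-10)
    if [ "$perm" != "------" ]; then
        echo "permissions"
        return 1
    fi
    echo "ok"
}

# Writes a constructed pound.file to the given path. The base64 bodies are
# placeholders standing in for real PEM data; they are not a usable key or cert.
write_sample_pound_file() {
    {
        echo '-----BEGIN CERTIFICATE-----'
        echo 'Y29uc3RydWN0ZWQgc2VydmVyIGNlcnRpZmljYXRl'
        echo '-----END CERTIFICATE-----'
        echo '-----BEGIN RSA PRIVATE KEY-----'
        echo 'Y29uc3RydWN0ZWQgcHJpdmF0ZSBrZXk='
        echo '-----END RSA PRIVATE KEY-----'
        echo '-----BEGIN CERTIFICATE-----'
        echo 'Y29uc3RydWN0ZWQgaW50ZXJtZWRpYXRl'
        echo '-----END CERTIFICATE-----'
    } > "$1"
    chmod 600 "$1"
}

# Stand-alone run: build the constructed sample in a temp dir and check it.
demo_dir=$(mktemp -d)
write_sample_pound_file "$demo_dir/pound.file"
echo "$demo_dir/pound.file: $(check_pound_file "$demo_dir/pound.file")"
rm -rf "$demo_dir"
```

Run it against the real file with `check_pound_file /etc/pound/pound.file` before `service pound restart`; a "permissions" verdict is fixed with `chmod 600`, the others by re-concatenating the pieces in the order given above. It only inspects PEM headers, so a cert/key mismatch still needs an `openssl` modulus comparison on the separate files.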
Varnish is then configured to run on port 80 by editing /etc/default/varnish, and Apache runs on port 8080 by editing /etc/apache2/ports.conf and the relevant VirtualHost in /etc/apache2/sites-enabled/. The result is an HTTPS server that passes itself off nicely to varnish and handles caching accordingly.
Annoyingly, GNU social doesn’t work well with this setup, so I reported a bug.