Pound / Varnish - In sovyet russia great success for Pandemic-Legion.com!

Ander · 2010-08-22, 15:11

I've done some considerable changes to how Pandemic-Legion.com www frontend works.

Previously everything was hosted on an apache, with fastcgi+php, xcache it would still run slow when the db backend was lagging and use a hefty amount of RAM serving small amount of users.

I've changed this to run "pound" as reverse proxy. Pound is a load-balance and SSL accelerator proxy. SSL serving is now much faster than when apache had to do it. We can now also add more content servers easily when we decide load balancing is needed. Pound supports sticky sessions, round robin and most other load balancing techniques out of the box!

It's configured with a HTTP listener and a HTTPS listener.
The HTTP listener forwards all connections on port 80 to port 433 and the HTTPS listener.

Pound is then serving requests from/to a caching proxy. In this case varnish which in turn is configured with a couple of vcl configs to serve cached content to users that arent logged in.
Varnish passes requests and serves and caches data from apache backend.

User -> Pound (Public 80/443 -> 443) -> Varnish (Local 6081) -> Apache (Local 80)

I had some issues forwarding the real client IP of visitors from pound to varnish to apache.

This is solved by two methods.

Background:
Most proxies set a http header with X-Real_Forwarded-For and Pound is no different.
Problem is when you got a second proxy inbetween. The second proxy will see the client IP being the first proxys IP.

The solution was to define in vcl

Code:

if (req.http.X-Forwarded-For) {
set req.http.X-Forwarded-For = req.http.X-Forwarded-For;
 } else {
    // Simply use the client IP if nothing forwarded in X-Forwarded-For - this should not happen
    set req.http.X-Real-Forwarded-For = regsub(client.ip, ":.*", "");
}

Pound will pass along a http header to varnish with the client IP in x-forwarded .
In varnish the x-forwarded-for value is updated with the already set x-forwarded-for value.

Headers arent editable while in the pipe, so Im not really worried about clients trying to spoof x-forwarded-for. Although this could use some testing.
Worst case scenario, all accesses are also logged with real IP in pound to syslog.

To make apache replace the remote_addr value in header we use an apache mod called mod_rpaf that does this for us.

The result is as following:
Cache hits are served for users who arent logged in. Improving both performance for non logged in and logged in users.

People who are logged in on forums and actively browsing the site will not get served cached results nor will their views get cached and served others.

There's also a grace period if backend (apache) doesnt respond for non logged in users. Which means varnish will serve content out of cache if apache has died for some reason.
Logged in users will still feel a bit sluggish during backups but the anonymous users wont hammer the site anymore.

I will work to improve the vcl config to varnish, adding support for purging cache when a new killmail/comment has been submitted. For now the ttl for cache is 5 minutes.

People are welcome to help improving the vcl (read varnish readme for the different vcl_recv, vcl_fetch, vcl_pipe etc etc)

Code:

# This is a basic VCL configuration file for varnish.  See the vcl(7)
# man page for details on VCL syntax and semantics.
# 
# Default backend definition.  Set this to point to your content
# server.
# 
backend default {
     .host = "127.0.0.1";
     .port = "80";
     .first_byte_timeout = 300s;
}

sub vcl_recv {

  // Rename the incoming XFF header to work around a Varnish bug.
  if (req.http.X-Forwarded-For) {
    // Append the client IP
    //set req.http.X-Real-Forwarded-For = req.http.X-Forwarded-For ", " regsub(client.ip, ":.*", "");
    set req.http.X-Forwarded-For = req.http.X-Forwarded-For;
    // unset req.http.X-Forwarded-For;
  }
  else {
    // Simply use the client IP
    set req.http.X-Real-Forwarded-For = regsub(client.ip, ":.*", "");
  }

# do not cache if user is logged in on vbulletin
if (req.http.cookie && req.http.cookie ~ "auth_user||IDstack") {
    return (pass);
}

	# do not cache wiki
	if ((req.url ~ "show_wiki.php")) {
		return (pass);
	}

	# do not cache register.php
	if ((req.url ~ "register.php")) {
		return (pass);
	}

	# do not cache profile.php
	if ((req.url ~ "profile.php")) {
		return (pass);
	}

	# do not cache manage
	if ((req.url ~ "/manage")) {
		return (pass);
	}

	# do not cache irc
	if ((req.url ~ "/irc")) {
		return (pass);
	}

	# do not cache login.php
	if ((req.url ~ "login.php")) {
		return (pass);
	}

# Properly handle different encoding types
if (req.http.Accept-Encoding) {
	if (req.url ~ "\.(jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|swf)$") {
	# No point in compressing these
		remove req.http.Accept-Encoding;
	} elsif (req.http.Accept-Encoding ~ "gzip") {
		set req.http.Accept-Encoding = "gzip";
	} elsif (req.http.Accept-Encoding ~ "deflate") {
		set req.http.Accept-Encoding = "deflate";
	} else {
	# unkown algorithm
		remove req.http.Accept-Encoding;
	}
}

# Cache things with these extensions
if (req.url ~ "\.(js|css|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|swf)$") {
    return (lookup);
}

# case backend lags
set req.grace = 10m;

if (req.request == "GET")
   {
       return (lookup);
   }
 
   if (req.url ~ "\.(gif|jpg|jpeg|swf|css|js|flv|mp3|mp4|pdf|ico)$")
   {
       return (lookup);
   }
 
   /* Nirvana */
   remove req.http.cookie;

}



sub vcl_deliver {

  # From http://varnish-cache.org/wiki/VCLExampleLongerCaching
  if (resp.http.magicmarker) {
     /* Remove the magic marker */
     unset resp.http.magicmarker;

     /* By definition we have a fresh object */
     set resp.http.age = "0";
   }

   #add cache hit data
   if (obj.hits > 0) {
     #if hit add hit count
     set resp.http.X-Cache = "HIT";
     set resp.http.X-Cache-Hits = obj.hits;
   }
else {
     set resp.http.X-Cache = "MISS";
   }

}

sub vcl_hash {

#vbulletin stuff
if (req.http.cookie && req.http.cookie ~ "auth_user||IDstack") { set req.hash += "auth"; }
    set req.hash += req.url;

 return (hash);
}

sub vcl_fetch
{

# do not cache if user is logged in on vbulletin
if (req.http.cookie && req.http.cookie ~ "bbuserid") {
    return (pass);
}

	# unset cookie for killboard
	if ((req.url ~ "/killboard")) {
		unset beresp.http.set-cookie;
	}


  set beresp.ttl = 600s;
  set beresp.grace = 600s;

   if (  beresp.http.Pragma        ~ "no-cache"
       || beresp.http.Cache-Control ~ "no-cache" 
       || beresp.http.Cache-Control ~ "private") {
       return (pass);
   }


   /**
    *  Strip vbulletin cookies
    */
  // if (beresp.http.Set-Cookie ~ "^bb.*=.*$")
  // {
  //     set beresp.http.X-Cookie = "Cookie removed";
  //     remove beresp.http.Set-Cookie;
  //}
     
}

sub vcl_hit
{
   if (!obj.cacheable)
   {
       return (pass);
   }

   set obj.http.X-Cache = "Cache-Hit";

   return (deliver);
}

//sub vcl_pipe { 
//  set bereq.http.X-Forwarded-For = req.http.X-Forwarded-For;
//  set bereq.http.X-Forwarded-For = regsub(bereq.http.X-Forwarded-For, "$", ", ");
//  set bereq.http.X-Forwarded-For = regsub(bereq.http.X-Forwarded-For, "$", client.ip);
//  set bereq.http.Cookie = req.http.X-Оrig-Cookiе;
//  set bereq.http.connection = "close";
//}

Ander · 2010-08-25, 21:13

Update. I think I've rooted out the quirkѕ.
An updatеd vlc file can be found at http://www.pandemic-legion.com/vcl.txt

Also - we've now separated the the SSL reverseproxy and the caching proxy from the backend.

Basicly we put the backend on a separate VPS on a separate host.
Varnish and pound wont bring down the backend during heavy load and be entirely dedicated to caching/proxying.

We're also going to be able to quite easily add more backends and loadbalance in the future.

Rn Bonnet · 2010-09-07, 15:44

Оnе thing to note is the current forum behaviors consistent when not under load and also when under load. It seems to me that there must be some small set of db quires or scripts that are running for inordinate amounts of time and causing the 503 errors.

Ander · 2010-09-08, 14:20

yeѕ I'vе noticed. I got to setup a second backend vcl so that forums dont go down when killboard responds slowly due to separate killboard db.

Ander · 2010-09-14, 05:10

Upgraded VMWare ESXi from 4.0 to 4.1 (more performance)
PL vpѕ:еs distributed more evenly.

Setup a different backend policy for forums and changed timeouts to be much more lax.
This should allow forums to act as before varnish and just respond slower whenever we get hit hard without going into reinforced and giving guru meditation.

Problem was that when varnish detected forums werent fast enough it would show guru meditation since it wasnt allowed to serve out of cache and didnt leave connections open long enough to still attempt to get data.
Basicly‚ ruleѕ arе now less strict.

2010-08-25, 21:13	#2
Ander OSHIT are drama queens Sniggerdly - Euro Alts: Xyzox, Theodorovik, Novakaine Kills: 4,338,019 (4,514) Losses: 75,813 (153) Epeen Donations: 13M Posts: 4,009 Join Date: 2007 Jan Downloads: 23 Uploads: 2	Update. I think I've rooted out the quirkѕ. An updatеd vlc file can be found at http://www.pandemic-legion.com/vcl.txt Also - we've now separated the the SSL reverseproxy and the caching proxy from the backend. Basicly we put the backend on a separate VPS on a separate host. Varnish and pound wont bring down the backend during heavy load and be entirely dedicated to caching/proxying. We're also going to be able to quite easily add more backends and loadbalance in the future. Last edited by Ander; 2010-08-25 at 21:13.

2010-09-07, 15:44	#3
Rn Bonnet Pandemic Legion Sniggerdly - US Alts: Lady Bonnet, Ms Word Kills: 2,370,177 (1,477) Losses: 35,779 (167) Posts: 1,253 Join Date: 2009 Mar Downloads: 14 Uploads: 1	Оnе thing to note is the current forum behaviors consistent when not under load and also when under load. It seems to me that there must be some small set of db quires or scripts that are running for inordinate amounts of time and causing the 503 errors.
$Add Infraction for Rn Bonnet$

2010-09-08, 14:20	#4
Ander OSHIT are drama queens Sniggerdly - Euro Alts: Xyzox, Theodorovik, Novakaine Kills: 4,338,019 (4,514) Losses: 75,813 (153) Epeen Donations: 13M Posts: 4,009 Join Date: 2007 Jan Downloads: 23 Uploads: 2	yeѕ I'vе noticed. I got to setup a second backend vcl so that forums dont go down when killboard responds slowly due to separate killboard db.

2010-09-14, 05:10	#5
Ander OSHIT are drama queens Sniggerdly - Euro Alts: Xyzox, Theodorovik, Novakaine Kills: 4,338,019 (4,514) Losses: 75,813 (153) Epeen Donations: 13M Posts: 4,009 Join Date: 2007 Jan Downloads: 23 Uploads: 2	Upgraded VMWare ESXi from 4.0 to 4.1 (more performance) PL vpѕ:еs distributed more evenly. Setup a different backend policy for forums and changed timeouts to be much more lax. This should allow forums to act as before varnish and just respond slower whenever we get hit hard without going into reinforced and giving guru meditation. Problem was that when varnish detected forums werent fast enough it would show guru meditation since it wasnt allowed to serve out of cache and didnt leave connections open long enough to still attempt to get data. Basicly‚ ruleѕ arе now less strict.

(View-All) Members who have read this thread : 13
Ander, Captain Thunk, Fintroll, Hubris, Jogyn, Kearl, Lenid Kalkin, MaZ, mazzilliu, Rn Bonnet, Shadoo, Shamis Orzoz, slackjawed

vBulletin Message

Cancel Changes