Varnish Caching Proxy

And the FOSHttpCacheBundle

SFUGZH, May 14th 2014
© David Buchmann, Liip AG

Step 1

apt-get update
apt-get install varnish

Step 2

Edit /etc/default/varnish, replace port 6081 by port 80
Edit webserver config to run on port 8080

service apache2 restart
service varnish restart

What could possibly go wrong?

Nothing gets cached (HTTP Headers)
Too much gets cached (also HTTP Headers)
Editors see no changes (cache invalidation)
Caches get mixed up (personal content)

What is a reverse proxy again?

HTTP is simple

GET /path

HTTP/1.1 200 OK
Content-Type: text/html

<html>...</html>

HTTP verbs

GET
HEAD
POST
PUT
DELETE
...

HTTP response codes

1xx hold on
2xx here you go
3xx go away
4xx you fucked up
5xx I fucked up

https://twitter.com/stevelosh/status/372740571749572610

Default Varnish behaviour

Only attempt to cache GET and HEAD request
Never cache request with cookies / authorization
Never cache response with set-cookie
Only cache response with status 200, 203, 300, 301, 302, 307, 404, 410

http://httpstatusdogs.com

Cache control headers

Cache-Control: s-maxage=3600, max-age=900
Expires: Thu, 15 May 2014 08:00:00 GMT

s-maxage
max-age
Expires

Do not cache

Cache-Control: s-maxage=0, private, no-cache

Varnish 3 does not respect no-cache, but s-maxage=0.
Varnish 4 does.

Keep variants apart

Vary: Accept, Cookie

Cache validation (I)

Last-Modified: Tue, 13 May 2014 08:13:20 GMT

If-Modified-Since: Tue, 13 May 2014 08:13:20 GMT

304 Not Modified

Cache validation (II)

ETag: 82901821233

If-None-Match: 82901821233

304 Not Modified

There are dog images too, but I won't show the 304 one.

Know your tools

Follow a link: Use cache if allowed, If-Modified-Since / If-None-Match
ctrl-r or reload button in firefox / chrome: If-Modified-Since / If-None-Match
Force reload: Make sure the browser ignores all local caches
- Firefox: shift-ctrl-R
- Chrome: shift-ctrl-R or shift-F5
- Clear browser cache

Tools and helpers

firebug / chrome network tab in debug toolbar (copy URL as curl!)

                wget -Sq --spider http://localhost/path.html
                curl -o /dev/null -sD - http://cmf.lo/app_dev.php

Default Symfony headers

            HTTP/1.1 200 OK
            Date: Wed, 12 May 2014 08:20:06 GMT
            Cache-Control: no-cache
            Vary: Accept-Language,Accept-Encoding
            Content-Type: text/html; charset=UTF-8

Set Symfony cache headers

// DefaultController::indexAction
$response = $this->render('::index.html.twig');
$response->setMaxAge(600);
$response->setPublic();

return $response;

Add such code to every action that renders a response.
Or annotate every action with @Cache.

FOSHttpCacheBundle

fos_http_cache:
  rules:
    # login must not be cached
    -
      match:
        path: ^/(login|login_check|logout)
      controls:
        private: true
        max_age: 0
    # Cache the homepage for 10 minutes
    -
      match:
        path: ^/$
        vary: Cookie
      controls:
        public: true
        max_age: 600

FOSHttpCacheBundle

# ...
# Cache everything else for 1 hour
-
  match:
    path: ^/
    vary: Cookie
  controls:
    public: true
    max_age: 3600

Clear the Symfony cache whenever you change values here

Lets look into Varnish

Reverse proxy
Domain specific language: VCL
Hook function for each step
Configuration compiled to machine code at Varnish startup
Loadbalance, handle downtimes of webserver

Restart Varnish like a pro

Restart to start with empty cache
Restart to see changed configuration

VCL

            vcl_recv: entry point, lookup or pass
            vcl_pass: request from backend
            vcl_fetch: receive from backend, cache or not
            vcl_deliver: remove headers not for client
            
            vcl_hash: determine cache key
            vcl_hit: found in cache, deliver or pass
            vcl_miss: pass or fetch
            vcl_pipe: do not alter request
            vcl_error: define error page

Warning!

Varnish does what you tell it

Think carefully and test thoroughly

VCL: Remove cookies

sub vcl_recv {
    if (req.http.Cookie) {
        if (req.url ~ "^/static") {
            remove req.http.Cookie;
        }
    }
}

VCL: Debug hit or miss

sub vcl_deliver {
    if (obj.hits > 0) {
        set resp.http.X-Cache = "HIT";
    } else {
        set resp.http.X-Cache = "MISS";
    }
}

VCL: Custom TTL

fos_http_cache:
    rules:
            #...
            reverse_proxy_ttl: 600

sub vcl_fetch {
  ...
  if (beresp.http.X-Reverse-Proxy-TTL) {
    C{
      char *ttl;
      ttl = VRT_GetHdr(sp, HDR_BERESP, "\024X-Reverse-Proxy-TTL:");
      VRT_l_beresp_ttl(sp, atoi(ttl));
    }C
    unset beresp.http.X-Reverse-Proxy-TTL;
  }
  ...

Cache Invalidation

There are only two hard things in computer science:

Cache invalidation
Naming things
Off by one errors

Cache busting

Very long cache lifetime for assets
Append ?version to asset links
Query string to miss the cache

# app/config.yml
framework:
  templating:
    assets_version: v1

<link rel="stylesheet" href="/css/style.css?v1" type="text/css"/>
...
<script src="/js/scripts.js?v1"></script>

Explicit cache invalidation

Long cache lifetime on varnish
Explicitly tell varnish to invalidate cached URLs
When not detectable if content changes: Low lifetime

Invalidation flavors

Purge: URL and all variants
Refresh: Remove cache for this exact request
Ban: Batch invalidation with regular expression

FOSHttpCacheBundle proxy client

// CommentsController::postAction
// the page changed, send a purge request for this url
...
$path = $this->generate('page', array(
    'id' => $post->getPage()->getId())
);
$cacheManager = $container->get('fos_http_cache.cache_manager');
$cacheManager->invalidatePath($path);
...

Configure client

# app/config.yml

fos_http_cache:
    proxy_client:
        varnish:
        servers: 4.4.4.11:80, 4.4.4.22:80
        base_url: yourwebsite.com

Configure Varnish

# default.vcl
sub vcl_recv {
    if (req.request == "PURGE") {
        if (!client.ip ~ invalidators) {
            error 405 "PURGE not allowed";
        }
        return (lookup);
    }
}
sub vcl_hit {
    if (req.request == "PURGE") {
        purge;
        error 200 "Purged";
    }
}
sub vcl_miss { // same as hit

Banning

Regular expression matching
On any request headers, not only path

Refresh

Invalidate exact request
And fetch it again to have warmed up cache
No variants

Cache Tagging

/** @var $cm CacheManageer */
$cm->tagResponse($response, array('comment-42'));
...
$cm->invalidateTags(array('comment-42'));

use FOS\HttpCacheBundle\Configuration\Tag;

class CommentController extends Controller
{
    /**
     * @Tag({"comments", "'comment-'~id"})
     */
    public function commentAction($id)
    {
        // ...

Cache Tagging

ban("obj.http.host ~ " + req.http.x-host
    + " && obj.http.x-url ~ " + req.http.x-url
    + " && obj.http.content-type ~ " + 
                       req.http.x-content-type
    + " && obj.http.x-cache-tags ~ " + 
                         req.http.x-cache-tags
);

Conclusions

Varnish is powerful
Varnish is dangerous
Using FOSHttpCacheBundle makes live easier
KISS VCL!

Outlook: FOSHttpCacheBundle

About to add Nginx support
About to add group based login
Stable release this summer

Outlook: Varnish is a powerful tool

Study Varnish: varnish-cache.org
Personalized sites: Look into Edge Side Includes

Varnish 4

Respond stale content while updating from backend
Cleanups in VCL

Outlook: Where to go from here

Questions / Input / Feedback ?

Twitter: @dbu

Use Edge Side Includes

Symfony creates special links for page elements
Varnish fetches and caches elements separatly
Individual caching rules per element
E.g. only some elements vary on cookie

Enable ESI in Symfony

# app/config/config.yml
framework:
  esi: { enabled: true }
# app/config/routing.yml
_internal:
  resource: "@FrameworkBundle/Resources/config/routing/internal.xml"
  prefix:   /_internal

Make sure either your webserver is only reachable by Varnish or add access restrictions for /_internal

{# index.html.twig #}
{% render 'DbuCoreBundle:Comments:comments' 
      with {}, {'standalone': true} %}

Adjust cache settings

Only have Vary: Cookie where its the case
Exclude _internal from cache rules
Set cache rules for the ESI - exposed actions

fos_http_cache:
  rules:
    # do not apply rules to _internal
    -
      match:
        path: ^/_internal
      # no controls

Fragment controllers

// UserController::showBoxAction
$response = $this->render(
    'DbuCoreBundle:User:box.html.twig');
$response->setVary('Cookie', false);
$response->setMaxAge(0);
$response->setPrivate();
return $response;

// CommentsController::commentsAction
$response = $this->render(
    'DbuCoreBundle:Comments:comments.html.twig',
    array('comments' => $this->getComments()));
$response->setMaxAge(3600);
$response->setPublic();

return $response;

Purge just the comments fragment

$cm = $container->get('fos_http_cache.cache_manager');
$kernel = $this->container->get('http_kernel');
$path = $kernel->generateInternalUri(
    'DbuCoreBundle:Comments:comments'
);
$cm->invalidatePath($path);

Note: generateInternalUri is helpful but does not check if controller exists

ESI response

$ app/console cache:clear --env=prod --no-debug
$ curl -H "Surrogate-Capability: abc=ESI/1.0" \
    http://performance.lo/

...
<esi:include src="/_internal/secure/DbuCoreBundle%3AUser%3AshowLogin/none.html" onerror="continue" />
...
<esi:include src="/_internal/secure/DbuCoreBundle%3AComments%3Acomments/none.html" onerror="continue" />
...

Enable ESI in Varnish

sub vcl_recv {
  set req.http.Surrogate-Capability = "abc=ESI/1.0";
  # try to lookup even if there is a cookie
  return (lookup);
}

sub vcl_fetch {
  if (beresp.http.Surrogate-Control ~ "ESI/1.0") {
    unset beresp.http.Surrogate-Control;
    set beresp.do_esi = true;
  }
  if (beresp.http.Vary) {
    return (pass);
  }
}

Make sure others do not cache

sub vcl_deliver {
  if (! req.url ~ ".*\.(css|js|png)(\?.*)?$") {
    set resp.http.Vary = "Cookie";
    unset resp.http.Last-Modified;
  }
}