varnish: Installs and configures Varnish.varnish::controller::agent: Installs and manages Varnish Controller Agentvarnish::firewall: Usespuppetlabs/firewallmodule to open varnish listen portvarnish::hitch: Installs Hitch the SSL Offloading Proxy of Varnish Enterprisevarnish::install: Installs Varnishvarnish::ncsa: Allows setup of varnishncsavarnish::repo: This class installs aditional repos for varnishvarnish::shmlog: Mounts shmlog as tempfsvarnish::vcl: Manages the Varnish VCL configuration
varnish::service: Manages the Varnish service
varnish::vcl::acl: Defines an ACL Type of Varnish. Defined ACL's must be used in VCLvarnish::vcl::acl_membervarnish::vcl::backend: Defines a Backend for VCLvarnish::vcl::director: Defines a backend director in varnish vclvarnish::vcl::probe: Defines a VCL Probe, that can be used for healthchecks for backendsvarnish::vcl::selector: Adds a selector to handle multiple backends
varnish::vcl::includefile: Used by vcl.pp to create the config files with header sections
Varnish::Controller::Agent_name: Type for supported Agent Name of Controller AgentVarnish::Vcl::Ressource: Type for supported VCL VersionsVarnish::Vclversion: Type for supported VCL Versions
Installs and configures Varnish.
# enables Varnish service
# uses default VCL '/etc/varnish/default.vcl'
include varnish# sets Varnish to listen on port 80
# storage size is set to 2 GB
# vcl file is '/etc/varnish/my-vcl.vcl'
class { 'varnish':
varnish_listen_port => 80,
varnish_storage_size => '2G',
varnish_vcl_conf => '/etc/varnish/my-vcl.vcl',
}The following parameters are available in the varnish class:
service_ensureservice_enablereload_vclnfilesmemlockstorage_typevarnish_vcl_confvarnish_uservarnish_jail_uservarnish_groupvarnish_listen_addressvarnish_listen_portvarnish_proxy_listen_addressvarnish_proxy_listen_portvarnish_proxy_listen_socketvarnish_proxy_listen_socket_modevarnish_admin_listen_addressvarnish_admin_listen_portvarnish_min_threadsvarnish_max_threadsvarnish_thread_timeoutvarnish_storage_sizevarnish_secret_filevarnish_storage_filemse_configmse_config_filevarnish_ttlvarnish_enterprisevarnish_enterprise_vmods_extravcl_dirshmlog_dirshmlog_tempfsversionadd_repomanage_firewallvarnish_conf_templateconf_file_pathadditional_parametersdefault_versionadd_hitchadd_ncsa
Data type: Stdlib::Ensure::Service
Ensure for varnishservice
Default value: 'running'
Data type: Boolean
If Service should be enabled
Default value: true
Data type: Boolean
V4 paramter if Varnish will be reloaded - deprecated Will be removed when support for RHEL7 is dropped
Default value: true
Data type: String
passed to varnish conf-file
Default value: '131072'
Data type: String
passed to varnish conf-file
Default value: '100M'
Data type: String
which storage will be used for varnish - default malloc
Default value: 'malloc'
Data type: Stdlib::Absolutepath
path to main vcl file
Default value: '/etc/varnish/default.vcl'
Data type: String
passed to varnish-conf
Default value: 'varnish'
Data type: Optional[String]
passed to varnish-conf
Default value: undef
Data type: String
passed to varnish-conf
Default value: 'varnish'
Data type: Optional[String[1]]
Address varnish will bind to - default ''
Default value: undef
Data type: Stdlib::Port
port varnish wil bind to
Default value: 6081
Data type: String
address varnish binds to in proxy mode
Default value: '127.0.0.1'
Data type: Optional[Stdlib::Port]
port varnish binds to in proxy mode
Default value: undef
Data type: Optional[Stdlib::Absolutepath]
socket varnish binds to in proxy mode
Default value: undef
Data type: Stdlib::Filemode
Filemode for socket varnish binds to in proxy mode
Default value: '666'
Data type: String
address varnish binds to in admin mode
Default value: 'localhost'
Data type: Stdlib::Port
port varnish binds to in admin mode
Default value: 6082
Data type: String
minumum no of varnish worker threads
Default value: '5'
Data type: String
maximum no of varnish worker threads
Default value: '500'
Data type: String
Default value: '300'
Data type: String
defines the size of storage (depending of storage_type)
Default value: '1G'
Data type: Stdlib::Absolutepath
path to varnish secret file
Default value: '/etc/varnish/secret'
Data type: Stdlib::Absolutepath
defines the filepath of storage (depending of storage_type)
Default value: '/var/lib/varnish-storage/varnish_storage.bin'
Data type: Optional[String[1]]
MSE Config, see https://docs.varnish-software.com/varnish-cache-plus/features/mse/
Default value: undef
Data type: Stdlib::Absolutepath
filepath where mse config file will be stored
Default value: '/etc/varnish/mse.conf'
Data type: String
default ttl for items
Default value: '120'
Data type: Boolean
passed to varnish::install
Default value: false
Data type: Boolean
passed to varnish::install
Default value: false
Data type: Optional[Stdlib::Absolutepath]
dir where varnish vcl will be stored
Default value: undef
Data type: Stdlib::Absolutepath
location for shmlog
Default value: '/var/lib/varnish'
Data type: Boolean
mounts shmlog directory as tmpfs
Default value: true
Data type: String[1]
passed to puppet type 'package', attribute 'ensure'
Default value: present
Data type: Boolean
if set to false (defaults to true), the yum/apt repo is not added
Default value: false
Data type: Boolean
passed to varnish::firewall
Default value: false
Data type: String[1]
Template that will be used for varnish conf
Default value: 'varnish/varnish-conf.erb'
Data type: Stdlib::Absolutepath
path where varnish conf will be stored
Default value: '/etc/varnish/varnish.params'
Data type: Hash
additional parameters that will be passed to varnishd with -p
Default value: {}
Data type: Integer
Default major version of Varnish for that OS release
Default value: 6
Data type: Boolean
Add varnish::hitch class to install hitch
Default value: false
Data type: Boolean
Add varnish::ncsa class to install varnishncsa Service
Default value: false
Installs and manages Varnish Controller Agent
include varnish::controller::agentThe following parameters are available in the varnish::controller::agent class:
base_urlnats_servernats_server_portnats_server_usernats_server_passwordagent_nameinvalidation_hostpackage_namepackage_ensureservice_ensure
Data type: Stdlib::HTTPUrl
see https://docs.varnish-software.com/varnish-controller/installation/agents/#base-url
Data type: Stdlib::Host
Server for NATS Connection
Data type: Stdlib::Port
Port for Nats Connection
Default value: 4222
Data type: Optional[String]
User for Nats Connection
Default value: undef
Data type: Optional[Variant[Sensitive[String],String]]
Password for Nats Connection
Default value: undef
Data type: Varnish::Controller::Agent_name
see https://docs.varnish-software.com/varnish-controller/installation/agents/#setting-the-agent-name
Default value: $facts['networking']['hostname']
Data type: String[1]
see https://docs.varnish-software.com/varnish-controller/installation/agents/#varnish-interaction
Default value: '127.0.0.1:80'
Data type: String[1]
Name of the Package used for installation
Default value: 'varnish-controller-agent'
Data type: String[1]
Ensure of the Package
Default value: 'present'
Data type: Stdlib::Ensure::Service
Ensure of Agent Service
Default value: 'running'
Uses puppetlabs/firewall module to open varnish listen port
The following parameters are available in the varnish::firewall class:
Data type: Boolean
Manage firewall
Default value: false
Data type: Stdlib::Port
Port where varnish listens to
Default value: 6081
Installs Hitch the SSL Offloading Proxy of Varnish Enterprise
include varnish::hitchThe following parameters are available in the varnish::hitch class:
package_namepackage_ensureservice_ensureservice_nameconfig_pathconfig_templatefrontendsbackendpem_filesssl_enginetls_protosciphersciphersuitesworkersbacklogkeepalivechrootusergrouplog_levelsyslogsyslog_facilitydaemonwrite_proxysni_nomatch_aborttcp_fastopenalpn_protosadditional_parameters
Data type: String[1]
Define used package name
Default value: 'varnish-plus-addon-ssl'
Data type: String[1]
Ensure package
Default value: 'present'
Data type: Stdlib::Ensure::Service
Ensure Service status
Default value: 'running'
Data type: String[1]
Service name for hitch (must match installed)
Default value: 'hitch'
Data type: Stdlib::Absolutepath
Path for hitch config
Default value: '/etc/hitch/hitch.conf'
Data type: String[1]
Used EPP Config template
Default value: 'varnish/hitch.conf.epp'
Data type: Array[Struct[{ host => String[1],port => Stdlib::Port }],1]
Define Frontends for hitch
Default value: [{ 'host'=> '*', 'port'=> 443, }]
Data type: String[1]
Define Backend
Default value: '[127.0.0.1]:8443'
Data type: Array[Stdlib::Absolutepath,1]
PEM Files that will be loaded
Data type: Optional[String[1]]
Set the ssl-engine
Default value: undef
Data type: String[1]
allowed TLS Protos
Default value: 'TLSv1.2 TLSv1.3'
Data type: String[1]
allowed ciphers
Default value: 'EECDH+AESGCM:EDH+AESGCM'
Data type: String[1]
allowd cipersuites for TLS1.3+
Default value: 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
Data type: Variant[Enum['auto'],Integer[1,1024]]
number of workers
Default value: 'auto'
Data type: Integer[1]
Listen backlog size
Default value: 200
Data type: Integer[1]
Number of seconds a TCP socket is kept alive
Default value: 3600
Data type: Optional[Stdlib::Absolutepath]
Chroot directory
Default value: undef
Data type: String[1]
User to run as. If Hitch is started as root, it will insist on changing to a user with lower rights after binding to sockets.
Default value: 'hitch'
Data type: String[1]
If given, Hitch will change to this group after binding to listen sockets.
Default value: 'hitch'
Data type: Integer[0,2]
Log chattiness. 0=silence, 1=errors, 2=info/debug. This setting can also be changed at run-time by editing the configuration file followed by a reload (SIGHUP).
Default value: 1
Data type: Boolean
Send messages to syslog.
Default value: true
Data type: Stdlib::Syslogfacility
Set the syslog facility.
Default value: 'daemon'
Data type: Boolean
Run as daemon
Default value: true
Data type: Enum['ip','v1','v2','proxy']
Which Proxy mode is used
Default value: 'v2'
Data type: Boolean
Abort handshake when the client submits an unrecognized SNI server name.
Default value: false
Data type: Boolean
Enable TCP Fast Open.
Default value: false
Data type: String[1]
Comma separated list of protocols supported by the backend
Default value: 'h2,http/1.1'
Data type: Hash[String[1],Variant[String[1],Integer[1]]]
Add parameters additional as needed
Default value: {}
Installs Varnish
include 'varnish::install'class { 'varnish::install':
version => latest,
}The following parameters are available in the varnish::install class:
add_repomanage_firewallvarnish_listen_portpackage_namevarnish_enterprisevarnish_enterprise_vmods_extraversion
Data type: Boolean
if repo should be added
Default value: true
Data type: Boolean
if firewall should be managed
Default value: false
Data type: Stdlib::Port
port that varnish should listen to
Default value: 6081
Data type: Optional[String]
manually define package name for installation
Default value: undef
Data type: Boolean
If varnish enterprise packages should be installed
Default value: false
Data type: Boolean
if varnish enterprise extra vmods should also be installed
Default value: false
Data type: String
passed to puppet type 'package', attribute 'ensure'
Default value: 'present'
Allows setup of varnishncsa
The following parameters are available in the varnish::ncsa class:
Data type: Boolean
enable service
Default value: true
Data type: Stdlib::Ensure::Service
ensure serice
Default value: 'running'
Data type: String
Options handed to varnishncsa
Default value: '-a -w /var/log/varnish/varnishncsa.log -D -P /run/varnishncsa/varnishncsa.pid'
This class installs aditional repos for varnish
The following parameters are available in the varnish::repo class:
Data type: Optional[String]
Version of varnish for repo
Default value: undef
Data type: Boolean
If repo will be managed
Default value: false
Mounts shmlog as tempfs
class { 'varnish::shmlog':
tempfs => false,
}The following parameters are available in the varnish::shmlog class:
Data type: Stdlib::Absolutepath
directory where Varnish logs
Default value: '/var/lib/varnish'
Data type: Boolean
mount or not shmlog as tmpfs, boolean
Default value: true
Data type: String
size definition of shmlog tmpfs
Default value: '170M'
To change name/location of vcl file, use $varnish_vcl_conf in the main varnish class
NOTE: though you can pass config for backends, directors, acls, probes and selectors as parameters to this class, it is recommended to use existing definitions instead: varnish::backend varnish::director varnish::probe varnish::acl varnish::selector See README for details on how to use those
- Note VCL applies following restictions:
- if you define an acl it must be used
- if you define a probe it must be used
- if you define a backend it must be used
- if you define a director it must be used You cannot define 2 or more backends/directors and not to have selectors Not following above rules will result in VCL compilation failure
The following parameters are available in the varnish::vcl class:
functionsprobesbackendsdirectorsselectorsaclsblockedipsblockedbotsenable_wafpipe_uploadswafexceptionspurgeipsincludedirmanage_includescookiekeepsdefaultgracemin_cache_timestatic_cache_timegziptypestemplatelogrealiphonor_backend_ttlcond_requestsx_forwarded_protohttps_redirectdrop_stat_cookiescond_unset_cookiesunset_headersunset_headers_debugipsvcl_version
Data type: Hash
Hash of additional function definitions
Default value: {}
Data type: Hash
Hash of probes, defined as varnish::vcl::probe
Default value: {}
Data type: Hash
Hash of backends, defined as varnish::vcl::backend
Default value: { 'default' => { host => '127.0.0.1', port => 8080 } }
Data type: Hash
Hash of directors, defined as varnish::vcl::director
Default value: {}
Data type: Hash
Hash of selectors, defined as varnish::vcl::selector
Default value: {}
Data type: Hash
Hash of acls, defined as varnish::vcl::acl
Default value: {}
Data type: Array
Array of IP's that will be blocked with default VCL
Default value: []
Data type: Array
Array of UserAgent Bots that will be blocked
Default value: []
Data type: Boolean
controls VCL WAF component, can be true or false
Default value: false
Data type: Boolean
If the request is a post/put upload (chunked or multipart), pipe the request to the backend.
Default value: false
Data type: Array[String]
Exclude those rules
Default value: ['57' , '56' , '34']
Data type: Array[Stdlib::IP::Address]
source ips which are allowed to send purge requests
Default value: []
Data type: Stdlib::Absolutepath
Dir for includefiles
Default value: '/etc/varnish/includes'
Data type: Boolean
If Includes (and Subtypes like directors, probes,.. ) should be created
Default value: true
Data type: Array[String]
Cookies that should be kept for backend
Default value: ['__ac', '_ZopeId', 'captchasessionid', 'statusmessages', '__cp', 'MoodleSession']
Data type: Optional[String]
Default Grace time for Iptems
Default value: undef
Data type: String
Default Cache time
Default value: '60s'
Data type: String
Cache Time for static Elements like images,..
Default value: '5m'
Data type: Array[String]
Content Types that will be gziped
Default value: ['text/', 'application/xml', 'application/rss', 'application/xhtml', 'application/javascript', 'application/x-javascript']
Data type: Optional[String]
Overwrite Template for VCL
Default value: undef
Data type: Boolean
Create std.log entry with Real IP of client
Default value: false
Data type: Boolean
if Backend TTL will be honored
Default value: false
Data type: Boolean
if condtional requests are allowed
Default value: false
Data type: Boolean
If Header x-forwared-proto should be added to hash
Default value: false
Data type: Boolean
deprecated
Default value: false
Data type: Boolean
depretaced
Default value: true
Data type: Optional[String]
If condtion to unset all coockies
Default value: undef
Data type: Array[String]
Unset the named http headers
Default value: ['Via','X-Powered-By','X-Varnish','Server','Age','X-Cache']
Data type: Array[Stdlib::IP::Address]
Do not unset the named headers for the following IP's
Default value: ['172.0.0.1']
Data type: Varnish::Vclversion
Which version von VCL should be used
Default value: '4'
Defines an ACL Type of Varnish. Defined ACL's must be used in VCL
The following parameters are available in the varnish::vcl::acl defined type:
Data type: Varnish::VCL::Ressource
Name of ACL
Default value: $title
Data type: Array[Stdlib::IP::Address]
Array of defined Hosts
The varnish::vcl::acl_member class.
The following parameters are available in the varnish::vcl::acl_member defined type:
Data type: String[1]
Tag name of the varnish host that is collected
Data type: Varnish::VCL::Ressource
Name of the ACL that should be created
Data type: Stdlib::IP::Address
Host ip that will be inserted
Defines a Backend for VCL
The following parameters are available in the varnish::vcl::backend defined type:
hostportbackend_nameprobeconnect_timeoutfirst_byte_timeoutbetween_bytes_timeoutmax_connectionssslssl_snissl_verify_peerssl_verify_hosthost_headercertificate
Data type: Stdlib::Host
Host that will be defined as backend
Data type: Stdlib::Port
Port of the backend host
Data type: Varnish::VCL::Ressource
The actual backend name
Default value: $title
Data type: Optional[String]
Name of probe that will be used for healthcheck
Default value: undef
Data type: Optional[Variant[String[1],Integer]]
define varnish connect connect_timeout
Default value: undef
Data type: Optional[Variant[String[1],Integer]]
define varnish first_byte_timeout
Default value: undef
Data type: Optional[Variant[String[1],Integer]]
define varnish between_bytes_timeout
Default value: undef
Data type: Optional[Integer]
define varnish maximum number of connections to the backend
Default value: undef
Data type: Optional[Integer[0,1]]
varnish-plus: Set this true (1) to enable SSL/TLS for this backend.
Default value: undef
Data type: Optional[Integer[0,1]]
varnish-plus: Set this to false (0) to disable the use of the Server Name Indication (SNI) extension for backend TLS connections
Default value: undef
Data type: Optional[Integer[0,1]]
varnish-plus: Set this to false (0) to disable verification of the peer’s certificate chain.
Default value: undef
Data type: Optional[Integer[0,1]]
varnish-plus: Set this to true (1) to enable verification of the peer’s certificate identity
Default value: undef
Data type: Optional[String[1]]
varnish-plus: A host header to add to probes and regular backend requests if they have no such header
Default value: undef
Data type: Optional[String[1]]
varnish-plus: Specifies a client certificate to be used
Default value: undef
Defines a backend director in varnish vcl
The following parameters are available in the varnish::vcl::director defined type:
Data type: Varnish::VCL::Ressource
Name of the director
Default value: $title
Data type: String
Type of varnish backend director
Default value: 'round-robin'
Data type: Array[String]
Array of backends for the director, backends need to be defined as varnish::vcl:backend
Default value: []
Data type: Varnish::Vclversion
Version of vcl Language
Default value: $varnish::vcl::vcl_version
Defined probes must be used
The following parameters are available in the varnish::vcl::probe defined type:
Data type: Varnish::VCL::Ressource
Name of the probe
Default value: $title
Data type: String
Paramter as defined from varnish
Default value: '5s'
Data type: String
Paramter as defined from varnish
Default value: '5s'
Data type: String
Paramter as defined from varnish
Default value: '3'
Data type: String
Paramter as defined from varnish
Default value: '8'
Data type: String
The expected HTTP status, defaults to '200'
Default value: '200'
Data type: String
Directory where includefiles will be created
Default value: $varnish::vcl::includedir
Data type: Optional[String]
Paramter as defined from varnish
Default value: undef
Data type: Optional[Variant[String,Array[String]]]
Paramter as defined from varnish
Default value: undef
Depending on the condition, requests will be sent to the correct backend
The following parameters are available in the varnish::vcl::selector defined type:
Data type: String
Condtion under that varnish will redirect to the defined backend Must be valid VCL if conditon
Data type: String
Director that will be used for the requests
Default value: $name
Data type: Optional[String]
Rewrite Header X-Host to this value
Default value: undef
Data type: Optional[String]
rewrite URL to this URL
Default value: undef
Data type: Optional[String]
Instead of backend, sent redirect to this Baseurl
Default value: undef
Data type: Variant[String, Integer]
Order value for selector statements
Default value: '03'
Data type: Stdlib::Absolutepath
Directory for include files
Default value: $varnish::vcl::includedir
Data type: Varnish::Vclversion
Version of VCL Language
Default value: $varnish::vcl::vcl_version
Type for supported Agent Name of Controller Agent
Alias of Pattern[/\A(?i:([-a-z0-9]+))\z/]
Type for supported VCL Versions
Alias of Pattern[/^[A-Za-z0-9_]+$/]
Type for supported VCL Versions
Alias of Pattern[/\A(?i:(4))\z/]