
Varnish (4.0.1) fail to access website often request timeout


I have installed Varnish 4.0.1 on CentOS along with Apache 2.4.6. The problem is that I can't access the website. Have a look at the netstat below

[netstat screenshot not reproduced]

What else should I check to make it run as usual? Here is more config from httpd.conf

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 127.0.0.1:8080
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
ServerName example.my:8080

I followed a step-by-step guide from this website to modify SELinux, but I have undone that back to the previous value, which is disabled

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

and the tutorial also made me modify iptables; as above, I have reverted it to the original

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

and here is my default.vcl

# Default backend definition. Set this to point to your content server.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
    .max_connections = 15;
    .connect_timeout = 4.0s;
    .first_byte_timeout = 600s;
    .between_bytes_timeout = 600s;
}

and varnish.params

# Varnish environment configuration description. This was derived from
# the old style sysconfig/defaults settings

# Set this to 1 to make systemd reload try to switch vcl without restart.
RELOAD_VCL=1

# Main configuration file. You probably want to change it.
VARNISH_VCL_CONF=/etc/varnish/default.vcl

# Default address and port to bind to. Blank address means all IPv4
# and IPv6 interfaces, otherwise specify a host name, an IPv4 dotted
# quad, or an IPv6 address in brackets.
#VARNISH_LISTEN_ADDRESS=127.0.0.1
VARNISH_LISTEN_PORT=80

# Admin interface listen address and port
VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
VARNISH_ADMIN_LISTEN_PORT=6082

# Shared secret file for admin interface
VARNISH_SECRET_FILE=/etc/varnish/secret

# Backend storage specification, see Storage Types in the varnishd(5)
# man page for details.
#VARNISH_STORAGE="file,/var/lib/varnish/varnish_storage.bin,1G"
VARNISH_STORAGE="malloc,256m"

# Default TTL used when the backend does not specify one
VARNISH_TTL=120

# User and group for the varnishd worker processes
VARNISH_USER=varnish
VARNISH_GROUP=varnish

# Other options, see the man page varnishd(1)
#DAEMON_OPTS="-a :80 -p thread_pool_min=5 -p thread_pool_max=500 -p thread_pool_timeout=300"

access_log in the httpd folder

127.0.0.1 - - [19/Dec/2014:10:10:29 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
127.0.0.1 - - [19/Dec/2014:10:10:29 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
127.0.0.1 - - [19/Dec/2014:10:10:29 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
127.0.0.1 - - [19/Dec/2014:11:08:39 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
127.0.0.1 - - [19/Dec/2014:11:08:39 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
127.0.0.1 - - [19/Dec/2014:11:08:39 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
127.0.0.1 - - [19/Dec/2014:11:08:39 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
127.0.0.1 - - [19/Dec/2014:11:08:39 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
127.0.0.1 - - [19/Dec/2014:11:24:16 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
127.0.0.1 - - [19/Dec/2014:11:24:16 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
127.0.0.1 - - [19/Dec/2014:11:24:16 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"

and here is what I found in error_log

[Fri Dec 19 11:50:38.318727 2014] [mpm_prefork:notice] [pid 8182] AH00170: caught SIGWINCH, shutting down gracefully
[Fri Dec 19 11:50:39.495826 2014] [suexec:notice] [pid 8610] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Dec 19 11:50:39.587231 2014] [mpm_prefork:notice] [pid 8610] AH00163: Apache/2.4.6 (CentOS) configured -- resuming normal operations
[Fri Dec 19 11:50:39.587286 2014] [core:notice] [pid 8610] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

here is the varnishstat output

Uptime mgt:   0+00:25:46
Uptime child: 0+00:25:46

  NAME                                                                                            CURRENT       CHANGE      AVERAGE       AVG_10      AVG_100     AVG_1000
MAIN.uptime                                                                                          1546         1.00         1.00         1.00         1.00         1.00
MAIN.pools                                                                                              2         0.00          .           2.00         2.00         2.00
MAIN.threads                                                                                          200         0.00          .         200.00       200.00       200.00
MAIN.threads_created                                                                                  200         0.00          .           0.00         0.00         0.00
MAIN.n_backend                                                                                          1         0.00          .           1.00         1.00         1.00
MAIN.n_vcl                                                                                              1         0.00          .           0.00         0.00         0.00
MAIN.bans                                                                                               1         0.00          .           1.00         1.00         1.00
MGT.uptime                                                                                           1546         1.00         1.00         1.00         1.00         1.00
SMA.s0.g_space                                                                                  268435456         0.00          .   268435456.00 268435456.00 268435456.00

What else do I have to check? Appreciate your help on this. Thanks


Solution

  • You need to allow traffic from the Internet to port 80. Edit the iptables config as follows:

    # sample configuration for iptables service
    # you can edit this manually or use system-config-firewall
    # please do not ask us to add additional ports/services to this default configuration
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    

    That is, add -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT below the line -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

    Then restart iptables or reload the config.
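The answer hinges on where the new ACCEPT line sits: iptables evaluates INPUT rules top to bottom, so an ACCEPT placed below the catch-all REJECT never matches. The script below is an added example, not part of the original question or answer; it parses rulesets in the /etc/sysconfig/iptables format shown above (constructed here from the question, not captured from a real host) and reports whether a port is reachable before the catch-all, including the case where port 80 was appended too late and the check that the Apache backend port 8080 stays closed from outside.

```sh
#!/bin/sh
# Added example (not from the original question or answer): check a saved iptables
# ruleset (the /etc/sysconfig/iptables format shown above, or `iptables-save` output)
# for whether NEW TCP connections to a port are accepted on INPUT. Rule order matters:
# an ACCEPT appended after the catch-all "-A INPUT -j REJECT" is never reached.
# port_allowed PORT   (ruleset on stdin; exit 0 if accepted before the catch-all)
port_allowed() {
  awk -v port="$1" '
    /^-A INPUT / {
      # an explicit TCP ACCEPT for exactly this port wins
      if ($0 ~ "-p tcp" && $0 ~ ("--dport " port "( |$)") && $0 ~ "-j ACCEPT") { ok = 1; exit }
      # any port-agnostic REJECT/DROP is treated as the catch-all: stop here
      if ($0 ~ "-j (REJECT|DROP)" && $0 !~ "--dport") exit
    }
    END { if (ok) exit 0; exit 1 }'
}

# Constructed rulesets based on the question (not captured from a real host)
RULES_ORIG='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'
RULES_FIXED='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'
# Common mistake: "iptables -A INPUT ... --dport 80 -j ACCEPT" appends below the REJECT
RULES_LATE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
COMMIT'

# report NAME PORT RULES: print a verdict (always returns 0)
report() {
  if printf '%s\n' "$3" | port_allowed "$2"; then echo "$1: port $2 reachable"
  else echo "$1: port $2 blocked (no ACCEPT before the catch-all REJECT)"; fi
}
report original 80   "$RULES_ORIG"   # blocked: this is the asker's situation
report fixed    80   "$RULES_FIXED"  # reachable: Varnish on :80 is open
report late     80   "$RULES_LATE"   # blocked: ACCEPT sits below the REJECT
report fixed    8080 "$RULES_FIXED"  # blocked: the Apache backend stays loopback-only
```

On a live host the same check runs as `iptables-save | port_allowed 80`; the "late" case is what you get after `iptables -A` on a chain that already ends in REJECT, which is why the answer says to add the line above the REJECT rather than append it.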