[Setup] CacheFu - Varnish

Ricardo Newbery ric at digitalmarbles.com
Wed Mar 5 01:12:52 UTC 2008


On Mar 4, 2008, at 3:18 PM, Ricardo Newbery wrote:

>
> On Mar 4, 2008, at 3:06 PM, g.sharpe wrote:
>
>> Should I be running varnish as root?  I'm not finding much by
>> way of documentation on the varnish website.  I noticed in the CacheFu
>> deploy scripts, a "varnish_user" is given appropriate privileges to
>> the vcl, etc.  However, I don't see where this "varnish_user" is
>> created or defined (no reference in makeconfig.cfg).
>>
>> Gary Sharpe
>
>
>
> In the makeconfig.cfg, the "varnish_user" is called just "user".   
> Now that you brought this up, it occurs to me that the makeconfig  
> script probably shouldn't change the name during processing as it  
> may be a bit confusing if you're trying to figure out what's  
> happening in the templates.
>
> In the Squid configs, we do something similar.  The makeconfig.cfg  
> allows you to set a value for "user" but processing renames this to  
> "squid_user".
>
> With regard to what value should be used for "user", this depends on  
> what port you need Varnish to bind to.  In order to bind to ports  
> lower than 1024, Unix systems require the process to run as  
> "root" (this is not the case for Windows systems -- which results in  
> some serious security implications).  So if you wish your Varnish to  
> respond to requests on the standard HTTP port 80, you need to start  
> it up as root.  However, again for security reasons, Varnish will  
> attempt to drop privileges as soon as the port has been bound.   
> That's what the "user" field is for -- after binding to port 80, the  
> Varnish child process will then continue on running with the  
> permissions of this other, hopefully less-privileged, user.
>
> If instead Varnish is bound to a less-privileged port like port  
> 8000, which might be the case for a Zope-Varnish-Apache setup, then  
> this is less important.  But makeconfig still needs to know the  
> "user" that will launch Varnish to make sure that Varnish has the  
> proper read/write privileges for the configs and cache storage.
>
> The Squid install works the same way.  And so does Zope, where this  
> is governed by the "effective-user" directive in zope.conf.
>
> Ric



Forgot to mention that in both cases, if user is not specified, Squid  
and Varnish will default to "nobody" as the user to switch to after  
starting up as root.

Ric