Ever since I started maintaining a free public IP address blocklist listing sources of brute-force attacks I am seeing and putting the list up on the lighttpd web-server for anyone to use, there has been a remarkable growth of traffic that lighttpd is being asked to service.
This blocklist is based on the jail contents of fail2ban, generated hourly from fail2ban jails using a cron job, that I describe here. My fail2ban setup including automated reporting to blocklist.de over email is documented here.
Though lighttpd is not overwhelmed yet, I decided to take some load off it and put a varnish server-side cache before it, working purely off an in-memory cache since all the web-server does is provide a static page and a hourly-updated bloc-klist.
With Varnish cache delivering web pages from memory, a load test via loader.io shows 57 milliseconds average response time with 0.0 % error rate for 100 to 250 clients over 1 minute. The varnishtop screenshot at the top was taken during this test.
It took some effort to configure varnish http cache to get it to work. Here are the configuration files for varnish reverse cache and lighttpd that I am using.
My lighttpd configuration gets lighttpd to bind to and listen on the localhost (127.0.0.1) IP address on port 65481. Varnishd uses this local lighttpd server and port as the backend and serves HTTP requests from external clients on the usual port 80 on the internet-facing interfaces.
The varnish configuration below is generic, i.e. it has no dependency on lighttpd - any httpd will work as the backend of Varnish as long as Varnish knows what IP and Port Number to use as the backend.
I am using varnish version 4.0.3 and lighttpd version 1.4.41.
# varnishd -V
varnishd (varnish-4.0.3 revision b8c4a34)
Copyright (c) 2006 Verdens Gang AS
Copyright (c) 2006-2014 Varnish Software AS
# lighttpd -V
lighttpd/1.4.41 (ssl) - a light and fast webserver
Build-Date: Aug 1 2016 14:19:06
Varnish 4.0 Configuration
/etc/varnish/default.vcl
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -- | |
| # /etc/varnish/default.vcl | |
| # Minimal working Varnish 4.0 Configuration to serve static-only website pages from lighttpd backend | |
| # From "Simple Basic Working VARNISH 4.0 Configuration: default.vcl and varnish.params for a functional web server cache" | |
| # http://supratim-sanyal.blogspot.com/2016/09/simple-basic-working-varnish-40.html | |
| # -- | |
| vcl 4.0; | |
| backend default { | |
| .host = "127.0.0.1"; | |
| .port = "65481"; | |
| .connect_timeout = 15s; | |
| .first_byte_timeout = 30s; | |
| .between_bytes_timeout = 5s; | |
| .probe = { | |
| .request = | |
| "HEAD / HTTP/1.1" | |
| "Host: 127.0.0.1:65481" | |
| "Connection: close"; | |
| .interval = 3600s; # probe backend every hour | |
| .timeout = 15s; | |
| .window = 40; | |
| .threshold = 38; | |
| .initial = 38; | |
| } | |
| } | |
| sub vcl_recv { | |
| # Uncomment if Redirecting to https. | |
| #if (req.http.host ~ "^(?i)[wwww\.]?abadcer\.com$" && req.http.X-Forwarded-Proto != "https") { | |
| # set req.http.x-redir = "https://" + req.http.host + req.url; | |
| # return(synth(850, "Moved permanently")); | |
| #} | |
| # do not cache streams or big files for download | |
| if (req.url ~ "^[^?]*\.(mp[34]|iso|rar|tar|tgz|gz|wav|zip|bz2|xz|7z|avi|mov|ogm|mpe?g|mk[av]|webm)(\?.*)?$") { | |
| return (pipe); | |
| } | |
| # Strip off cookies in request for my static website | |
| if (req.url ~ "(?i)\.(?:css|gif|html|ico|jpeg|jpg|js|json|png|swf|txt|woff)(?:\?.*)?$") { | |
| unset req.http.cookie; | |
| } | |
| } | |
| sub vcl_backend_response { | |
| # Strip off cookies in response for my static website | |
| if (bereq.url ~ "(?i)\.(?:css|gif|html|ico|jpeg|jpg|js|json|png|swf|txt|woff)(?:\?.*)?$") { | |
| unset beresp.http.set-cookie; | |
| } | |
| # Enable compression on suitable content types | |
| if (beresp.http.content-type ~ "(text|javascript|json|plain|xml)") { | |
| set beresp.do_gzip = true; | |
| } | |
| # The returned content is browser-agnostic; strip any http vary indicators in the response | |
| if (beresp.http.Vary ~ "User-Agent") { | |
| set beresp.http.Vary = regsuball(beresp.http.Vary, ",? *User-Agent *", ""); | |
| set beresp.http.Vary = regsub(beresp.http.Vary, "^, *", ""); | |
| if (beresp.http.Vary == "") { | |
| unset beresp.http.Vary; | |
| } | |
| } | |
| # Cache expiry after an hour (The blocklist is updated every hour), but only for normal HTTP responses | |
| if (beresp.status < 400 ) { | |
| set beresp.ttl = 60m; | |
| return(deliver); | |
| } | |
| } #end vcl_backend_response | |
| # Corresponding to commented out https redirection condition at top | |
| #sub vcl_synth { | |
| # if (resp.status == 850) { | |
| # set resp.http.Location = req.http.x-redir; | |
| # set resp.status = 302; | |
| # return (deliver); | |
| # } | |
| #} |
/etc/varnish/varnish.params
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -- | |
| # /etc/varnish/varnish.params | |
| # Minimal working Varnish 4.0 Configuration to serve static-only website pages from lighttpd backend | |
| # From "Simple Basic Working VARNISH 4.0 Configuration: default.vcl and varnish.params for a functional web server cache" | |
| # http://supratim-sanyal.blogspot.com/2016/09/simple-basic-working-varnish-40.html | |
| # -- | |
| # Varnish environment configuration description. This was derived from | |
| # the old style sysconfig/defaults settings | |
| # Set this to 1 to make systemd reload try to switch vcl without restart. | |
| RELOAD_VCL=1 | |
| # Main configuration file. You probably want to change it. | |
| VARNISH_VCL_CONF=/etc/varnish/default.vcl | |
| # Default address and port to bind to. Blank address means all IPv4 | |
| # and IPv6 interfaces, otherwise specify a host name, an IPv4 dotted | |
| # quad, or an IPv6 address in brackets. | |
| #VARNISH_LISTEN_ADDRESS=192.168.1.5 | |
| #VARNISH_LISTEN_PORT=6081 | |
| VARNISH_LISTEN_ADDRESS=sanyalnet-cloud-vps.freeddns.org | |
| VARNISH_LISTEN_PORT=80 | |
| # Admin interface listen address and port | |
| VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1 | |
| VARNISH_ADMIN_LISTEN_PORT=6082 | |
| # Shared secret file for admin interface | |
| VARNISH_SECRET_FILE=/etc/varnish/secret | |
| # Backend storage specification, see Storage Types in the varnishd(5) | |
| # man page for details. | |
| #VARNISH_STORAGE="file,/var/lib/varnish/varnish_storage.bin,1G" | |
| #VARNISH_STORAGE="file,/var/lib/varnish/varnish_storage.bin,1M" | |
| VARNISH_STORAGE="malloc,1M" | |
| # Default TTL used when the backend does not specify one | |
| #VARNISH_TTL=120 | |
| VARNISH_TTL=30 | |
| # User and group for the varnishd worker processes | |
| VARNISH_USER=varnish | |
| VARNISH_GROUP=varnish | |
| # Other options, see the man page varnishd(1) | |
| #DAEMON_OPTS="-p thread_pool_min=5 -p thread_pool_max=500 -p thread_pool_timeout=300" |
Lighttpd Configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ####################################################################### | |
| ## | |
| ## /etc/lighttpd/lighttpd.conf | |
| ## Minimal working Varnish 4.0 Configuration to serve static-only website pages from lighttpd backend | |
| ## From "Simple Basic Working VARNISH 4.0 Configuration: default.vcl and varnish.params for a functional web server cache" | |
| ## http://supratim-sanyal.blogspot.com/2016/09/simple-basic-working-varnish-40.html | |
| ## | |
| ## check /etc/lighttpd/conf.d/*.conf for the configuration of modules. | |
| ## | |
| ####################################################################### | |
| ####################################################################### | |
| ## | |
| ## Some Variable definition which will make chrooting easier. | |
| ## | |
| ## if you add a variable here. Add the corresponding variable in the | |
| ## chroot example aswell. | |
| ## | |
| var.log_root = "/var/log/lighttpd" | |
| #var.server_root = "/var/www" | |
| var.server_root = "/var/www/lighttpd" | |
| var.state_dir = "/var/run" | |
| var.home_dir = "/var/lib/lighttpd" | |
| var.conf_dir = "/etc/lighttpd" | |
| ## | |
| ## run the server chrooted. | |
| ## | |
| ## This requires root permissions during startup. | |
| ## | |
| ## If you run Chrooted set the the variables to directories relative to | |
| ## the chroot dir. | |
| ## | |
| ## example chroot configuration: | |
| ## | |
| #var.log_root = "/logs" | |
| #var.server_root = "/" | |
| #var.state_dir = "/run" | |
| #var.home_dir = "/lib/lighttpd" | |
| #var.vhosts_dir = "/vhosts" | |
| #var.conf_dir = "/etc" | |
| # | |
| #server.chroot = "/srv/www" | |
| ## | |
| ## Some additional variables to make the configuration easier | |
| ## | |
| ## | |
| ## Base directory for all virtual hosts | |
| ## | |
| ## used in: | |
| ## conf.d/evhost.conf | |
| ## conf.d/simple_vhost.conf | |
| ## vhosts.d/vhosts.template | |
| ## | |
| var.vhosts_dir = server_root + "/vhosts" | |
| ## | |
| ## Cache for mod_compress | |
| ## | |
| ## used in: | |
| ## conf.d/compress.conf | |
| ## | |
| var.cache_dir = "/var/cache/lighttpd" | |
| ## | |
| ## Base directory for sockets. | |
| ## | |
| ## used in: | |
| ## conf.d/fastcgi.conf | |
| ## conf.d/scgi.conf | |
| ## | |
| var.socket_dir = home_dir + "/sockets" | |
| ## | |
| ####################################################################### | |
| ####################################################################### | |
| ## | |
| ## Load the modules. | |
| include "modules.conf" | |
| ## | |
| ####################################################################### | |
| ####################################################################### | |
| ## | |
| ## Basic Configuration | |
| ## --------------------- | |
| ## | |
| #server.port = 80 | |
| # we are varnish backend | |
| server.port = 65481 | |
| ## | |
| ## Use IPv6? | |
| ## | |
| #server.use-ipv6 = "enable" | |
| server.use-ipv6 = "disable" | |
| ## | |
| ## bind to a specific IP | |
| ## | |
| #server.bind = "sanyalnet-cloud-vps.freeddns.org" | |
| # we are varnish backend | |
| server.bind = "127.0.0.1" | |
| ## | |
| ## Run as a different username/groupname. | |
| ## This requires root permissions during startup. | |
| ## | |
| server.username = "lighttpd" | |
| server.groupname = "lighttpd" | |
| ## | |
| ## enable core files. | |
| ## | |
| #server.core-files = "disable" | |
| ## | |
| ## Document root | |
| ## | |
| #server.document-root = server_root + "/htdocs" | |
| server.document-root = server_root | |
| ## | |
| ## The value for the "Server:" response field. | |
| ## | |
| ## It would be nice to keep it at "lighttpd". | |
| ## | |
| #server.tag = "lighttpd" | |
| server.tag = "sanyalnet-cloud-vps.freeddns.org private hobbyist http server" | |
| ## | |
| ## store a pid file | |
| ## | |
| server.pid-file = state_dir + "/lighttpd.pid" | |
| ## | |
| ####################################################################### | |
| ####################################################################### | |
| ## | |
| ## Logging Options | |
| ## ------------------ | |
| ## | |
| ## all logging options can be overwritten per vhost. | |
| ## | |
| ## Path to the error log file | |
| ## | |
| server.errorlog = log_root + "/error.log" | |
| ## | |
| ## If you want to log to syslog you have to unset the | |
| ## server.errorlog setting and uncomment the next line. | |
| ## | |
| #server.errorlog-use-syslog = "enable" | |
| ## | |
| ## Access log config | |
| ## | |
| include "conf.d/access_log.conf" | |
| ## | |
| ## The debug options are moved into their own file. | |
| ## see conf.d/debug.conf for various options for request debugging. | |
| ## | |
| include "conf.d/debug.conf" | |
| ## | |
| ####################################################################### | |
| ####################################################################### | |
| ## | |
| ## Tuning/Performance | |
| ## -------------------- | |
| ## | |
| ## corresponding documentation: | |
| ## http://www.lighttpd.net/documentation/performance.html | |
| ## | |
| ## set the event-handler (read the performance section in the manual) | |
| ## | |
| ## possible options on linux are: | |
| ## | |
| ## select | |
| ## poll | |
| ## linux-sysepoll | |
| ## | |
| ## linux-sysepoll is recommended on kernel 2.6. | |
| ## | |
| server.event-handler = "linux-sysepoll" | |
| ## | |
| ## The basic network interface for all platforms at the syscalls read() | |
| ## and write(). Every modern OS provides its own syscall to help network | |
| ## servers transfer files as fast as possible | |
| ## | |
| ## sendfile - is recommended for small files. | |
| ## writev - is recommended for sending many large files | |
| ## | |
| server.network-backend = "sendfile" | |
| ## | |
| ## As lighttpd is a single-threaded server, its main resource limit is | |
| ## the number of file descriptors, which is set to 1024 by default (on | |
| ## most systems). | |
| ## | |
| ## If you are running a high-traffic site you might want to increase this | |
| ## limit by setting server.max-fds. | |
| ## | |
| ## Changing this setting requires root permissions on startup. see | |
| ## server.username/server.groupname. | |
| ## | |
| ## By default lighttpd would not change the operation system default. | |
| ## But setting it to 2048 is a better default for busy servers. | |
| ## | |
| ## With SELinux enabled, this is denied by default and needs to be allowed | |
| ## by running the following once : setsebool -P httpd_setrlimit on | |
| server.max-fds = 2048 | |
| ## | |
| ## Stat() call caching. | |
| ## | |
| ## lighttpd can utilize FAM/Gamin to cache stat call. | |
| ## | |
| ## possible values are: | |
| ## disable, simple or fam. | |
| ## | |
| server.stat-cache-engine = "simple" | |
| ## | |
| ## Fine tuning for the request handling | |
| ## | |
| ## max-connections == max-fds/2 (maybe /3) | |
| ## means the other file handles are used for fastcgi/files | |
| ## | |
| server.max-connections = 1024 | |
| ## | |
| ## How many seconds to keep a keep-alive connection open, | |
| ## until we consider it idle. | |
| ## | |
| ## Default: 5 | |
| ## | |
| #server.max-keep-alive-idle = 5 | |
| ## | |
| ## How many keep-alive requests until closing the connection. | |
| ## | |
| ## Default: 16 | |
| ## | |
| #server.max-keep-alive-requests = 16 | |
| ## | |
| ## Maximum size of a request in kilobytes. | |
| ## By default it is unlimited (0). | |
| ## | |
| ## Uploads to your server cant be larger than this value. | |
| ## | |
| #server.max-request-size = 0 | |
| ## | |
| ## Time to read from a socket before we consider it idle. | |
| ## | |
| ## Default: 60 | |
| ## | |
| #server.max-read-idle = 60 | |
| ## | |
| ## Time to write to a socket before we consider it idle. | |
| ## | |
| ## Default: 360 | |
| ## | |
| #server.max-write-idle = 360 | |
| ## | |
| ## Traffic Shaping | |
| ## ----------------- | |
| ## | |
| ## see /usr/share/doc/lighttpd/traffic-shaping.txt | |
| ## | |
| ## Values are in kilobyte per second. | |
| ## | |
| ## Keep in mind that a limit below 32kB/s might actually limit the | |
| ## traffic to 32kB/s. This is caused by the size of the TCP send | |
| ## buffer. | |
| ## | |
| ## per server: | |
| ## | |
| #server.kbytes-per-second = 128 | |
| ## | |
| ## per connection: | |
| ## | |
| #connection.kbytes-per-second = 32 | |
| ## | |
| ####################################################################### | |
| ####################################################################### | |
| ## | |
| ## Filename/File handling | |
| ## ------------------------ | |
| ## | |
| ## files to check for if .../ is requested | |
| ## index-file.names = ( "index.php", "index.rb", "index.html", | |
| ## "index.htm", "default.htm" ) | |
| ## | |
| index-file.names = ("index.html") | |
| ## | |
| ## deny access the file-extensions | |
| ## | |
| ## ~ is for backupfiles from vi, emacs, joe, ... | |
| ## .inc is often used for code includes which should in general not be part | |
| ## of the document-root | |
| url.access-deny = ( "~", ".inc" ) | |
| ## | |
| ## disable range requests for pdf files | |
| ## workaround for a bug in the Acrobat Reader plugin. | |
| ## | |
| $HTTP["url"] =~ "\.pdf$" { | |
| server.range-requests = "disable" | |
| } | |
| ## | |
| ## url handling modules (rewrite, redirect) | |
| ## | |
| #url.rewrite = ( "^/$" => "/server-status" ) | |
| #url.redirect = ( "^/wishlist/(.+)" => "http://www.example.com/$1" ) | |
| ## | |
| ## both rewrite/redirect support back reference to regex conditional using %n | |
| ## | |
| #$HTTP["host"] =~ "^www\.(.*)" { | |
| # url.redirect = ( "^/(.*)" => "http://%1/$1" ) | |
| #} | |
| ## | |
| ## which extensions should not be handle via static-file transfer | |
| ## | |
| ## .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgi | |
| ## | |
| #static-file.exclude-extensions = ( ".php", ".pl", ".fcgi", ".scgi" ) | |
| # Static Files Only for this server | |
| static-file.exclude-extensions = () | |
| ## | |
| ## error-handler for status 404 | |
| ## | |
| #server.error-handler-404 = "/error-handler.html" | |
| #server.error-handler-404 = "/error-handler.php" | |
| ## | |
| ## Format: <errorfile-prefix><status-code>.html | |
| ## -> ..../status-404.html for 'File not found' | |
| ## | |
| #server.errorfile-prefix = "/srv/www/htdocs/errors/status-" | |
| ## | |
| ## mimetype mapping | |
| ## | |
| include "conf.d/mime.conf" | |
| ## | |
| ## directory listing configuration | |
| ## | |
| include "conf.d/dirlisting.conf" | |
| ## | |
| ## Should lighttpd follow symlinks? | |
| ## | |
| server.follow-symlink = "enable" | |
| ## | |
| ## force all filenames to be lowercase? | |
| ## | |
| #server.force-lowercase-filenames = "disable" | |
| ## | |
| ## defaults to /var/tmp as we assume it is a local harddisk | |
| ## | |
| server.upload-dirs = ( "/var/tmp" ) | |
| ## | |
| ####################################################################### | |
| ####################################################################### | |
| ## | |
| ## SSL Support | |
| ## ------------- | |
| ## | |
| ## To enable SSL for the whole server you have to provide a valid | |
| ## certificate and have to enable the SSL engine.:: | |
| ## | |
| ## ssl.engine = "enable" | |
| ## ssl.pemfile = "/path/to/server.pem" | |
| ## | |
| ## The HTTPS protocol does not allow you to use name-based virtual | |
| ## hosting with SSL. If you want to run multiple SSL servers with | |
| ## one lighttpd instance you must use IP-based virtual hosting: :: | |
| ## | |
| ## Mitigate CVE-2009-3555 by disabling client triggered renegotation | |
| ## This is enabled by default. | |
| ## | |
| ## IMPORTANT: this setting can only be used in the global scope. | |
| ## It does *not* work inside conditionals | |
| ## | |
| # ssl.disable-client-renegotiation = "enable" | |
| ## | |
| ## $SERVER["socket"] == "10.0.0.1:443" { | |
| ## ssl.engine = "enable" | |
| ## ssl.pemfile = "/etc/ssl/private/www.example.com.pem" | |
| ## # | |
| ## # (Following SSL/TLS Deployment Best Practices 1.3 / 17 September 2013 from: | |
| ## # https://www.ssllabs.com/projects/best-practices/index.html) | |
| ## # - BEAST is considered mitigaed on client side now, and new weaknesses have been found in RC4, | |
| ## # so it is strongly advised to disable RC4 ciphers (HIGH doesn't include RC4) | |
| ## # - It is recommended to disable 3DES too (although disabling RC4 and 3DES breaks IE6+8 on Windows XP, | |
| ## # so you might want to support 3DES for now - just remove the '!3DES' parts below). | |
| ## # - The examples below prefer ciphersuites with "Forward Secrecy" (and ECDHE over DHE (alias EDH)), remove '+kEDH +kRSA' | |
| ## # if you don't want that. | |
| ## # - SRP and PSK are not supported anyway, excluding those ('!kSRP !kPSK') just keeps the list smaller (easier to review) | |
| ## # Check your cipher list with: openssl ciphers -v '...' (use single quotes as your shell won't like ! in double quotes) | |
| ## # | |
| ## # If you know you have RSA keys (standard), you can use: | |
| ## ssl.cipher-list = "PROFILE=SYSTEM" | |
| ## # The more generic version (without the restriction to RSA keys) is | |
| ## # ssl.cipher-list = "HIGH !aNULL !3DES +kEDH +kRSA !kSRP !kPSK" | |
| ## # | |
| ## # Make the server prefer the order of the server side cipher suite instead of the client suite. | |
| ## # This option is enabled by default, but only used if ssl.cipher-list is set. | |
| ## # | |
| ## # ssl.honor-cipher-order = "enable" | |
| ## # | |
| ## server.name = "www.example.com" | |
| ## | |
| ## server.document-root = "/srv/www/vhosts/example.com/www/" | |
| ## } | |
| ## | |
| ## If you have a .crt and a .key file, cat them together into a | |
| ## single PEM file: | |
| ## $ cat /etc/ssl/private/lighttpd.key /etc/ssl/certs/lighttpd.crt \ | |
| ## > /etc/ssl/private/lighttpd.pem | |
| ## | |
| #ssl.pemfile = "/etc/ssl/private/lighttpd.pem" | |
| ## | |
| ## optionally pass the CA certificate here. | |
| ## | |
| ## | |
| #ssl.ca-file = "" | |
| ## | |
| ####################################################################### | |
| ####################################################################### | |
| ## | |
| ## custom includes like vhosts. | |
| ## | |
| #include "conf.d/config.conf" | |
| #include_shell "cat /etc/lighttpd/vhosts.d/*.conf" | |
| ## | |
| ####################################################################### |
No comments:
Post a Comment
"SEO" link builders: move on, your spam link will not get posted.
Note: Only a member of this blog may post a comment.