Putting Varnish In Front Of Apache On Ubuntu/Debian

Version 1.0, 15-10-2010
Follow me on Twitter

Varnish is an open source "web accelerator" which you can use to speed up your website.

It can cache certain static elements, such as images or javascript but you can also use it for other purposes such as Loadbalancing or some additional security.

In this tutorial we will focus on the latter one.
In this mode, Varnish will stop incomplete HTTP requests from reaching your Apache webserver.

This tutorial is built on Ubuntu, but will probably also work on Debian.

First of all, make sure you are running Apache2 and have it configured.


Installing Varnish

This is rather easy, since it is in the Ubuntu repository. However, you might want to use the Varnish repository to make sure you have a more recent version. To add this one, execute this:

sudo curl http://repo.varnish-cache.org/debian/GPG-key.txt | apt-key add -

sudo echo "deb http://repo.varnish-cache.org/debian/ $(lsb_release -s -c) varnish-2.1" >> /etc/apt/sources.list

Update APT and install Varnish:

sudo apt-get update
sudo apt-get install varnish

Great, now you have Varnish but we still need to configure it.


Changing Varnish settings

First, we have to change the default port. Edit /etc/default/varnish:

vim /etc/default/varnish

Scroll down a bit, until you find an uncommented line starting with "DAEMON_OPTS".
- Change *:6081 to *:80 so it will listen on the default HTTP port.
- edit default.vcl to something else, I took "mysite.vcl".

Save the file.

Edit the VCL file you mentioned in the previous file. In my case, I'll be editing /etc/varnish/mysite.vcl. Paste the following contents:

## Redirect requests to Apache, running on port 8000 on localhost
backend apache {
        .host = "";
        .port = "8000";
## Fetch
sub vcl_fetch {
		## Remove the X-Forwarded-For header if it exists.
        remove req.http.X-Forwarded-For;
		## insert the client IP address as X-Forwarded-For. This is the normal IP address of the user.
        set    req.http.X-Forwarded-For = req.http.rlnclientipaddr;
		## Added security, the "w00tw00t" attacks are pretty annoying so lets block it before it reaches our webserver
        if (req.url ~ "^/w00tw00t") {
                error 403 "Not permitted";
		## Deliver the content

## Deliver
sub vcl_deliver {
		## We'll be hiding some headers added by Varnish. We want to make sure people are not seeing we're using Varnish.
              ## Since we're not caching (yet), why bother telling people we use it?
        remove resp.http.X-Varnish;
        remove resp.http.Via;
        remove resp.http.Age;
		## We'd like to hide the X-Powered-By headers. Nobody has to know we can run PHP and have version xyz of it.
        remove resp.http.X-Powered-By;

Save the file. All right, that was the Varnish part. Do not start it yet.


Changing Apache settings

OK, so we have to let Apache2 listen on localhost. For this, there are a few small changes required.

vim /etc/apache2/ports.conf


NameVirtualHost *:80
Listen 80


NameVirtualHost *:8000

Apache will listen on that port. You will have to edit your vhosts as well. Open your vhost(s) and replace

<VirtualHost *:80>


<VirtualHost *:8000>

So far so good. We now have to install an extra Apache module to make sure the IP address of the user ends up correct. Since Varnish is basically talking with Apache2, you would see as visitor IP.

apt-get install libapache2-mod-rpaf

The RPAF (Reverse Proxy Add Forward) module will make sure the IP of will be replaced with the IP set in X-Forwarded-For set by Varnish.


Restart daemons

Restart Apache:

/etc/init.d/apache2 restart

Check if it is bound to the correct IP/Port by executing:

netstat -lp | grep apache2

If you see:

tcp        0      0 localhost:8000          *:*                     LISTEN      4586/apache2

This is correct. Otherwise, you made a mistake. All right, so now we have to restart Varnish to let it listen on port 80.

/etc/init.d/varnish restart

We check this again by executing:

netstat -lp | grep varnish

The result will be:

tcp        0      0 *:www                   *:*                     LISTEN      4498/varnishd
tcp6       0      0 [::]:www                [::]:*                  LISTEN      4498/varnishd

(Yes, varnish also listens on any IPv6 address).

So.. Now we have placed Varnish in front of Apache2. We can test if the site still works by simply visiting it. You will see the site, just as nothing happened. You can test this further by shutting down apache. You will then see a Varnish error page.


Bonus features

Well, you might want to change the HTTP servername from "Apache" to something else. This can be done by editing your VCL file, located in /etc/varnish. After:

sub vcl_fetch {


## Remove the http.Server header
unset obj.http.Server;
## Change the http.Server header to something else
set obj.http.Server = "Incognito";

Obviously you can make it look like whatever you want. Yourdomain.com for example. Please note that all the domains on this server will use the same servername.

Well, that's all. You now have a reverse proxy in front of your Apache!
With a bit of tweaking, you can let it cache or loadbalance.

Share this page:

Suggested articles

19 Comment(s)

Add comment


By: torstenzenk

This HowTo works like a charm on Debian Lenny. Thank you VERY much for the effort you have put into it!


Best Regards


By: Torsten Zenk

If you ever get a memory locked error like the one below and varnish won't start, have a look at the mysite.vcl file:


myservername:/etc/varnish$ sudo /etc/init.d/varnish restart
Starting HTTP accelerator: varnishd failed!
Running VCC-compiler failed, exit 1
VCL compilation failed
storage_file: filename: /var/lib/varnish/myservername/varnish_storage.bin size 1024 MB.
Message from VCC-compiler:
Variable 'obj.http.Server' not accessible in method 'vcl_fetch'.
At: (input Line 10 Pos 7)
unset obj.http.Server;

uncommenting line 10 and 12 in /etc/varnish/mysite.vcl solved the problem for me. Hope that helps


Best Regards

Torsten Zenk

By: Torsten Zenk

In Addition to the comment before if you still get an Error like this:

Error 503 Service Unavailable

Service Unavailable
Guru Meditation:


Varnish cache server


try to add this in mysite.vcl on line 5:

.connect_timeout = 1s;
.first_byte_timeout = 5s;
.between_bytes_timeout = 2s;


This lets you controll the amount of time untill an varnish timeout happens.

By: Lee Goile

It also works perfectly on Debian Squeeze using apache2.2 with multiple sites.




This would be the correct syntax for removing / adding http headers:



        ## Unset http header
            unset beresp.http.Server;
        ## Set new http header
            set beresp.http.Server = "My Server xxxx";

By: Franklin

If you get varnish failing silently (or saying "Not starting Varnish...[OK]" try starting it with less memory. On my Ubuntu VM this was causing me a problem, I started in debug mode from varnishd like this;

/etc/varnish# varnishd -f /etc/varnish/local.vcl -s malloc,1G -T  -a -d

by default varnish was trying to allocate 5G which my box took exception to

By: Torsten Zenk

Since Varnish 3.0 is out you might want to consider to use it on Ubuntu or Debian. The installation instructions are here:

Installation on Debian: https://www.varnish-cache.org/installation/debian
Installation on Ubuntu: https://www.varnish-cache.org/installation/ubuntu

and you can then use the ongoing information provided here.

By: Anonymous

I have a centos 5.5 installation with directadmin apache and such.

I tryed using varnish infront of apache but all my websites got the message:

Apache is functioning normally

 So is it possible to forward more domains because I sell hosting to customers and it would be bad to have to configure each website through the config.

But I would like to use varnish.

What can I do?

By: yatint


I am planning to configure Varnish on my server to hide me server ip
consider my server ip is and I want to configure varnish in such a way, when anyone tries to locate my server ip using any dns checker tool, it should show
to users. 

can you tell me how  can i do this. I tried alot and alot but no result. 

help needed.


By: Anonymous

If nobody knows your IP address they will not be able to connect to your varnish server - so your request makes no sense.

If you do not want people to view your website then place a firewall in front of it, to deny incoming connections.  If you do want visitors to your site then they need to lookup the IP address to connect.

By: Anonymous

Use Cloudflare.com to hide your ip address.

By: Zillur

Your question has actually no meaning. If you want to hide your ip , then no request come to your server. One solution ( but may be you don't mean it) using  www.cloudflare.com/ . It actually used for speeding up your website.

By: Jukkis

Any point in using apache mod_pagespeed on this setup?

By: Anonymous

I spent over a month trying to get a production server running in EC2 with Varnish and CloudFlare CDN working properly with remote client IP behind a load balancer, until I found this AMI: https://aws.amazon.com/marketplace/pp/B00KSGVT9C, it has everything pre-installed and configured, and it help me get everything up and running in a hour!


By: shobhit

I have a website with a database of >2 Gb. my site is just like youtube etc. but i am not hosting any video rather it is sharing youtube videos. my video pages are most surfed one. I have installed varnish on it. I find that many time varnish gives me guru mediation error. I am not able to understand how to solve this problem. Please let me know. what to do?

By: ebinx

I'm migriting from Debian Wheezy to Jessie. Currently gtmetrix com site (checking form London location) shows 94/91 points for my ebinxdom pl site. I am curently using APC, memcache, but I wonder if varnish could help to achive better performance. I'm after faster server response time which I've been struggling for sometime now (e.g. now I only get 0.30-0.40ms resonse time)

By: momo1240


thank you for this tutorial,that's exactly what I'm looking for.

I juste have 22 questions : 

what if we use both http and https queries on our website should we add 443 port too ? (I'm using debian6 with ispconfig).

will varnish work if we use external CDN to serve static content (css, javascript and images)


than you

By: momo1240


thank you for this tutorial,that's exactly what I'm looking for.

I juste have 22 questions : 

what if we use both http and https queries on our website should we add 443 port too ? (I'm using debian6 with ispconfig).

will varnish work if we use external CDN to serve static content (css, javascript and images)


than you

By: momo1240


thank you for this tutorial,that's exactly what I'm looking for.

I juste have 22 questions : 

what if we use both http and https queries on our website should we add 443 port too ? (I'm using debian6 with ispconfig).

will varnish work if we use external CDN to serve static content (css, javascript and images)


than you