authorOle Mathias Heggem <olemathias.aa.heggem@gmail.com>2023-03-21 15:50:00 +0100
committerOle Mathias Heggem <olemathias.aa.heggem@gmail.com>2023-03-21 15:50:00 +0100
commit5a289819ecdcb762d0377a9fd5536b5a852f049a (patch)
treefcab16a2ac8a0d859bd2aba04349e82bb7b766b4
parentb3008251641f372d7101dac769de3022f3bf69bb (diff)
fix: ansible varnish service
-rw-r--r--INSTALLING.rst11
-rw-r--r--ansible/roles/web/files/varnish.service2
-rw-r--r--ansible/roles/web/files/varnish.vcl36
3 files changed, 25 insertions, 24 deletions
diff --git a/INSTALLING.rst b/INSTALLING.rst
index 5770c9f..5a7b5bd 100644
--- a/INSTALLING.rst
+++ b/INSTALLING.rst
@@ -4,8 +4,8 @@ Installing Gondul
Requirements
------------
-- Debian Stable (stretch) with backports (possibly newer)
-- Ansible v2.7 or newer (recommended: from backports)
+- Debian Stable
+- Ansible v2.7 or newer
- A harddrive of some size. Recommended: SSD. 200GB should be sufficient
for almost any party.
- CPU: Depends on client-load. Most semi-modern cpu's will be more than
@@ -27,15 +27,14 @@ As root:
# YOURUSER=kly
# apt-get install sudo git
# echo ${YOURUSER} ALL=NOPASSWD: ALL >> /etc/sudoers
- # echo deb http://http.debian.net/debian stretch-backports main non-free contrib > /etc/apt/sources.list.d/bp.list
# apt-get update
- # apt-get install ansible/stretch-backports
+ # apt-get install ansible
As ``$YOURUSER``::
$ git clone https://github.com/gathering/gondul.git
$ cd gondul/ansible
- $ ansible-playbook -i inventory-localhost site.yml
+ $ cd
Then visit http://ip-your-boxen/
@@ -61,7 +60,7 @@ req.http.Authorization != "Basic dGVjaDpydWxlcw=="
Securing InfluxDB
-----------------
-Default InfluxDB is wide open, to limit this a little we need to configure a few users
+Default InfluxDB is wide open, to limit this we need to configure a few users
Create the users needed:
diff --git a/ansible/roles/web/files/varnish.service b/ansible/roles/web/files/varnish.service
index 41e311c..66ae044 100644
--- a/ansible/roles/web/files/varnish.service
+++ b/ansible/roles/web/files/varnish.service
@@ -1,3 +1,3 @@
[Service]
ExecStart=
-ExecStart=/usr/sbin/varnishd -a :80 -T localhost:6082 -f /etc/varnish/default.vcl -s default,256m
+ExecStart=/usr/sbin/varnishd -j unix,user=vcache -F -a :80 -a [::1]:6085,PROXY -T localhost:6082 -f /etc/varnish/default.vcl -S /etc/varnish/secret -s malloc,256m
\ No newline at end of file
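Review bot: The new `-a [::1]:6085,PROXY` listener has no comment saying it must stay on loopback. On a PROXY listener varnishd takes `client.ip` from the PROXY header, and varnish.vcl in this same commit uses `client.ip !~ white` to decide whether basic auth is required. I would add above ExecStart `# :6085 speaks PROXY for the local TLS terminator (presumably hitch); keep it on loopback, client.ip comes from the PROXY header and gates auth in the VCL`. The unit also now depends on `/etc/varnish/secret`; the task that installs it is not visible here, so it is worth confirming the role deploys it readable only by root.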
diff --git a/ansible/roles/web/files/varnish.vcl b/ansible/roles/web/files/varnish.vcl
index 00a3325..d8b4c91 100644
--- a/ansible/roles/web/files/varnish.vcl
+++ b/ansible/roles/web/files/varnish.vcl
@@ -48,13 +48,13 @@ sub vcl_recv {
return(pass);
}
- # Redirect to https - note that this does NOT happen for
+ # Redirect to https - note that this does NOT happen for
# "whitelisted" stuff - e.g., templating engine.
- #disabled as we haven't fixd hitch for ssl termination
- #if (std.port(local.ip) == 80 && client.ip !~ white) {
- # set req.http.x-redir = "https://" + req.http.host + req.url;
- # return(synth(301));
- #}
+ # disabled as we haven't fixd hitch for ssl termination
+ # if (std.port(local.ip) == 80 && client.ip !~ white) {
+ # set req.http.x-redir = "https://" + req.http.host + req.url;
+ # return(synth(301));
+ # }
# Basic authentication ....
# We include the following from /etc/varnish/auth.vcl, to keep passwords
@@ -64,11 +64,11 @@ sub vcl_recv {
# where AAAA is the result of:
# echo -n user:password | base64.
# Example:
- # kly@jade:~$ echo -n tech:rules | base64
+ # kly@jade:~$ echo -n tech:rules | base64
# dGVjaDpydWxlcw==
- # # cat /etc/varnish/auth.vcl
+ # # cat /etc/varnish/auth.vcl
# req.http.Authorization != "Basic dGVjaDpydWxlcw=="
- if (client.ip !~ white &&
+ if (client.ip !~ white &&
include "/etc/varnish/auth.vcl";) {
return(synth(401));
} else {
@@ -78,18 +78,20 @@ sub vcl_recv {
if (req.url ~ "^/api/templates") {
set req.url = regsub(req.url,"^/api/templates","");
+ set req.url = regsub(req.url, "magic.conf/", "magic.conf?");
set req.backend_hint = templating;
}
-
+
if (req.url ~ "^/query") {
- set req.backend_hint = influx;
+ set req.backend_hint = influx;
+ # set req.http.Authorization = "Basic";
}
# More human-typable URL
if (req.url ~ "^/where" || req.url ~ "^/location") {
set req.url = "/api/public/location";
}
-
+
# Fairly standard filtering. Default VCL will do "pipe", which is
# pointless for us.
if (req.method != "GET" &&
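Review bot: The pattern in the added `regsub(req.url, "magic.conf/", "magic.conf?")` is unanchored and leaves the dot unescaped, so it rewrites the first match anywhere in the URL, including inside a query string, and also matches strings such as `magicXconf/`. Since the rewrite turns a path segment into a query string for the templating backend, I would narrow it, e.g. `set req.url = regsub(req.url, "^/magic\.conf/", "/magic.conf?");` if the file always sits directly under `/api/templates` (not visible in this hunk, so adjust the anchor to the real layout). The commented-out `# set req.http.Authorization = "Basic";` in the `/query` branch should be removed or given a line saying what it is waiting on, because as written it is unclear whether the client's Authorization header is meant to reach InfluxDB. vcl_recv starts and continues outside the hunk.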
@@ -159,9 +161,9 @@ sub vcl_backend_response {
if (beresp.http.x-ban) {
ban("obj.http.x-url ~ " + beresp.http.x-ban);
}
-
+
# Force gzip on text-based content so we don't have to
- # rely on Apache.
+ # rely on Apache.
if (beresp.http.content-type ~ "text") {
set beresp.do_gzip = true;
}
@@ -175,9 +177,9 @@ sub vcl_backend_response {
set beresp.grace = 10s;
set beresp.ttl = 5s;
}
-
+
# Wait, nvm, we catch non-200 here and make them actually cacheable for 5
- # seconds - we don't want to nuke a backend just because it has ...issues.
+ # seconds - we don't want to nuke a backend just because it has ...issues.
if (beresp.status != 200) {
set beresp.uncacheable = false;
set beresp.ttl = 5s;
@@ -188,4 +190,4 @@ sub vcl_backend_response {
if (bereq.url ~ "\.(html|css|js)" || bereq.url ~ "^/[^/.]*") {
set beresp.ttl = 10s;
}
-}
+}
\ No newline at end of file