Varnish Summit Paris

2. VCL: logic and logistics
Guillaume Quintard
guillaume@varni.sh
Paris Summit - 13/10/16

3. AGENDA
What is VCL?
Compilation
Debugging
Coding practices
Tests

4. What’s VCL?

5. recv
What’s VCL?
lookup
pass
hit
miss
error
fetch
deliver

6. What’s VCL?
Domain Specific Language
Describe a state machine
Imperative
Not Turing-complete, sorry
Very extensible
Super fast
example:
sub vcl_recv {
if (req.url ~ “^/admin/”) {
return (pass);
}
}

7. Compilation

8. Compilation
sub vcl_recv {
if (req.url ~ “^/admin/”) {
return (pass);
}
}
transpiles to:
int VGC_function_vcl_recv(VRT_CTX) {
if (VRT_re_match(ctx, VRT_r_req_url(ctx), VGC_re_1)) {
VRT_handling(ctx, VCL_RET_PASS);
return (1);
}
}

9. Varnish
child
foo.vcl
Varnish
mgt
bar.so

10. Varnish
child
VCCfoo.vcl
Varnish
mgt
bar.sofoo.c

11. Varnish
child
VCC CCfoo.cfoo.vcl foo.so
Varnish
mgt
bar.so

12. Varnish
child
VCC CCfoo.cfoo.vcl foo.so
Varnish
mgt
bar.so

13. Hands on!
Try it!
varnishd -n /tmp -f /etc/default.vcl -C
Check the compilation command:
[sudo] varnishadm param.show cc_command
Load, then use a vcl
[sudo] varnishadm vcl.load foo foo.vcl
[sudo] varnishadm vcl.use foo

14. The “no compiler” policy
No JDK, LUA, JS nor Python, then?
C created by VCC (Varnish Configuration Compiler) is very limited in scope.
VCC can run any compiling command, so you can use a C compiler you trust.
VCC is ran as a normal user, you can narrow the compiler execution right to that user.
And Varnish drops privileges and jails himself to execute the compiled code.

15. Debugging

16. Debugging
One of the most often asked questions:
Why isn’t this object cached?
Let’s check:
● Are the VCL subs returning the right thing?
● Is the builtin VCL being annoying?
● Are we hashing the right stuff?
● Aren’t we being bit by Hit-for-Pass?

17. Coding
practices

18. Coding like a champ
VCL is code, treat it as such:
● Coding guidelines guidelines:
○ Choose tabs OR spaces.
○ Indent properly.
○ Only one inclusion level.
○ All includes/import at the top of the file.
○ Isolate backends into their own file
● Use a syntax highlighter
● Check it compiles, at the very least
● Version it
● Test it

19. Not everything is a nail, use vmods
Regex are super powerful and versatile and deadly.
● Try to avoid them.
● Notably, use vmod-querystring and vmod-cookie.
go from:
set req.http.Cookie = regsuball(req.http.Cookie, "(^|(?<=; )) *__utma=[^;]+;? *", "1");
to:
Use vmod-var, it’s good for you!
Use vmod-goto for dynamic backends, or vmod-stendhal to store backends/directors in a dictionary.
Visit http://www.varnish-cache.org/vmods/ for more vmods!

20. Not everything is a nail, use vmods
Regex are super powerful and versatile and deadly.
● Try to avoid them.
● Notably, use vmod-querystring and vmod-cookie.
go from:
set req.http.Cookie = regsuball(req.http.Cookie, "(^|(?<=; )) *__utma=[^;]+;? *", "1");
to:
cookie.filter_except("__utma");
Use vmod-var, it’s good for you!
Use vmod-goto for dynamic backends, or vmod-stendhal to store backends/directors in a dictionary.
Visit http://www.varnish-cache.org/vmods/ for more vmods!

21. Use functions, er...subs!
Reuse and isolate code for fun and profit:
sub myfunction {
unset req.http.host;
set req.http.this-header = “is super useful”
}
sub vcl_recv {
if (req.url ~ “^/test”) {
call myfunction;
}
}

22. It’s dangerous to label people, VCL however...
VCL labels are nice
Provide an alias to a potentially changing vcl
[sudo] varnishadm vcl.label production foo123
But also funnier stuff!

23. Testing

24. Contact info:
Email: guillaume@varni.sh
IRC: gquintar on irc.linpro.no

25. Images info:
https://flic.kr/p/c7juws
https://flic.kr/p/4HfejV
https://flic.kr/p/dVbhyq
https://flic.kr/p/gh6toq
https://flic.kr/p/mQCP6P