On Mar 4, 2008, at 3:18 PM, Ricardo Newbery wrote:


On Mar 4, 2008, at 3:06 PM, g.sharpe wrote:

Should I be running varnish as root?  I'm not finding much by
way of documentation on the varnish website. I noticed in the CacheFu
deploy scripts, a "varnish_user" is given appropriate privileges to
the vcl, etc.  However, I don't see where this "varnish_user" is
created or defined (no reference in makeconfig.cfg).

Gary Sharpe



In the makeconfig.cfg, the "varnish_user" is called just "user". Now that you brought this up, it occurs to me that the makeconfig script probably shouldn't change the name during processing as it may be a bit confusing if you're trying to figure out what's happening in the templates.

In the Squid configs, we do something similar. The makeconfig.cfg allows you to set a value for "user" but processing renames this to "squid_user".

With regard to what value should be used for "user", this depends on what port you need Varnish to bind to. In order to bind to ports lower than 1024, Unix systems require the process to run as "root" (this is not the case for Windows systems -- which results in some serious security implications). So if you wish your Varnish to respond to requests on the standard HTTP port 80, you need to start it up as root. However, again for security reasons, Varnish will attempt to drop privileges as soon as the port has been bound. That's what the "user" field is for -- after binding to port 80, the Varnish child process will then continue on running with the permissions of this other, hopefully less-privileged, user.

If instead Varnish is bound to a less-privileged port like port 8000, which might be the case for a Zope-Varnish-Apache setup, then this is less important. But makeconfig still needs to know the "user" that will launch Varnish to make sure that Varnish has the proper read/write privileges for the configs and cache storage.

The Squid install works the same way. And so does Zope, where this is governed by the "effective-user" directive in zope.conf.

Ric



Forgot to mention that in both cases, if user is not specified, Squid and Varnish will default to "nobody" as the user to switch to after starting up as root.

Ric
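The bind-then-drop sequence Ric describes above (start as root only to grab the low port, then switch the serving process to a less-privileged "user", defaulting to "nobody"), written out as an added C example. This is not Varnish's, Squid's or CacheFu's code: the function names (port_needs_root, lookup_user, bind_listener, drop_privileges), the default port 8000 and the treatment of the unprivileged-start case (port 8000 style, where there is nothing to drop) are this example's own assumptions, and it assumes Linux. It also checks, after the switch, that root can no longer be regained, which is the property the whole arrangement depends on.

```c
/* Added example (not Varnish/Squid/CacheFu code): bind a listening port
 * while still root, then permanently switch to an unprivileged user.
 * Names and defaults (port 8000, user "nobody") are assumptions. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* <grp.h> declares setgroups() only under _GNU_SOURCE/_DEFAULT_SOURCE;
 * repeated here so the file also builds under a strict -std=c11 (Linux). */
int setgroups(size_t size, const gid_t *list);

/* Classic Unix rule from the thread: ports 1..1023 need root to bind. */
int port_needs_root(int port)
{
    return port > 0 && port < 1024;
}

/* Resolve a user name via the passwd database. 0 on success, -1 if unknown. */
int lookup_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Listening TCP socket on 0.0.0.0:port. Returns fd, or -1 with errno set
 * (EACCES is what an unprivileged process gets for a port below 1024). */
int bind_listener(int port)
{
    if (port < 0 || port > 65535) {
        errno = EINVAL;
        return -1;
    }
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons((uint16_t)port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 128) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Permanently switch to uid/gid. Groups and gid go first: once setuid()
 * has succeeded we may no longer be allowed to change them. Refuses to
 * "drop" to root and verifies root cannot be regained. 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) {
        errno = EINVAL;
        return -1;
    }
    /* Only root can clear supplementary groups; a process started
     * unprivileged (the port-8000 case) has nothing to clear. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* The drop must be irreversible: a root setuid() also replaces the
     * saved uid, so this attempt to come back as root has to fail. */
    if (setuid(0) == 0 || geteuid() != uid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    int port = argc > 1 ? atoi(argv[1]) : 8000;       /* assumed default */
    const char *user = argc > 2 ? argv[2] : "nobody"; /* default named in the thread */
    uid_t uid;
    gid_t gid;
    if (lookup_user(user, &uid, &gid) != 0) {
        fprintf(stderr, "unknown user %s\n", user);
        return 1;
    }
    if (port_needs_root(port) && geteuid() != 0)
        fprintf(stderr, "warning: port %d normally needs root; bind may fail\n", port);
    int fd = bind_listener(port);
    if (fd < 0) {
        perror("bind_listener");
        return 1;
    }
    /* Port is held; root is never needed again from here on. */
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("listening on :%d as uid=%u gid=%u, still holding fd %d\n",
           port, (unsigned)getuid(), (unsigned)getgid(), fd);
    close(fd);
    return 0;
}
```

Run it as root with "80 nobody" and the bound socket survives the switch while getuid() reports the unprivileged id; run it as an ordinary user with "8000" and the same code path works without ever touching setgroups. Either way, the file-permission point from the thread still applies: whatever user the process ends up as must be able to read the configs and write the cache storage, because that user, not root, is the one doing the work.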



_______________________________________________
Setup mailing list
[email protected]
http://lists.plone.org/mailman/listinfo/setup
