Varnish cache, munin-node and server-status

On my server running Ubuntu 12.04, I have Apache2 listening on port 8008 (20 virtual hosts) and Varnish on port 80. I use munin and monit to keep tabs on the various services running on the machine, and they use the mod_status output to keep tabs on Apache2 processes. As mod_status is compiled into Apache2 by default and the module is enabled, this means that detailed information about your webserver is exposed for all the world to see. The mod_status configuration file allows you to lock access down to localhost only, which is nice.


However, Varnish connects to the backend Apache2 server as localhost, so the localhost-only restriction is satisfied and the server-status page is exposed to the wild wild web through port 80. With the Varnish VCL I was using, my server-status page was cached for an hour, so it was still available but only as a static status report that changed when the cache refreshed. Implementing a solution from serverfault.com that passed the URL straight to the backend made the live server-status available through Varnish instead, which did not help. To secure my server-status I had to block access to the server-status URL at the Varnish layer while keeping it open for munin-node.

My Apache2 virtual hosts are configured to listen on port 8008. So I configured munin-node to listen on 8008 in /etc/munin/plugin-conf.d/munin-node:

[apache_*]
env.url http://127.0.0.1:%d/server-status?auto
env.ports 8008

I then added the following line to my VCL at the top of the vcl_recv section:

if (req.url ~ "^/server-status") {
    error 403;
}

This blocks access to the server-status URL on port 80 and returns a 403 Forbidden response, while munin-node can still reach server-status directly on the Apache2 backend at localhost:8008.
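As an added example (not part of the original post), here is a small POSIX shell script to confirm the result from both sides: the public hostname and the backend address are assumptions set via environment variables, and the pass/fail decision is kept in its own function so it can be checked without a live server.

```shell
#!/bin/sh
# Added example: confirm that /server-status is refused at the Varnish edge
# (port 80) but still answers munin-node on the Apache backend (localhost:8008).
# PUBLIC_HOST and BACKEND are assumptions; override them for your server.
PUBLIC_HOST="${PUBLIC_HOST:-www.example.com}"
BACKEND="${BACKEND:-127.0.0.1:8008}"

# Print only the HTTP status code for a URL (curl prints 000 if it cannot connect).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1"
}

# Compare the observed pair of status codes with the intended policy:
# the edge must return 403 and the backend must return 200 for the munin query.
# Prints "ok" or one line per problem; exit status is 0 only when both match.
evaluate() {
    edge="$1"; backend="$2"
    if [ "$edge" = "403" ] && [ "$backend" = "200" ]; then
        echo "ok"
        return 0
    fi
    [ "$edge" != "403" ] && echo "edge exposes /server-status (got $edge, want 403)"
    [ "$backend" != "200" ] && echo "backend not reachable for munin (got $backend, want 200)"
    return 1
}

# Fetch both URLs and evaluate them.
check_server_status() {
    edge=$(http_status "http://$PUBLIC_HOST/server-status")
    backend=$(http_status "http://$BACKEND/server-status?auto")
    evaluate "$edge" "$backend"
}

# Only hit the network when invoked with --live, e.g. from a cron job or by hand.
case "${1:-}" in
    --live) check_server_status ;;
esac
```

Run it as `sh check_server_status.sh --live` on the server itself so that the backend address is reachable; a non-zero exit with the printed reason is what you want monit or cron to alert on.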

This post was helpful in working it all out: http://nwlinux.com/how-to-configure-varnish-on-ubuntu-server/
