-
Notifications
You must be signed in to change notification settings - Fork 149
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EZP-31804: [Docker] Added fixed IP to varnish container to workaround TRUSTED_PROXIES setting #592
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice, no need for hacks or anything 😉 👍 💯
And yes, no need for several Varnish servers here. We anyway (in general) recommend using one active Varnish server and one passive that can take over, to make sure to get the best possible cache hit ratio. Varnish does have commercial solutions to share cache between instances, which might be given as recommendation on a case by case basis.
SIDE: We currently don't specify how people should do this in order to make sure the passive one can have some cache warmed up in it to not take over with cold cache, but we could consider having such things covered too.
In docker stack that would probably be config to always make sure one instance is running?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, with this change, you cannot have two separate installs on the same machine, right?
@vidarl |
@vidarl : As @ViniTou wrote, wasn't it always the case? We had the exposed ports (8080,8081) clashing with each other from I'm not sure how you're dealing with this issue now - the only solution that comes to my mind is remapping the ports manually, so this would be another value to remap when setting up the n-th Docker stack. |
The port clashing does not prevent you from creating containers for multiple installs at the same time ( only one install may run at a given time though ). I haven't tested, but I suspect that with this change, you cannot even create the containers for a second install as backend network's subnet will clash with an existing one. |
3e40a7d
to
545da12
Compare
@vidarl you're right - without this solution it's enough to I've searched again for solutions and here is a short summary:
I've changed this PR to solution 3 and will be happy to hear how you feel about it. |
a 4th solution would be that the php container would resolve hostnames in However, your approach is much simpler so we can do that. |
Co-authored-by: André R. <289757+andrerom@users.noreply.github.com>
545da12
to
f495faa
Compare
JIRA: https://jira.ez.no/browse/EZP-31804
A potential replacement to the solution proposed in ezsystems/docker-php#34
Currently we set
varnish
as trusted proxy, but it doesn't work - Symfony does not resolve hostnames when looking at trusted proxies, meaning that in our Docker stack no proxy is trusted. This makes it impossible to purge cache correctly when using it.Things I've considered:
Currently
varnish
has a dependency onapp
(because it resolves theapp
hostname in--acl-add
command, so adding avarnish
dependency toapp
to resolve trusted proxy would create a circular dependency.This leaves as with a possibility to wait until
varnish
container is available as in ezsystems/docker-php#34 or we could try to set the IP without resolving hostname:app
container is available to the publicbackend
network (so the network used both byvarnish
andapp
) to use a specified subnet with Varnish container having a fixed IP in that subnet - so that we don't have to resolve it and can hardcode it.This fixed subnet is specified only in
varnish.yml
, so there's no change for people not using it.Also in our Docker stack there is only one varnish instance (and I don't think we have a plan to introduce multiple reverse proxies in front of our application in the Docker stack, Fastly-style) so IMHO having a fixed IP is acceptable here.