1VARNISH-CLI(7) VARNISH-CLI(7)
2
6 varnish-cli - Varnish Command Line Interface
7
9 Varnish has a command line interface (CLI) which can control and change
10 most of the operational parameters and the configuration of Varnish,
11 without interrupting the running service.
12 The CLI can be used for the following tasks:
14 configuration
16 You can upload, change and delete VCL files from the CLI.
17 parameters
19 You can inspect and change the various parameters Varnish has
20 available through the CLI. The individual parameters are docu‐
21 mented in the varnishd(1) man page.
22 bans Bans are filters that are applied to keep Varnish from serving
24 stale content. When you issue a ban Varnish will not serve any
25 banned object from cache, but rather re-fetch it from its back‐
26 end servers.
27 process management
29 You can stop and start the cache (child) process though the CLI.
30 You can also retrieve the latest stack trace if the child
31 process has crashed.
32 If you invoke varnishd(1) with -T, -M or -d the CLI will be available.
34 In debug mode (-d) the CLI will be in the foreground, with -T you can
35 connect to it with varnishadm or telnet and with -M varnishd will con‐
36 nect back to a listening service pushing the CLI to that service.
37 Please see varnishd(1) for details.
38 Syntax
40 The Varnish CLI is similar to another command line interface, the
41 Bourne Shell. Commands are usually terminated with a newline, and they
42 may take arguments. The command and its arguments are tokenized before
43 parsing, and as such arguments containing spaces must be enclosed in
44 double quotes.
45 It means that command parsing of
47 help banner
49 is equivalent to
51 "help" banner
53 because the double quotes only indicate the boundaries of the help
55 token.
56 Within double quotes you can escape characters with \ (backslash). The
58 \n, \r, and \t get translated to newlines, carriage returns, an tabs.
59 Double quotes and backslashes themselves can be escaped with \" and \\
60 respectively.
61 To enter characters in octals use the \nnn syntax. Hexadecimals can be
63 entered with the \xnn syntax.
64 Commands may not end with a newline when a shell-style here document
66 (here-document or heredoc) is used. The format of a here document is:
67 << word
69 here document
70 word
71 word can be any continuous string chosen to make sure it doesn't appear
73 naturally in the following here document. Traditionally EOF or END is
74 used.
75 Quoting pitfalls
77 Integrating with the Varnish CLI can be sometimes surprising when quot‐
78 ing is involved. For instance in Bourne Shell the delimiter used with
79 here documents may or may not be separated by spaces from the << token:
80 cat <<EOF
82 hello
83 world
84 EOF
85 hello
86 world
87 With the Varnish CLI, the << and EOF tokens must be separated by at
89 least one blank:
90 vcl.inline boot <<EOF
92 106 258
93 Message from VCC-compiler:
94 VCL version declaration missing
95 Update your VCL to Version 4 syntax, and add
96 vcl 4.0;
97 on the first line of the VCL files.
98 ('<vcl.inline>' Line 1 Pos 1)
99 <<EOF
100 ##---
101 Running VCC-compiler failed, exited with 2
103 VCL compilation failed
104 With the missing space, the here document can be added and the actual
106 VCL can be loaded:
107 vcl.inline test << EOF
109 vcl 4.0;
110 backend be {
112 .host = "localhost";
113 }
114 EOF
115 200 14
116 VCL compiled.
117 When using a front-end to the Varnish-CLI like varnishadm, one must
119 take into account the double expansion happening. First in the shell
120 launching the varnishadm command and then in the Varnish CLI itself.
121 When a command's parameter require spaces, you need to ensure that the
122 Varnish CLI will see the double quotes:
123 varnishadm param.set cc_command '"my alternate cc command"'
125 Change will take effect when VCL script is reloaded
127 Otherwise if you don't quote the quotes, you may get a seemingly unre‐
129 lated error message:
130 varnishadm param.set cc_command "my alternate cc command"
132 Unknown request.
133 Type 'help' for more info.
134 Too many parameters
135 Command failed with error code 105
137 If you are quoting with a here document, you must wrap it inside a
139 shell multi-line argument:
140 varnishadm vcl.inline test '<< EOF
142 vcl 4.0;
143 backend be {
145 .host = "localhost";
146 }
147 EOF'
148 VCL compiled.
149 Other pitfalls include variable expansion of the shell invoking var‐
151 nishadm but this is not directly related to the Varnish CLI. If you get
152 the quoting right you should be fine even with complex commands.
153 JSON
155 A number of commands with informational responses support a -j parame‐
156 ter for JSON output, as specified below. The top-level structure of the
157 JSON response is an array with these first three elements:
158 · A version number for the JSON format (integer)
160 · An array of strings that comprise the CLI command just received
162 · The time at which the response was generated, as a Unix epoch time in
164 seconds with millisecond precision (floating point)
165 The remaining elements of the array form the data that are specific to
167 the CLI command, and their structure and content depend on the command.
168 For example, the response to status -j just contains a string in the
170 top-level array indicating the state of the child process ("running",
171 "stopped" and so forth):
172 [ 2, ["status", "-j"], 1538031732.632, "running"
174 ]
175 The JSON responses to other commands may have longer lists of elements,
177 which may have simple data types or form structured objects.
178 JSON output is only returned if command execution was successful. The
180 output for an error response is always the same as it would have been
181 for the command without the -j parameter.
182 Commands
184 auth <response>
185 Authenticate.
186 backend.list [-j] [-p] [<backend_pattern>]
188 List backends. -p also shows probe status.
189 -j specifies JSON output.
191 backend.set_health <backend_pattern> [auto|healthy|sick]
193 Set health status on the backends.
194 ban <field> <operator> <arg> [&& <field> <oper> <arg> ...]
196 Mark obsolete all objects where all the conditions match.
197 See vcl(7)_ban for details
199 ban.list [-j]
201 List the active bans.
202 Unless -j is specified (for JSON output), the output format is:
204 · Time the ban was issued.
206 · Objects referencing this ban.
208 · C if ban is completed = no further testing against it.
210 · if lurker debugging is enabled:
212 · R for req.* tests
214 · O for obj.* tests
216 · Pointer to ban object
218 · Ban specification
220 banner
222 Print welcome banner.
223 help [-j] [<command>]
225 Show command/protocol help.
226 -j specifies JSON output.
228 panic.clear [-z]
230 Clear the last panic, if any, -z will clear related varnishstat
231 counter(s)
232 panic.show [-j]
234 Return the last panic, if any.
235 -j specifies JSON output -- the panic message is returned as an
237 unstructured JSON string.
238 param.set <param> <value>
240 Set parameter value.
241 param.show [-l|-j] [<param>|changed]
243 Show parameters and their values.
244 The long form with -l shows additional information, including documen‐
246 tation and minimum, maximum and default values, if defined for the
247 parameter. JSON output is specified with -j, in which the information
248 for the long form is included; only one of -l or -j is permitted. If a
249 parameter is specified with <param>, show only that parameter. If
250 changed is specified, show only those parameters whose values differ
251 from their defaults.
252 ping [-j] [<timestamp>]
254 Keep connection alive.
255 The response is formatted as JSON if -j is specified.
257 quit
259 Close connection.
260 start
262 Start the Varnish cache process.
263 status [-j]
265 Check status of Varnish cache process.
266 -j specifies JSON output.
268 stop
270 Stop the Varnish cache process.
271 storage.list [-j]
273 List storage devices.
274 -j specifies JSON output.
276 vcl.discard <configname|label>
278 Unload the named configuration (when possible).
279 vcl.inline <configname> <quoted_VCLstring> [auto|cold|warm]
281 Compile and load the VCL data under the name provided.
282 Multi-line VCL can be input using the here document ref_syntax.
284 vcl.label <label> <configname>
286 Apply label to configuration.
287 vcl.list [-j]
289 List all loaded configuration.
290 -j specifies JSON output.
292 vcl.load <configname> <filename> [auto|cold|warm]
294 Compile and load the VCL file under the name provided.
295 vcl.show [-v] <configname>
297 Display the source code for the specified configuration.
298 vcl.state <configname> [auto|cold|warm]
300 Force the state of the named configuration.
301 vcl.use <configname|label>
303 Switch to the named configuration immediately.
304 Backend Pattern
306 A backend pattern can be a backend name or a combination of a VCL name
307 and backend name in "VCL.backend" format. If the VCL name is omitted,
308 the active VCL is assumed. Partial matching on the backend and VCL
309 names is supported using shell-style wilcards, e.g. asterisk (*).
310 Examples:
312 backend.list def*
314 backend.list b*.def*
315 backend.set_health default sick
316 backend.set_health def* healthy
317 backend.set_health * auto
318 Ban Expressions
320 A ban expression consists of one or more conditions. A condition con‐
321 sists of a field, an operator, and an argument. Conditions can be
322 ANDed together with "&&".
323 A field can be any of the variables from VCL, for instance req.url,
325 req.http.host or obj.http.set-cookie.
326 Operators are "==" for direct comparison, "~" for a regular expression
328 match, and ">" or "<" for size comparisons. Prepending an operator
329 with "!" negates the expression.
330 The argument could be a quoted string, a regexp, or an integer. Inte‐
332 gers can have "KB", "MB", "GB" or "TB" appended for size related
333 fields.
334 VCL Temperature
336 A VCL program goes through several states related to the different com‐
337 mands: it can be loaded, used, and later discarded. You can load sev‐
338 eral VCL programs and switch at any time from one to another. There is
339 only one active VCL, but the previous active VCL will be maintained
340 active until all its transactions are over.
341 Over time, if you often refresh your VCL and keep the previous versions
343 around, resource consumption will increase, you can't escape that. How‐
344 ever, most of the time you want only one to pay the price only for the
345 active VCL and keep older VCLs in case you'd need to rollback to a pre‐
346 vious version.
347 The VCL temperature allows you to minimize the footprint of inactive
349 VCLs. Once a VCL becomes cold, Varnish will release all the resources
350 that can be be later reacquired. You can manually set the temperature
351 of a VCL or let varnish automatically handle it.
352 Scripting
354 If you are going to write a script that talks CLI to varnishd, the
355 include/cli.h contains the relevant magic numbers.
356 One particular magic number to know, is that the line with the status
358 code and length field always is exactly 13 characters long, including
359 the NL character.
360 The varnishapi library contains functions to implement the basics of
362 the CLI protocol, see the vcli.h include file.
363 Authentication with -S
365 If the -S secret-file is given as argument to varnishd, all network CLI
366 connections must authenticate, by proving they know the contents of
367 that file.
368 The file is read at the time the auth command is issued and the con‐
370 tents is not cached in varnishd, so it is possible to update the file
371 on the fly.
372 Use the unix file permissions to control access to the file.
374 An authenticated session looks like this:
376 critter phk> telnet localhost 1234
378 Trying ::1...
379 Trying 127.0.0.1...
380 Connected to localhost.
381 Escape character is '^]'.
382 107 59
383 ixslvvxrgkjptxmcgnnsdxsvdmvfympg
384 Authentication required.
386 auth 455ce847f0073c7ab3b1465f74507b75d3dc064c1e7de3b71e00de9092fdc89a
388 200 279
389 -----------------------------
390 Varnish Cache CLI 1.0
391 -----------------------------
392 Linux,4.4.0-1-amd64,x86_64,-jnone,-smalloc,-smalloc,-hcritbit
393 varnish-trunk revision dc360a4
394 Type 'help' for command list.
396 Type 'quit' to close CLI session.
397 Type 'start' to launch worker process.
398 The CLI status of 107 indicates that authentication is necessary. The
400 first 32 characters of the response text is the challenge "ixsl...mpg".
401 The challenge is randomly generated for each CLI connection, and
402 changes each time a 107 is emitted.
403 The most recently emitted challenge must be used for calculating the
405 authenticator "455c...c89a".
406 The authenticator is calculated by applying the SHA256 function to the
408 following byte sequence:
409 · Challenge string
411 · Newline (0x0a) character.
413 · Contents of the secret file
415 · Challenge string
417 · Newline (0x0a) character.
419 and dumping the resulting digest in lower-case hex.
421 In the above example, the secret file contained foon and thus:
423 critter phk> cat > _
425 ixslvvxrgkjptxmcgnnsdxsvdmvfympg
426 foo
427 ixslvvxrgkjptxmcgnnsdxsvdmvfympg
428 ^D
429 critter phk> hexdump -C _
430 00000000 69 78 73 6c 76 76 78 72 67 6b 6a 70 74 78 6d 63 |ixslvvxrgkjptxmc|
431 00000010 67 6e 6e 73 64 78 73 76 64 6d 76 66 79 6d 70 67 |gnnsdxsvdmvfympg|
432 00000020 0a 66 6f 6f 0a 69 78 73 6c 76 76 78 72 67 6b 6a |.foo.ixslvvxrgkj|
433 00000030 70 74 78 6d 63 67 6e 6e 73 64 78 73 76 64 6d 76 |ptxmcgnnsdxsvdmv|
434 00000040 66 79 6d 70 67 0a |fympg.|
435 00000046
436 critter phk> sha256 _
437 SHA256 (_) = 455ce847f0073c7ab3b1465f74507b75d3dc064c1e7de3b71e00de9092fdc89a
438 critter phk> openssl dgst -sha256 < _
439 455ce847f0073c7ab3b1465f74507b75d3dc064c1e7de3b71e00de9092fdc89a
440 The sourcefile lib/libvarnish/cli_auth.c contains a useful function
442 which calculates the response, given an open filedescriptor to the
443 secret file, and the challenge string.
444
446 Load a multi-line VCL using shell-style here document:
447 vcl.inline example << EOF
449 vcl 4.0;
450 backend www {
452 .host = "127.0.0.1";
453 .port = "8080";
454 }
455 EOF
456 Ban all requests where req.url exactly matches the string /news:
458 ban req.url == "/news"
460 Ban all documents where the serving host is "example.com" or "www.exam‐
462 ple.com", and where the Set-Cookie header received from the backend
463 contains "USERID=1663":
464 ban req.http.host ~ "^(?i)(www\\.)?example\\.com$" && obj.http.set-cookie ~ "USERID=1663"
466
468 This manual page was originally written by Per Buer and later modified
469 by Federico G. Schwindt, Dridi Boukelmoune, Lasse Karstensen and
470 Poul-Henning Kamp.
471
473 · varnishadm(1)
474 · varnishd(1)
476 · vcl(7)
478 VARNISH-CLI(7)