1VARNISH-CLI(7) VARNISH-CLI(7)
2
6 varnish-cli - Varnish Command Line Interface
7
9 Varnish has a command line interface (CLI) which can control and change
10 most of the operational parameters and the configuration of Varnish,
11 without interrupting the running service.
12 The CLI can be used for the following tasks:
14 configuration
16 You can upload, change and delete VCL files from the CLI.
17 parameters
19 You can inspect and change the various parameters Varnish has
20 available through the CLI. The individual parameters are docu‐
21 mented in the varnishd(1) man page.
22 bans Bans are filters that are applied to keep Varnish from serving
24 stale content. When you issue a ban Varnish will not serve any
25 banned object from cache, but rather re-fetch it from its back‐
26 end servers.
27 process management
29 You can stop and start the cache (child) process though the CLI.
30 You can also retrieve the latest stack trace if the child
31 process has crashed.
32 If you invoke varnishd(1) with -T, -M or -d the CLI will be available.
34 In debug mode (-d) the CLI will be in the foreground, with -T you can
35 connect to it with varnishadm or telnet and with -M varnishd will con‐
36 nect back to a listening service pushing the CLI to that service.
37 Please see varnishd(1) for details.
38 Syntax
40 The Varnish CLI is similar to another command line interface, the
41 Bourne Shell. Commands are usually terminated with a newline, and they
42 may take arguments. The command and its arguments are tokenized before
43 parsing, and as such arguments containing spaces must be enclosed in
44 double quotes.
45 It means that command parsing of
47 help banner
49 is equivalent to
51 "help" banner
53 because the double quotes only indicate the boundaries of the help
55 token.
56 Within double quotes you can escape characters with \ (backslash). The
58 \n, \r, and \t get translated to newlines, carriage returns, an tabs.
59 Double quotes and backslashes themselves can be escaped with \" and \\
60 respectively.
61 To enter characters in octals use the \nnn syntax. Hexadecimals can be
63 entered with the \xnn syntax.
64 Commands may not end with a newline when a shell-style here document
66 (here-document or heredoc) is used. The format of a here document is:
67 << word
69 here document
70 word
71 word can be any continuous string chosen to make sure it doesn't appear
73 naturally in the following here document. Traditionally EOF or END is
74 used.
75 Quoting pitfalls
77 Integrating with the Varnish CLI can be sometimes surprising when quot‐
78 ing is involved. For instance in Bourne Shell the delimiter used with
79 here documents may or may not be separated by spaces from the << token:
80 cat <<EOF
82 hello
83 world
84 EOF
85 hello
86 world
87 With the Varnish CLI, the << and EOF tokens must be separated by at
89 least one blank:
90 vcl.inline boot <<EOF
92 106 258
93 Message from VCC-compiler:
94 VCL version declaration missing
95 Update your VCL to Version 4 syntax, and add
96 vcl 4.0;
97 on the first line of the VCL files.
98 ('<vcl.inline>' Line 1 Pos 1)
99 <<EOF
100 ##---
101 Running VCC-compiler failed, exited with 2
103 VCL compilation failed
104 With the missing space, the here document can be added and the actual
106 VCL can be loaded:
107 vcl.inline test << EOF
109 vcl 4.0;
110 backend be {
112 .host = "localhost";
113 }
114 EOF
115 200 14
116 VCL compiled.
117 When using a front-end to the Varnish-CLI like varnishadm, one must
119 take into account the double expansion happening. First in the shell
120 launching the varnishadm command and then in the Varnish CLI itself.
121 When a command's parameter require spaces, you need to ensure that the
122 Varnish CLI will see the double quotes:
123 varnishadm param.set cc_command '"my alternate cc command"'
125 Change will take effect when VCL script is reloaded
127 Otherwise if you don't quote the quotes, you may get a seemingly unre‐
129 lated error message:
130 varnishadm param.set cc_command "my alternate cc command"
132 Unknown request.
133 Type 'help' for more info.
134 Too many parameters
135 Command failed with error code 105
137 If you are quoting with a here document, you must wrap it inside a
139 shell multi-line argument:
140 varnishadm vcl.inline test '<< EOF
142 vcl 4.0;
143 backend be {
145 .host = "localhost";
146 }
147 EOF'
148 VCL compiled.
149 Other pitfalls include variable expansion of the shell invoking var‐
151 nishadm but this is not directly related to the Varnish CLI. If you get
152 the quoting right you should be fine even with complex commands.
153 Commands
155 auth <response>
156 Authenticate.
157 backend.list [-p] [<backend_pattern>]
159 List backends. -p also shows probe status.
160 backend.set_health <backend_pattern> [auto|healthy|sick]
162 Set health status on the backends.
163 ban <field> <operator> <arg> [&& <field> <oper> <arg> ...]
165 Mark obsolete all objects where all the conditions match.
166 See vcl(7)_ban for details
168 ban.list
170 List the active bans.
171 The output format is:
173 · Time the ban was issued.
175 · Objects referencing this ban.
177 · C if ban is completed = no further testing against it.
179 · if lurker debugging is enabled:
181 · R for req.* tests
183 · O for obj.* tests
185 · Pointer to ban object
187 · Ban specification
189 banner
191 Print welcome banner.
192 help [<command>]
194 Show command/protocol help.
195 panic.clear [-z]
197 Clear the last panic, if any, -z will clear related varnishstat
198 counter(s)
199 panic.show
201 Return the last panic, if any.
202 param.set <param> <value>
204 Set parameter value.
205 param.show [-l] [<param>|changed]
207 Show parameters and their values.
208 The long form with -l shows additional information, including documen‐
210 tation and minimum, maximum and default values, if defined for the
211 parameter. If a parameter is specified with <param>, show only that
212 parameter. If changed is specified, show only those parameters whose
213 values differ from their defaults.
214 ping [<timestamp>]
216 Keep connection alive.
217 quit
219 Close connection.
220 start
222 Start the Varnish cache process.
223 status
225 Check status of Varnish cache process.
226 stop
228 Stop the Varnish cache process.
229 storage.list
231 List storage devices.
232 vcl.discard <configname|label>
234 Unload the named configuration (when possible).
235 vcl.inline <configname> <quoted_VCLstring> [auto|cold|warm]
237 Compile and load the VCL data under the name provided.
238 Multi-line VCL can be input using the here document ref_syntax.
240 vcl.label <label> <configname>
242 Apply label to configuration.
243 vcl.list
245 List all loaded configuration.
246 vcl.load <configname> <filename> [auto|cold|warm]
248 Compile and load the VCL file under the name provided.
249 vcl.show [-v] <configname>
251 Display the source code for the specified configuration.
252 vcl.state <configname> [auto|cold|warm]
254 Force the state of the named configuration.
255 vcl.use <configname|label>
257 Switch to the named configuration immediately.
258 Backend Pattern
260 A backend pattern can be a backend name or a combination of a VCL name
261 and backend name in "VCL.backend" format. If the VCL name is omitted,
262 the active VCL is assumed. Partial matching on the backend and VCL
263 names is supported using shell-style wilcards, e.g. asterisk (*).
264 Examples:
266 backend.list def*
268 backend.list b*.def*
269 backend.set_health default sick
270 backend.set_health def* healthy
271 backend.set_health * auto
272 Ban Expressions
274 A ban expression consists of one or more conditions. A condition con‐
275 sists of a field, an operator, and an argument. Conditions can be
276 ANDed together with "&&".
277 A field can be any of the variables from VCL, for instance req.url,
279 req.http.host or obj.http.set-cookie.
280 Operators are "==" for direct comparison, "~" for a regular expression
282 match, and ">" or "<" for size comparisons. Prepending an operator
283 with "!" negates the expression.
284 The argument could be a quoted string, a regexp, or an integer. Inte‐
286 gers can have "KB", "MB", "GB" or "TB" appended for size related
287 fields.
288 VCL Temperature
290 A VCL program goes through several states related to the different com‐
291 mands: it can be loaded, used, and later discarded. You can load sev‐
292 eral VCL programs and switch at any time from one to another. There is
293 only one active VCL, but the previous active VCL will be maintained
294 active until all its transactions are over.
295 Over time, if you often refresh your VCL and keep the previous versions
297 around, resource consumption will increase, you can't escape that. How‐
298 ever, most of the time you want only one to pay the price only for the
299 active VCL and keep older VCLs in case you'd need to rollback to a pre‐
300 vious version.
301 The VCL temperature allows you to minimize the footprint of inactive
303 VCLs. Once a VCL becomes cold, Varnish will release all the resources
304 that can be be later reacquired. You can manually set the temperature
305 of a VCL or let varnish automatically handle it.
306 Scripting
308 If you are going to write a script that talks CLI to varnishd, the
309 include/cli.h contains the relevant magic numbers.
310 One particular magic number to know, is that the line with the status
312 code and length field always is exactly 13 characters long, including
313 the NL character.
314 The varnishapi library contains functions to implement the basics of
316 the CLI protocol, see the vcli.h include file.
317 Authentication with -S
319 If the -S secret-file is given as argument to varnishd, all network CLI
320 connections must authenticate, by proving they know the contents of
321 that file.
322 The file is read at the time the auth command is issued and the con‐
324 tents is not cached in varnishd, so it is possible to update the file
325 on the fly.
326 Use the unix file permissions to control access to the file.
328 An authenticated session looks like this:
330 critter phk> telnet localhost 1234
332 Trying ::1...
333 Trying 127.0.0.1...
334 Connected to localhost.
335 Escape character is '^]'.
336 107 59
337 ixslvvxrgkjptxmcgnnsdxsvdmvfympg
338 Authentication required.
340 auth 455ce847f0073c7ab3b1465f74507b75d3dc064c1e7de3b71e00de9092fdc89a
342 200 279
343 -----------------------------
344 Varnish Cache CLI 1.0
345 -----------------------------
346 Linux,4.4.0-1-amd64,x86_64,-jnone,-smalloc,-smalloc,-hcritbit
347 varnish-trunk revision dc360a4
348 Type 'help' for command list.
350 Type 'quit' to close CLI session.
351 Type 'start' to launch worker process.
352 The CLI status of 107 indicates that authentication is necessary. The
354 first 32 characters of the response text is the challenge "ixsl...mpg".
355 The challenge is randomly generated for each CLI connection, and
356 changes each time a 107 is emitted.
357 The most recently emitted challenge must be used for calculating the
359 authenticator "455c...c89a".
360 The authenticator is calculated by applying the SHA256 function to the
362 following byte sequence:
363 · Challenge string
365 · Newline (0x0a) character.
367 · Contents of the secret file
369 · Challenge string
371 · Newline (0x0a) character.
373 and dumping the resulting digest in lower-case hex.
375 In the above example, the secret file contained foon and thus:
377 critter phk> cat > _
379 ixslvvxrgkjptxmcgnnsdxsvdmvfympg
380 foo
381 ixslvvxrgkjptxmcgnnsdxsvdmvfympg
382 ^D
383 critter phk> hexdump -C _
384 00000000 69 78 73 6c 76 76 78 72 67 6b 6a 70 74 78 6d 63 |ixslvvxrgkjptxmc|
385 00000010 67 6e 6e 73 64 78 73 76 64 6d 76 66 79 6d 70 67 |gnnsdxsvdmvfympg|
386 00000020 0a 66 6f 6f 0a 69 78 73 6c 76 76 78 72 67 6b 6a |.foo.ixslvvxrgkj|
387 00000030 70 74 78 6d 63 67 6e 6e 73 64 78 73 76 64 6d 76 |ptxmcgnnsdxsvdmv|
388 00000040 66 79 6d 70 67 0a |fympg.|
389 00000046
390 critter phk> sha256 _
391 SHA256 (_) = 455ce847f0073c7ab3b1465f74507b75d3dc064c1e7de3b71e00de9092fdc89a
392 critter phk> openssl dgst -sha256 < _
393 455ce847f0073c7ab3b1465f74507b75d3dc064c1e7de3b71e00de9092fdc89a
394 The sourcefile lib/libvarnish/cli_auth.c contains a useful function
396 which calculates the response, given an open filedescriptor to the
397 secret file, and the challenge string.
398
400 Load a multi-line VCL using shell-style here document:
401 vcl.inline example << EOF
403 vcl 4.0;
404 backend www {
406 .host = "127.0.0.1";
407 .port = "8080";
408 }
409 EOF
410 Ban all requests where req.url exactly matches the string /news:
412 ban req.url == "/news"
414 Ban all documents where the serving host is "example.com" or "www.exam‐
416 ple.com", and where the Set-Cookie header received from the backend
417 contains "USERID=1663":
418 ban req.http.host ~ "^(?i)(www\\.)?example\\.com$" && obj.http.set-cookie ~ "USERID=1663"
420
422 This manual page was originally written by Per Buer and later modified
423 by Federico G. Schwindt, Dridi Boukelmoune, Lasse Karstensen and
424 Poul-Henning Kamp.
425
427 · varnishadm(1)
428 · varnishd(1)
430 · vcl(7)
432 VARNISH-CLI(7)