EESSI · bedroge · Nov 10, 2025 · Nov 10, 2025 · Nov 10, 2025 · Nov 10, 2025
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -18,6 +18,9 @@ cvmfs_stratum1_http_ports:
 cvmfs_localproxy_http_ports:
   - 3128
 
+# Type of local forward proxy, can be either squid or varnish
+cvmfs_localproxy_type: squid
+# use a Squid reverse proxy on the Stratum1
 cvmfs_stratum1_squid: false
 # if a Squid frontend is used on the Stratum 1, Apache needs to listen on an internal port
 # otherwise we stick to cvmfs_stratum1_http_ports

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -11,6 +11,11 @@
     name: "{{ cvmfs_squid_service_name }}"
     state: restarted
 
+- name: Restart varnish
+  ansible.builtin.service:
+    name: "{{ cvmfs_varnish_service_name }}"
+    state: restarted
+
 - name: Restart apache
   ansible.builtin.service:
     name: "{{ cvmfs_apache_service_name }}"

diff --git a/tasks/localproxy.yml b/tasks/localproxy.yml
@@ -9,6 +9,13 @@
   ansible.builtin.include_tasks: squid.yml
   vars:
     _cvmfs_squid_conf_src: "{{ cvmfs_squid_conf_src | default('localproxy_squid.conf.j2') }}"
+  when: cvmfs_localproxy_type == 'squid'
+
+- name: Include varnish tasks
+  ansible.builtin.include_tasks: varnish.yml
+  vars:
+    _cvmfs_varnish_conf_src: "{{ cvmfs_varnish_conf_src | default('localproxy_varnish.vcl.j2') }}"
+  when: cvmfs_localproxy_type == 'varnish'
 
 # Need to double check that this actually works (see the hosts_file directive)
 # - name: Create squid hosts file

diff --git a/tasks/varnish.yml b/tasks/varnish.yml
@@ -0,0 +1,68 @@
+---
+- name: Determine Varnish version
+  ansible.builtin.shell: "varnishd -V 2>&1 | grep -oP 'varnish-\\d+\\.\\d+' | sed 's|varnish-||'"
+  changed_when: false
+  register: varnish_version_command
+
+- name: Check if vmod-dynamic is already installed
+  ansible.builtin.stat:
+    path: "{{ cvmfs_varnish_vmod_dynamic_installed_file }}"
+  register: vmod_dynamic_installed
+
+- name: Check for which Varnish version vmod_dynamic was built
+  ansible.builtin.slurp:
+    src: "{{ cvmfs_varnish_vmod_dynamic_installed_file }}"
+  register: vmod_dynamic_installed_file
+  when: vmod_dynamic_installed.stat.exists
+
+- name: Set facts for installed Varnish version and the one used for the vmod_dynamic installation
+  ansible.builtin.set_fact:
+    varnish_version: "{{ varnish_version_command.stdout }}"
+    vmod_dynamic_varnish_version: "{{ '0' if not vmod_dynamic_installed.stat.exists else vmod_dynamic_installed_file['content'] | b64decode }}"
+
+- block:
+    - name: Download vmod_dynamic sources
+      ansible.builtin.get_url:
+        url: "https://github.com/nigoroll/libvmod-dynamic/archive/refs/heads/{{ varnish_version }}.tar.gz"
+        dest: /tmp/
+        mode: '0440'
+
+    - name: Extract vmod_dynamic tarball
+      ansible.builtin.unarchive:
+        src: "/tmp/libvmod-dynamic-{{ varnish_version }}.tar.gz"
+        remote_src: true
+        dest: /tmp/
+
+    - name: Run autogen.sh, configure, make, make install for vmod_dynamic
+      ansible.builtin.shell:
+        cmd: "./autogen.sh && ./configure && make && make install"
+        chdir: "/tmp/libvmod-dynamic-{{ varnish_version }}"
+        creates: "{{ cvmfs_varnish_vmod_dynamic_man_page }}"
+
+    - name: Log the varnish version for which vmod_dynamic was built to a file
+      ansible.builtin.copy:
+        content: "{{ varnish_version }}"
+        dest: "{{ cvmfs_varnish_vmod_dynamic_installed_file }}"
+        mode: 0644
+        owner: root
+        group: root
+
+    - name: Clean up source files
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      with_items:
+        - "/tmp/libvmod-dynamic-{{ varnish_version }}.tar.gz"
+        - "/tmp/libvmod-dynamic-{{ varnish_version }}"
+
+  when: not vmod_dynamic_installed.stat.exists or (vmod_dynamic_installed.stat.exists and vmod_dynamic_varnish_version != varnish_version)
+
+- name: Configure Varnish forward proxy
+  ansible.builtin.template:
+    src: "{{ _cvmfs_varnish_conf_src }}"
+    dest: "{{ cvmfs_varnish_conf_file }}"
+    backup: true
+    mode: 0644
+  notify:
+    - Restart varnish
+...
diff --git a/vars/debian.yml b/vars/debian.yml
@@ -7,6 +7,11 @@ cvmfs_squid_conf_file: /etc/squid/squid.conf
 cvmfs_squid_user: proxy
 cvmfs_squid_group: proxy
 
+cvmfs_varnish_service_name: varnish
+cvmfs_varnish_conf_file: /etc/varnish/default.vcl
+cvmfs_varnish_vmod_dynamic_installed_file: /usr/share/varnish/vmod_dynamic.installed
+cvmfs_varnish_vmod_dynamic_man_page: /usr/share/man/man3/vmod_dynamic.3
+
 cvmfs_packages:
   stratum0:
     - apache2
@@ -21,7 +26,6 @@ cvmfs_packages:
     - "{{ 'squid' if cvmfs_stratum1_squid else omit }}"
   stratum1-s3:
     - cvmfs-server
-  localproxy:
-    - squid
+  localproxy: "{{ ['varnish', 'libvarnishapi-dev', 'automake', 'make', 'pkg-config', 'libtool', 'python3-docutils'] if cvmfs_localproxy_type == 'varnish' else ['squid'] }}"
   client:
     - cvmfs
diff --git a/vars/redhat.yml b/vars/redhat.yml
@@ -7,6 +7,11 @@ cvmfs_squid_conf_file: /etc/squid/squid.conf
 cvmfs_squid_user: squid
 cvmfs_squid_group: squid
 
+cvmfs_varnish_service_name: varnish
+cvmfs_varnish_conf_file: /etc/varnish/default.vcl
+cvmfs_varnish_vmod_dynamic_installed_file: /usr/share/varnish/vmod_dynamic.installed
+cvmfs_varnish_vmod_dynamic_man_page: /usr/share/man/man3/vmod_dynamic.3
+
 cvmfs_dnf_repos:
   - name: cernvm
     description: CernVM packages
@@ -64,6 +69,6 @@ cvmfs_packages:
   stratum1-s3:
     - cvmfs-server
   localproxy:
-    - squid
+    - "{{ ['varnish', 'varnish-devel', 'automake', 'libtool', python-docutils'] if cvmfs_localproxy_type == 'varnish' else 'squid' }}"
   client:
     - cvmfs