Well, I'm running Varnish on my webservers, primarily for performance reasons, although its load balancing features are handy as well.
My use case is caching in front of Django-based websites, and it does wonders for page loading performance. I'm able to serve most pages directly from cache and handle a flood of visitors with little trouble.
The reason I chose Varnish was mainly performance/scalability. The main points:
- Varnish lets the kernel manage virtual memory, whereas Squid tries to keep separate disk and memory caches, which can lead to the kernel and Squid squabbling a bit about what's to be paged out to disk.
- Varnish uses VCL, its own domain specific configuration language, which compiles down to machine code via C. That is a very real performance benefit if you have more than a little bit of logic in your configuration – conditional header stripping etc.
In my experience, Varnish performs a bit better than Squid in most cases, and a lot better on traffic spikes. On the other hand, configuring Varnish correctly is going to take some mailing-list-trawling, since there isn't as much ready-to-go-for-your-specific-use-case documentation floating around the net as there is for Squid – mainly due to Varnish being a fairly young project in comparison.
Here's what you should do to redirect the traffic from one host to another one on a specific port, please note that EVERY request for port 443 will be redirected to the host you are pointing to in iptables:
1) Open port 443 to traffic:
iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
2) Add specific rules to redirect incoming and outgoing data
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination ip.listening.to:443
iptables -t nat -A POSTROUTING -p tcp -d ip.listening.to --dport 443 -j MASQUERADE
3) Alternatively you can redirect the traffic that is coming from a specific host like:
iptables -t nat -A PREROUTING -s ip._not_.listening -p tcp --dport 443 -j DNAT --to-destination ip.listening.to:443
(This step is especially useful in case you want to handle port 443 on another client in your network)
4) Inform the kernel that you will accept IP forwarding
edit file /etc/sysctl.conf (or the one that suits your distro) and append (or change)
net.ipv4.ip_forward=1
and then issue the command
sysctl -p /etc/sysctl.conf (or the file that suits your distro)
I hope it helped
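The redirect from steps 2 to 4 as a reviewable dry run, added here as an example and not taken from any answer on this page: the functions validate the addresses and print the rule set instead of applying it, so it can be checked before it touches the firewall. The 192.0.2.x and 198.51.100.x addresses in the comments are documentation placeholders, and the FORWARD rule is an addition the answer above does not list.

```shell
#!/bin/sh
# Added example: build the port-443 DNAT redirect as text for review.
# Nothing here calls iptables; pipe the output to sh once it looks right.

# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Print the rules that send port-443 connections arriving at this box to $1
# (e.g. 192.0.2.10, a placeholder). With an optional $2 (e.g. 198.51.100.7,
# also a placeholder) only connections from that source are redirected, as in
# step 3; without it EVERY port-443 connection is redirected, as the answer warns.
redirect_443_rules() {
    dest="$1"; src="${2:-}"
    valid_ipv4 "$dest" || { echo "bad destination address: $dest" >&2; return 1; }
    if [ -n "$src" ]; then
        valid_ipv4 "$src" || { echo "bad source address: $src" >&2; return 1; }
        printf 'iptables -t nat -A PREROUTING -s %s -p tcp --dport 443 -j DNAT --to-destination %s:443\n' "$src" "$dest"
    else
        printf 'iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination %s:443\n' "$dest"
    fi
    # Rewrite the source so replies come back through this box (step 2).
    printf 'iptables -t nat -A POSTROUTING -p tcp -d %s --dport 443 -j MASQUERADE\n' "$dest"
    # Addition not in the answer: DNATed packets traverse FORWARD, so a
    # FORWARD policy of DROP would silently discard them without this rule.
    printf 'iptables -A FORWARD -p tcp -d %s --dport 443 -j ACCEPT\n' "$dest"
}

# Report the kernel's current ip_forward value (step 4): 1, 0, or "unknown".
ip_forward_state() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        echo unknown
    fi
}
```

Run `redirect_443_rules 192.0.2.10` to see the three rules; step 4 still has to be done with sysctl as described above, since a forward state of 0 means the DNATed traffic goes nowhere.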
Best Answer
The first thing to do is to see if Varnish sees the 500. If it does, it's either Varnish's fault or the fault of your backend. If it doesn't, you can concentrate on troubleshooting Pound.
To see what Varnish is doing when you're getting 500s, use varnishlog: