Before Varnish : 
client –http port tcp 80 –>  Apache Web Server

After Install Varnish : 
client –http port tcp 80 –> Varnish – http port tcp 8088 ->  Apache Web Server

Setup varnish repo :
[root@centos ~]# wget http://repo.varnish-cache.org/redhat/varnish-3.0/el6/noarch/varnish-release/varnish-release-3.0-1.el6.noarch.rpm
[root@centos ~]# rpm –nosignature -i varnish-release-3.0-1.el6.noarch.rpm

Install Varnish and Apache :
[root@centos ~]# yum install varnish -y
[root@centos ~]# yum install httpd -y

chkconfig for start at boot :
[root@centos ~]# chkconfig –level 345 varnish on
[root@centos ~]# chkconfig –level 345 httpd on

Configure apache to listen to port 8088 :
[root@centos ~]# vi /etc/httpd/conf/httpd.conf

Modify below :
change :
Listen 80

to
Listen 8088

Configuring Varnish Cache:
[root@centos ~]# vim /etc/sysconfig/varnish

========================== Config Varnish Start =================

# Configuration file for varnish
#
# /etc/init.d/varnish expects the variable $DAEMON_OPTS to be set from this
# shell script fragment.
#

# Maximum number of open files (for ulimit -n)
NFILES=131072

# Locked shared memory (for ulimit -l)
# Default log size is 82MB + header
MEMLOCK=82000

# Set this to 1 to make init script reload try to switch vcl without restart.
# To make this work, you need to set the following variables
# explicit: VARNISH_VCL_CONF, VARNISH_ADMIN_LISTEN_ADDRESS,
# VARNISH_ADMIN_LISTEN_PORT, VARNISH_SECRET_FILE, or in short,
# use Alternative 3, Advanced configuration, below
RELOAD_VCL=1

# This file contains 4 alternatives, please use only one.
DAEMON_OPTS=”-a :80 \
-T localhost:6082 \
-f /etc/varnish/default.vcl \
-S /etc/varnish/secret \
-s malloc,1G”

========================== Config Varnish End  =================

Add the following in /etc/varnish/default.vcl :
[root@centos ~]# vim /etc/varnish/default.vcl

===== config default.vcl start =======

# This is a basic VCL configuration file for varnish. See the vcl(7)
# man page for details on VCL syntax and semantics.
#
# Default backend definition. Set this to point to your content
# server.
#
backend default {
.host = “127.0.0.1”;
.port = “8088”;
}

# Respond to incoming requests
sub vcl_recv {
# Set the director to cycle between web servers.
#set req.backend = web_director;

if (req.url ~ “^/server_status\.php$”) {
return (pass);
}

# Always cache the following file types for all users.
if (req.url ~ “(?i)\.(png|gif|jpeg|jpg|ico|swf|css|js|html|htm)(\?[a-z0-9]+)?$”) {
unset req.http.Cookie;
}
}

sub vcl_hash {
}

# Code determining what to do when serving items from the Apache servers.
sub vcl_fetch {
# Don’t allow static files to set cookies.
if (req.url ~ “(?i)\.(png|gif|jpeg|jpg|ico|swf|css|js|html|htm)(\?[a-z0-9]+)?$”) {
# beresp == Back-end response from the web server.
unset beresp.http.set-cookie;
}

# Allow items to be stale if needed.
set beresp.grace = 6h;
}

## Deliver

sub vcl_deliver {

## We’d like to hide the X-Powered-By headers. Nobody has to know we can run PHP and have version xyz of it.
remove resp.http.X-Powered-By;
}

===== config default.vcl End =======

Start Varnish and Apache
[root@centos ~]# service varnish start
Starting Varnish Cache: [ OK ]
[root@centos ~]# service httpd restart
Starting httpd: [ OK ]

verify Port Service varnish and Apache :
[root@centos ~]# netstat -plunt | grep :80

tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 6054/httpd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 8507/varnishd
tcp 0 0 0.0.0.0:8081 0.0.0.0:* LISTEN 6054/httpd
tcp 0 0 0.0.0.0:8088 0.0.0.0:* LISTEN 6054/httpd
tcp 0 0 :::80 :::* LISTEN 8507/varnishd

Verify the Varnish run Reverse Proxy for  pache the following command.

[root@centos ~]# curl -I http://blog.thaieasydns.com

HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
X-Pingback: http://blog.thaieasydns.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Content-Length: 32942
Date: Wed, 10 Jun 2015 06:25:01 GMT
X-Varnish: 1112037056
Age: 0
Via: 1.1 varnish
Connection: keep-alive

ApacheBench performance test without Varnish Cache

[root@centos ~]# ab -k -n 1000 -c 50 http://blog.thaieasydns.com:8088/

This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking blog.thaieasydns.com (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests
Server Software: Apache/2.2.15
Server Hostname: blog.thaieasydns.com
Server Port: 8088

Document Path: /
Document Length: 0 bytes

Concurrency Level: 50
Time taken for tests: 7.485 seconds
Complete requests: 1000
Failed requests: 0
Write errors: 0
Non-2xx responses: 1000
Keep-Alive requests: 1000
Total transferred: 336512 bytes
HTML transferred: 0 bytes
Requests per second: 133.59 [#/sec] (mean)
Time per request: 374.270 [ms] (mean)
Time per request: 7.485 [ms] (mean, across all concurrent requests)
Transfer rate: 43.90 [Kbytes/sec] received

Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 0.5 0 5
Processing: 30 163 493.4 97 6860
Waiting: 30 163 493.4 97 6859
Total: 30 163 493.9 97 6864

Percentage of the requests served within a certain time (ms)
50% 97
66% 105
75% 114
80% 122
90% 139
95% 156
98% 1758
99% 2905
100% 6864 (longest request)

ApacheBench performance test with Varnish Cache

[root@centos ~]# ab -k -n 1000 -c 50 http://blog.thaieasydns.com/

This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking blog.thaieasydns.com (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests
Server Software: Apache/2.2.15
Server Hostname: blog.thaieasydns.com
Server Port: 80

Document Path: /
Document Length: 32942 bytes

Concurrency Level: 50
Time taken for tests: 0.408 seconds
Complete requests: 1000
Failed requests: 0
Write errors: 0
Keep-Alive requests: 1000
Total transferred: 33494360 bytes
HTML transferred: 33205075 bytes
Requests per second: 2449.02 [#/sec] (mean)
Time per request: 20.416 [ms] (mean)
Time per request: 0.408 [ms] (mean, across all concurrent requests)
Transfer rate: 80105.74 [Kbytes/sec] received

Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 1.2 0 7
Processing: 1 13 32.6 4 251
Waiting: 0 10 32.7 1 247
Total: 1 13 33.7 4 256

Percentage of the requests served within a certain time (ms)
50% 4
66% 4
75% 4
80% 5
90% 25
95% 46
98% 182
99% 183
100% 256 (longest request)

Complete !!!!

#ATA66
hdparm -Tt /dev/hdc
/dev/hdc:
Timing cached reads: 1200 MB in 2.00 seconds = 598.89 MB/sec
Timing buffered disk reads: 82 MB in 3.03 seconds = 27.10 MB/sec

#ATA100
hdparm -Tt /dev/hda
/dev/hda:
Timing cached reads: 1036 MB in 2.00 seconds = 516.79 MB/sec
Timing buffered disk reads: 146 MB in 3.04 seconds = 48.10 MB/sec
if new SATAII better than not forget set mode AHCI in bios and set jumper on Harddisk
speed up within interface but disc is slow.

#SATAII
hdparm -t /dev/sda
/dev/sda:
Timing cached reads: 2572 MB in 2.00 seconds = 1287.07 MB/sec
Timing buffered disk reads: 236 MB in 3.02 seconds = 78.06 MB/sec

vi /etc/ssh/sshd_config

change line below :
PermitRootLogin yes

yes = Allow first login to root
no = Deny root login Before user login after user root login

input line in file : /etc/sysctl.conf
if error message on dmesg and message file

Nov 2 17:07:20 server kernel: printk: 153 messages suppressed.
Nov 2 17:07:20 server kernel: Neighbour table overflow.
#fixed Error : Neighbour table overflow.
net.ipv4.neigh.default.gc_thresh1 = 4096
net.ipv4.neigh.default.gc_thresh2 = 8192
net.ipv4.neigh.default.gc_thresh3 = 8192
net.ipv4.neigh.default.base_reachable_time = 86400
net.ipv4.neigh.default.gc_stale_time = 86400

apply config sysctl above :
sysctl -p

ตรวจสอบว่ามีคนส่ง syn เข้ามาเพื่อขอติดต่อแต่ละ ip เป็นจำนวนเท่าไหร่ หากเกิน 10 ก็ให้ทำการ block ได้เลย
# netstat -ntu | grep SYN_RECV | awk “{print $5}” | cut -d: -f1 | sort | uniq -c | sort -nr
ตรวจสอบว่าแต่ละ ip connect server กี่ connection ไม่ควรเกิน 10-20 connection ต่อ ip
# netstat -ntu | grep ESTABLISHED | awk “{print $5}” | cut -d: -f1

Protect important file and folder with rm command

cd /root/installed/
wget http://linux.thaieasydns.com/downloads/safe-rm-0.9.tar.gz

tar -zxvf safe-rm-0.9.tar.gz
cd safe-rm-0.9
cp safe-rm /usr/local/bin/
cd /usr/local/bin/
ln -s safe-rm rm

create file config /etc/safe-rm.conf
vim /etc/safe-rm.conf

input line below :
/root/test/test

:wq!

test delete from list above :

rm -rf /root/test/test
safe-rm: skipping /root/test/test

comment : if protect folder /root/test
config on safe-rm.conf 
/root/test   !!!! not use /root/test/
if protect all file in /root/test/  use /root/test/* but protect sub file on folder /root/test/xxx/*

rm -rf /root/test/
safe-rm: skipping /root/test/

rm -rf /root/test
safe-rm: skipping /root/test

Success…

Before Apply Solution

client --http port tcp 80 -->  Apache Web Server

After Apply Solution

client --http port tcp 80 --> Nginx - http port tcp 8080 ->  Apache Web Server
Server OS :Centos

– Install Apache
#yum install httpd httpd-devel -y

Configure the Reverse Proxy settings on Apache
#vim /etc/httpd/conf/httpd.conf

Listen 80
to
Listen 8080

NameVirtualHost *:80
to
NameVirtualHost *:8080

</VirtualHost>

#/etc/init.d/httpd restart

Install Nginx with yum
#yum install nginx -y

#vim /etc/nginx/nginx.conf

user nginx;
worker_processes  4;
error_log  logs/error.log crit;
#error_log  logs/error.log info;

}

and create virtual host on nginx

/etc/nginx/conf.d/yourdomainname.com.conf

server {
listen    80;
server_name  www.yourdomainname.com yourdomainname.com;
access_log off;
error_log  logs/www.yourdomainname.com-error_log crit;

proxy_set_header   Host   $host;
proxy_set_header   X-Real-IP  $remote_addr;
proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Install mod_rpaf
mod_rpaf will help Apache to know who connects to it (otherwise the only IP address you will see in your logs is 127.0.0.1):

mkdir /root/installed/
cd /root/installed/
wget https://github.com/y-ken/mod_rpaf/archive/master.zip
unzip master.zip
cd mod_rpaf-master/
apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c

#vim /etc/httpd/conf.d/rpaf.conf

LoadModule rpaf_module /usr/lib64/httpd/modules/mod_rpaf-2.0.so

#Reverse proxy
RPAFenable On
RPAFsethostname On
RPAFproxy_ips 127.0.0.1 Your_Real_Server_IP
#/etc/init.d/httpd restart

curl -I http://www.yourdomainname.com/

output :

HTTP/1.1 200 OK
Server: nginx

Complete!!!!!

example  :  HA Proxy user internet  access to http://10.1.228.137/  round robin to Web1 and Web2  with web server  session support

HAProxy: 10.1.228.137 port 80

Web2 : 10.1.228.53 port 80
install haproxy
wget http://blog.up2box.com/downloads/haproxy-1.4.20.tar.gz
Compile the sources with `make install`
#tar -zxvf  haproxy-1.4.20.tar.gz

#cd haproxy-1.4.20

#make install

#cp haproxy /usr/sbin/haproxy

+Download a sample config file
#wget http://blog.up2box.com/downloads/haproxy-standard.cfg -O /etc/haproxy.cfg
+Download a launcher
#wget http://blog.up2box.com/downloads/haproxy.init -O /etc/init.d/haproxy
+adjust the startup settings
#chmod +x /etc/init.d/haproxy
#chkconfig –add haproxy
#chkconfig haproxy on

vim /etc/haproxy.cfg

input line below :

listen webfarm 10.1.228.137:80
mode http
balance source
cookie JSESSIONID prefix
option httpchk HEAD /check.txt HTTP/1.0
option httpclose
option forwardfor
server web1 10.1.228.52:80 cookie A check
server web2 10.1.228.53:80 cookie B checkinstalled success

================
installed fail2ban
================
yum install -y fail2ban
vim /etc/fail2ban/fail2ban.conf             edit red word

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 629 $
#
[Definition]
# Option:  loglevel
# Notes.:  Set the log level output.
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
# Values:  NUM  Default:  3
#
loglevel = 3
# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#          Only one log target can be specified.
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log
# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock
=========================================
vim /etc/fail2ban/jail.conf   --> edit red word
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 617 $
#
# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1
# "bantime" is the number of seconds that a host is banned.
bantime  = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600
# "maxretry" is the number of failures before a host get banned.
# maxretry = 3
maxretry = 5
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto
# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
[ssh-iptables]
enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
logpath  = /var/log/sshd.log
maxretry = 5
[proftpd-iptables]
enabled  = false
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=ProFTPD, dest=you@mail.com]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6
# This jail forces the backend to "polling".
[sasl-iptables]
enabled  = false
filter   = sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, dest=you@mail.com]
logpath  = /var/log/mail.log
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".
[ssh-tcpwrapper]
enabled     = false
filter      = sshd
action      = hostsdeny
sendmail-whois[name=SSH, dest=you@mail.com]
ignoreregex = for myuser from
logpath     = /var/log/sshd.log
# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.
[apache-tcpwrapper]
enabled  = false
filter   = apache-auth
action   = hostsdeny
logpath  = /var/log/apache*/*error.log
/home/www/myhomepage/error.log
maxretry = 6
# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.
[postfix-tcpwrapper]
enabled  = false
filter   = postfix
action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
sendmail[name=Postfix, dest=you@mail.com]
logpath  = /var/log/postfix.log
bantime  = 300
# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 600 seconds (bantime).
[vsftpd-notification]
enabled  = false
filter   = vsftpd
#action   = sendmail-whois[name=VSFTPD, dest=you@mail.com]
action   = sendmail-whois[name=VSFTPD, dest=email_admin@domain.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 600
# Same as above but with banning the IP address.
[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=VSFTPD, dest=email_admin@domain.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 600
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
[apache-badbots]
enabled  = false
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
logpath  = /var/www/*/logs/access_log
bantime  = 172800
maxretry = 1
# Use shorewall instead of iptables.
[apache-shorewall]
enabled  = false
filter   = apache-noscript
action   = shorewall
sendmail[name=Postfix, dest=you@mail.com]
logpath  = /var/log/apache2/error_log
# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.
[ssh-ipfw]
enabled  = false
filter   = sshd
action   = ipfw[localhost=192.168.0.1]
sendmail-whois[name="SSH,IPFW", dest=you@mail.com]
logpath  = /var/log/auth.log
ignoreip = 168.192.0.1
# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# }
#
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.
[named-refused-udp]
enabled  = false
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
sendmail-whois[name=Named, dest=you@mail.com]
logpath  = /var/log/named/security.log
ignoreip = 168.192.0.1
# This jail blocks TCP traffic for DNS requests.
[named-refused-tcp]
enabled  = false
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
sendmail-whois[name=Named, dest=you@mail.com]
logpath  = /var/log/named/security.log
ignoreip = 168.192.0.1=========================
iptables config for support fail2ban

=========================

start fail2ban :

/etc/init.d/fail2ban start

or

service fail2ban start

service start when Linux boot :

chkconfig fail2ban on

note : fail2ban blocked public ip user ftp when login fails 5 time  and block time 600 seconds.
with fail2ban automatic add rule on iptables below :
iptables -N fail2ban-VSFTPD

iptables -I INPUT -p tcp -m tcp --dport 21 -j fail2ban-VSFTPD
when user ftp login fails 5 time  . fail2ban add rule below:

iptables -t filter -I fail2ban-VSFTPD 1 -s public_ip_user_ftp_fails -j DROP
Good Luck. fail2ban can apply to ssh , apache and other services with plus Security policy blocked hacker login fails.