S3 Caching with Wasabi and Varnish Software

Written by Brian Stewart | 7/10/25 5:45 AM

The point of this blog is to demonstrate how to position Varnish Enterprise in front of a Wasabi S3 bucket. If you aren’t familiar with Wasabi, they are a cloud compatible S3 storage provider known for performance, reliability, and cost-effectiveness. We are teaming up with them to show how Varnish can be an effective cache for their storage buckets, leading to faster delivery. This demo will use some Enterprise only features, so if you don’t have an Enterprise account, you can reach out to sales. We’re going to set up a bucket, upload some files, create a user and access keys, and then configure Varnish to pull from the bucket. Let’s get started!

Creating a Bucket

For this demo I used a Wasabi free trial, but whether you are using a free account or paid, this demo should work for you. The first step once you are logged in is to click on Buckets in the Menu section to the left and then click Create Bucket in the top right corner.

Pick a super cool name like I did, a region that makes sense to you, and then click Next.

For steps 2-6, I left all options as the default, but enabling them won’t stop this from working.

Now that we have a Bucket, let’s add some files! Click on your newly generated Bucket, and then Upload Files in the top right. If you already have a suite of folders and objects you would like to add, just drag them in.

Creating a User and Group

Now that we have a Bucket, we need a User and Group so that we can set permissions and grant access as needed. Lets start with a User, so go to the Users section in the Menu and hit Create User in the top right.

Once you have made an equally creative name as your Bucket, you can decide what Type of Access to grant. I chose Programmatic as I didn’t want to have to make and remember any more passwords, but for purposes other than a demo, your system admins or security folks would probably not recommend doing this. After hitting Next, I chose to Create a New Group with another awesome and unique name (don’t forget to hit save).

After moving to step 3, Policies, I decided to give WasabiReadOnlyAccess. AdministratorAccess and WasabiFullAccess were tempting, but the goal of this demo is to show how Varnish can Cache Wasabi S3 buckets and more access seemed unnecessary.

After that, we’ll have made our User and Group and should see the Created Access Key! Don’t lose this as we will need both the Access Key and Secret Key very soon. I’m sharing it here in the picture below but I’ve also deleted them before this demo will go live, so it doesn’t matter for me. If you’re reading this, you probably already know not to share these with strangers anyways…

If we go to Access Keys in the Menu, we should see brians-user or whatever you named your User shown in the Access Keys List.

Assigning our User/Group/Access Key to our Bucket

We made a lot of stuff, now let's get them to work together. Let’s go back to Buckets, click on the three dots below Actions for the bucket we made, and then click Settings. We want to change the Permissions, so go there and hit Edit.

To make it easy you can copy and paste this in, but you will need to make two important changes for the parts in red!

  
    
    
    
    
      {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::100000353577:user/brians-user"
      },
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "arn:aws:s3:::brians-test-bucket"
    }
  ]
}
    

First, you will want to use the AWS arn for the user you just made, so go to Users in the Menu, and throw that in your Bucket Policy.

You will also want to use the arn for your bucket in the Resource section. That should be on the same page as the Bucket Policy though, so it’s easy to grab.

When that’s done, you should see that the Bucket Policy is valid, so go ahead and hit Save.

We should now be able to Read from this bucket using these access keys, so let’s give them to Varnish and see if it works!

Setting up Varnish

Assuming you are using the default vcl file name and location, we want to edit our default.vcl file to look like this:

  
    
    
    
    
      vcl 4.1;

import s3;
backend default none;

sub vcl_init {
        new bucket = s3.director("brians-test-bucket", "us-west-1", "s3.us-west-1.wasabisys.com");
        bucket.set_access_key("kOYe2VquOJEdvvqRAB4r4VH51gBRC0hH90kj06z1", "1V1WNWLW1V67E2721ZKV");
}

sub vcl_recv {
        # Remove the query string from the URL, remove cookies, remove authorization headers
        set req.url = regsub(req.url, "\?.*$", "");
        unset req.http.Cookie;
        unset req.http.Authorization;
        # Request method options
        if (req.method != "GET" && req.method != "HEAD") {
                return (synth(405, "Method Not Allowed"));
        }
}

sub vcl_backend_fetch  {
        set bereq.backend = bucket.backend();
}

sub vcl_backend_response {
        if (beresp.status == 200) {
                set beresp.ttl = 600s;
                set beresp.grace = 1s;
                set beresp.keep = 1y;
        } else {
                set beresp.ttl = 5s;
                set beresp.grace = 0s;
        }
}
    

Once more, there are a few things you will want to change, but for ease, I made them red up above.

In vcl_init, we are initializing the backend for Varnish to pull from, so instead of “brians-test-bucket” and “us-west-1”, you will want to put your bucket name, and the region it is located in. The Service URL also changes for Wasabi based on Region, so depending on where your bucket is, change the third value in that line according to this documentation page. Remember earlier when I mentioned to save the credentials for our user? Because you will need them now, so enter your own “secret-key” and then “access-key” in the line below. Finally, you can change the ttl or time to live value for your objects in sub vcl_backend_fetch as needed. I have this as 600s or ten minutes, but it can be as long or short as you want. You can also use m for minutes, h for hours, or y for years if that’s easier for you.

Once that’s done, you can restart varnish, and you should be able to fetch from your bucket!

  
    
    
    
    
      root@wasabi-test:~# curl localhost/brians-test-bucket/100k/chunk_2.ts -i
HTTP/1.1 200 OK
Content-Length: 102400
Content-Type: video/mp2t
Date: Fri, 07 Feb 2025 00:46:36 GMT
ETag: "4c6426ac7ef186464ecbb0d81cbfcb1e"
Last-Modified: Wed, 05 Feb 2025 23:38:02 GMT
Server: WasabiS3/7.21.4959-2025-01-14-7f367e51f7
x-amz-id-2: 6DqMFawth43QoQM8+Lvj9VbtP0P+dY0w2qkivQ6n6U1JYFdEc9ldDGljaL0OeS5HbaOYVmc6WYA8
x-amz-request-id: E848853DC1E7FD3B:B
x-wasabi-cm-reference-id: 1738889196640 38.146.40.103 ConID:2465942173/EngineConID:23224110/Core:65
X-Varnish: 32774 3
Age: 587
Via: 1.1 varnish (Varnish/6.0)
Accept-Ranges: bytes
Connection: keep-alive
    

We can see we got a 200 (phew), headers from Wasabi, headers from Varnish, and the Age of our object. It works!

Adding Persistent Storage

Working is fine, but lets scale this up and add some persistent disk storage. This will let us cache way more objects than just using memory, and keep our objects cached in the event we need to restart Varnish. You can read the docs for the Massive Storage Engine or MSE4 here if you have questions I don’t cover.

First thing we want to do is create a file called mse4.conf at /etc/varnish with the following content:

  
    
    
    
    
        env: {
        books = ( {
                id = "book";
                filename = "/var/lib/mse/disk/book";
                size = "1G";

                stores = ( {
                        id = "store";
                        filename = "/var/lib/mse/disk/store";
                        size = "100G";
                } );
        } );
   };
    

As you might already have guessed, you should adjust the size of the book and store to fit your instance. The book stores the metadata for each object and is how Varnish finds each object cached on disk, so it can be a lot smaller than your store size. A general rule of thumb is 8G will be plenty of space for even multiple Terabyte disks, but the documentation example is 5g and 2048G for the book and store respectively. I am using a super small Digital Ocean instance just for the sake of this demo, so I am just using 1G and 100G just as an example.

We also need to have the mounting points we just declared in the conf file, so go ahead and create the directory paths:

  
      $ mkdir /var/lib/mse
$ mkdir /var/lib/mse/disk

After that, we want to run the command below, and you should see the following output:

  
    
    
    
    
      root@wasabi-test:~# sudo mkfs.mse4 -c /etc/varnish/mse4.conf configure
Info:    [book,"book",/var/lib/mse/disk/book] Configure book
Info:    [book,"book",/var/lib/mse/disk/book] Creating new book
Info:    [book,"book",/var/lib/mse/disk/book] File created
Info:    [book,"book",/var/lib/mse/disk/book] File initialized
Info:    [book,"book",/var/lib/mse/disk/book] Book configured
Info:    [store,"store",/var/lib/mse/disk/store] Configure store
Info:    [store,"store",/var/lib/mse/disk/store] Creating new store
Info:    [store,"store",/var/lib/mse/disk/store] File created
Info:    [store,"store",/var/lib/mse/disk/store] File initialized
Info:    [store,"store",/var/lib/mse/disk/store] Store associated with book
Info:    [store,"store",/var/lib/mse/disk/store] Store configured
Info:    [mkfs.mse4] Finished successfully
    

With our book and store configured, we just need to edit the Varnish daemon to use them. We want to change the -s parameter, and you can edit the daemon by running:

$ nano /etc/systemd/system/varnish.service

Look for the ExecStart section and modify it to look like:

  
    
    
    
    
      ExecStart=/usr/sbin/varnishd \
          -a :80 \
          -a localhost:8443,proxy \
          -T localhost:6082 \
          -S /etc/varnish/secret \
          -p feature=+http2 \
          -r vcc_allow_inline_c \
          -r allow_exec \
          -f /etc/varnish/default.vcl \
          -s mse4,/etc/varnish/mse4.conf
ExecReload=/usr/sbin/varnishreload
    

Our last step is to restart the system daemon, and restart Varnish. We can then look at the status of Varnish and see our changed -s parameter, which I made red below:

  
    
    
    
    
      root@wasabi-test:~# systemctl daemon-reload
root@wasabi-test:~# systemctl restart varnish
root@wasabi-test:~# systemctl status varnish
● varnish.service - Varnish Cache Plus, a high-performance HTTP accelerator
     Loaded: loaded (/etc/systemd/system/varnish.service; enabled; preset: enabled)
     Active: active (running) since Fri 2025-02-07 21:52:59 UTC; 2s ago
    Process: 76874 ExecStart=/usr/sbin/varnishd -a :80 -a localhost:8443,proxy -T localhost:6082 -S /etc/varnish/secret -p feature=+http2 -r vcc_allow_inline_c -r allow_exec -f /etc/varnish/default.vcl -s mse4,/etc/varnish/mse4.conf (cod>
   Main PID: 76875 (varnishd)
      Tasks: 234
     Memory: 132.6M (peak: 230.4M)
        CPU: 769ms
     CGroup: /system.slice/varnish.service
             ├─76875 /usr/sbin/varnishd -a :80 -a localhost:8443,proxy -T localhost:6082 -S /etc/varnish/secret -p feature=+http2 -r vcc_allow_inline_c -r allow_exec -f /etc/varnish/default.vcl -s mse4,/etc/varnish/mse4.conf
             └─76897 /usr/sbin/varnishd -a :80 -a localhost:8443,proxy -T localhost:6082 -S /etc/varnish/secret -p feature=+http2 -r vcc_allow_inline_c -r allow_exec -f /etc/varnish/default.vcl -s mse4,/etc/varnish/mse4.conf
    

And just like that we are done. If you were following along, thanks for sticking with me, and congrats on setting up Varnish in front of Wasabi!

View full post