
Just stumbled upon this question the other day and was amazed by what ServerPilot has to say about Varnish:

ServerPilot does not recommend using Varnish.
This tutorial is provided for users who, for legacy reasons, require Varnish in their application stack. Varnish misconfiguration can result in security and performance problems as well as downtime on your server. Please be careful!

A total disaster of a statement? Not exactly.

An effing disaster of a statement

It is obvious that ServerPilot can’t support Varnish because its configuration may not always be trivial. And when you introduce Varnish to your stack, you quickly realize that you have to get rid of ServerPilot. They only want to save their butt and get around by lying.

Instead of mentioning that they can’t support Varnish because their product is too simple / underdeveloped, they totally mislead and lie to all of their clients by introducing “legacy reasons” for not using Varnish.

Varnish for legacy reasons

How can using Varnish be a legacy reason, if Varnish is a relatively new HTTP caching proxy? Making your web application fast is a legacy reason? I don’t think so. You will agree with me.

Security problems

Varnish is mostly as secure as the HTTP protocol, since that’s the level where it operates. It is a transparent HTTP proxy and there are no known security threats from running it.

Performance problems

Varnish is designed to make your web site faster by storing its full page cache in RAM. No comments here.


Downtime

When you configure your server with a new application stack, downtime is inevitable. The same applies to ServerPilot – some downtime is to be expected when you let them provision your server for the first time.

Now, let’s quickly review ServerPilot itself.

#1. ServerPilot is insecure

ServerPilot has access to your server. You entrust your server data to the hands of a company that gets around by lying to its clients. Do you feel safe?

#2. ServerPilot is insecure

ServerPilot does not use standard operating system packages, and naturally their packages will nearly always be less secure than those provided by the operating system.

#3. ServerPilot is insecure

I had to say it the magic 3 times in the hope that my wish comes true and ServerPilot is gone. If ServerPilot is so insecure about Varnish, they should be gone.

Now let’s make things right and provide the correct statement:

We do not recommend using ServerPilot.
This article is provided for users who, for legacy reasons, have been using ServerPilot. The use of ServerPilot can and will result in security and performance problems as well as downtime on your server. Please be careful!

  1. eric

    Hey man, first of all thank u for shining some light on this product. I never liked having to log in to their website to be able to manage my server. What do u think about EasyEngine? Would love to hear ur thoughts. Oh and one more thing: what happens after u finish with the Citrus Stack in a small VPS (10 dollars) and then u want to upgrade to a more powerful one? Will u need to reconfigure some things or will the old configuration simply make use of the additional resources? Cheers

    • Danila Vershinin

      I can’t say much about EasyEngine as I didn’t try it. But as I know:

      • They are not a fan of Varnish (just because they don’t want to learn it), which is quite silly. Varnish has beautiful VCL which allows you to configure caching in any way you want. Nginx fastcgi cache is OK but it is not even nearly as flexible as Varnish VCL.
      • It is Ubuntu only (again, just what I’ve heard)

      Yes, further fine-tuning is required upon server upgrade: namely PHP max_children, Varnish cache size, MySQL buffers, etc. so that they can use increased RAM better.

