Please pardon our dust! We're in the process of renaming xVarnish to Cachewall. This document and our RPM packages continue to refer to the xVarnish name. They will be updated in the near future.


xVarnish is a feature-rich software package providing simple management of Varnish Cache, the open source high-performance HTTP accelerator developed by Poul-Henning Kamp and Varnish Software.

The xVarnish control panel software has been created for use with cPanel on shared web hosting servers, but we hope that it is useful to others in any similar applications. Work is underway to support non-cPanel systems and alternative backends, such as LiteSpeed and Nginx.

Features of xVarnish include:

xVarnish is production-ready for all cPanel versions and provides an immediate, significant improvement in website performance. While it's heavily dependent on traffic characteristics, we've seen numerous cases where CPU utilization by PHP/CGI scripts is reduced by over 50% - without negatively impacting website visitors!

The xVarnish software has been under active development and used in production shared web hosting since 2014.

Interface Screenshots

xVarnish Cachewall dashboard for Varnish Cache Purged cached files by pattern matching in Varnish Cache Ratelimit website requests with Cachewall for Varnish Cache Cachewall ratelimit rule creation for Varnish Cache Cachewall WAF Challenge bypass CAPTCHA example Cachewall Varnish Cache configuration management
Exclusions for Varnish Cache Create an exclusion for Varnish Cache Request pattern matching for Cachewall Varnish Cache Update Cachewall xVarnish Configure custom error pages for Varnish Cache Configure custom error pages for Varnish Cache


We are currently providing limited support while we work on our next update. Thank you for your patience.

Latest Version: Release 0.36.2, January 6th, 2018 - Changelog is available here.

January 4th, 2018 - Happy New Year! We have a number of updates coming soon.

April 18th, 2017 - We've started gathering help documentation for our knowledge base at Feel free to send any suggestions if there's a feature you'd like to see explained in-depth.

February 20th, 2017 - A significant update 0.31.9999 is available on the xvarnish-edge repository which includes the Cachewall rename for the interfaces.  There are quite a few changes in this version, particularly with HTTPS support. Please give it a try today and report any discovered problems. This version is being prepared for the xvarnish-release tier and it will be moved there in the coming days, bar the discovery of any significant problems. The changelog has been updated with some additional details.

February 20th, 2017 - We've renamed xVarnish to Cachewall to better align with our vision and future plans for the software. The new name will be rolled out in two phases: Initially for the WebHost Manager and cPanel interfaces, and later for the packaging, system paths, and the xvctl command line tool. You'll now find Cachewall listed in the Plugins section of WebHost Manager starting with xVarnish 0.31 and higher.

January 18th, 2016 - Our latest update is now available on the edge repository.  There is a significant amount of work involved in this update and you may see some rough edges in the user interface.

December 20th, 2016 - xVarnish 0.30.5 is now available.  All users on the release repository are recommended to update as soon as possible.  This update fixes an important issue within the healthcheck (xvhealth) service.

December 13th, 2016 - xVarnish 0.30.2 is now available on the release repository, and 0.30.1 has been moved to the stable repository.
December 2nd, 2016 - xVarnish 0.30 is now available on the release repository. Please see the changelog.

Installation and Upgrade

xVarnish is compatible with cPanel under both CentOS 6 and CentOS 7. The software may be installed in both dedicated and virtual server environments. xVarnish works with all cPanel versions, EasyApache 3, EasyApache 4 (see Note for EA4), and LiteSpeed WebServer.

CentOS 6:

yum install epel-release
curl -s | sudo bash
rpm --nosignature -i
yum install xvarnish

CentOS 7:

yum install epel-release
curl -s | sudo bash
rpm --nosignature -i
yum install xvarnish

Note for EA4: If you're using cPanel EasyApache 4 you should install the ea-apache24-devel cPanel package too. This provides apxs which is necessary to configure xVarnish mod_xvarnish for visitor IP address correction:. Use: yum install xvarnish ea-apache24-devel

Debug output may be enabled by specifying -v for xvctl, or by setting export LOG_ECHO=1.

Please don't hesitant to get in touch if you experience any problems. We will work with you to troubleshoot and promptly issue a bugfix if necessary.


To upgrade xVarnish, run:

yum update xvarnish

Using xVarnish

The installation provides a completely hand-free setup of your server for xVarnish and Varnish Cache.

You should now register on by entering your email address if you have not already done so. You will be immediately sent new account access information for the xVarnish license manager and after signing in, you can create a license key for any number of servers. There is no cost currently for using xVarnish on any number of servers, and when that changes there we will provide notification at least 2 months in advance. (Written June 2016)

Once you have your license key, run:

/usr/local/xvarnish/bin/activate --key KEY

xVarnish is not enabled automatically by default. Once you're ready you can simply access the xVarnish page under WebHost Manager to make the web server switch. You can run this right from the command line too:

xvctl enable xvarnish
xvctl enable https

During the enable process, Apache is moved to port 82 to serve as the backend for Varnish Cache, which then listens on HTTP port 80. A WebHost Manager plugin is installed for management and you may also use the xvctl utility (see xvctl --help), which has equivalent management functionality.

To install/update with the latest xVarnish testing release:

yum update xvarnish --enablerepo=xvarnish-edge

If you experience significant problems you may revert the system changes made by xVarnish and return to the normal Apache setup. To immediately disable xVarnish and Varnish Cache you may run either of the following commands.

xvctl disable xvarnish
bash /usr/local/xvarnish/bin/

If the script is lost on your serevr you may download it below (revert-apache.txt).


To remove xVarnish:

yum remove xvarnish xvarnish-vmods varnish
rm -rI /usr/local/xvarnish


Please see: Cachewall Technical Support Guide

Useful Files


Latest Changes

Release 0.36.3, 2017-01-08
- [Case 477] SSL certificates not updating automatically.

Release 0.36.2, 2018-01-06
- [Case 476] Additional cPanel 68 SSL change fix.

Edge 0.36.2, 2018-01-04
- [Case 467] Fixes for cPanel 68 SSL changes. Please test!

Edge 0.36.1
- [Case 445] Add stunnel as a package dependency.
- [Case 448] Fixed HTTP request matching for rule request patterns having the https:// scheme specified.
- [Case 455] Fixed 'Enable Cachewall' prompt standby indicator and navigation/dismissal disallow after submitting.
- [Case 456] Fixed UI not locking while Cachewall software is updating.
- [Case 457] Fixed 'Save Configuration' prompt submitting after pressing cancel button.
- [Case 458] Automatically update WebHost Manager plugin's AppConfig configuration.
- [Case 460] Add events to status history for Cachewall Enable and Disable procedures.
- [Case 461] Lock the UI while Cachewall is enabling and disabling.
- [Case 462] Fixed UI inconsistency after a failed Cachewall enable.
- [Case 463] Prevent Dashboard data polling from disrupting new WebHost Manager sessions.
- [Case 465] Gracefully handle failure loading or polling Dashboard data.
- [Case 466] Allow disabling Cachewall without --force when the configuration has it disabled.
- Updated hello message.
- Removed legacy xVarnish WebHost Manager link.
- Merged expanded-realtime; improved web traffic and statistics charts.
- Fixed potential ownership problem on /var/run/xvarnish.

Release 0.36, 2017-06-12
- [Case 451] Carry over customized TTL configuration option values to their new option names.

Edge 0.36, 2017-05-26
- [Case 449] Resolved WAF Traffic Analytics start failure if .xvbeat_registry is corrupted. ("Could not start registrar: Error decoding states: EOF")
- [Case 450] Updated hitch.service systemd unit from Type=forking to Type=simple, to capture standard output and error in journald.  (Should help troubleshoot cause of sporadic config reloads resulting in worker SIGABRT crashes.)
- [Case 463] Fixed Dashboard chart script error under Internet Explorer.

Edge 0.36, 2017-05-02
- Update to Varnish Cache 4.1.6.
- Improved handling of request and response Cache-Control. Cache objects are now updated when the Cache-Control no-cache directive is present.
- Automatically correct Hitch configuration CA chain certificate order if a bundle is found misordered. It appears cPanel Inc / COMODO AutoSSL CA bundles have this problem in particular.
- Added bin/ to simplify troubleshooting. Users can run this to gather Cachewall information and log files into a single tarball to provide for support. See:
- Added default PASS exclusion rule for request URL pattern: /.well-known/*
- Renamed option listen_address to frontend_http_address. (Varnish Cache listen interface address for incoming HTTP requests)
- Renamed option frontend_port to frontend_http_port. (Varnish Cache listen port number for incoming HTTP requests)
- Renamed option hitch_be_address to frontend_proxy_address. (Varnish Cache PROXY address for the Hitch backend)
- Renamed option hitch_be_port to frontend_proxy_port. (Varnish Cache PROXY port number for the Hitch backend)
- Renamed option hitch_fe_address to frontend_https_address. (Hitch listen interface address for incoming HTTPS requests)
- Renamed option frontend_port_https to frontend_https_port. (Hitch listen port number for incoming HTTPS requests)
- Merged option hitch_fe_port into frontend_https_port.
- Removed legacy unused options hitch_enable_ssl, hitch_enable_tls, sslproxy_be_port and sslproxy_fe_port.
- Renamed option dynamic to dynamic_ttl. (Cached object time-to-live for dynamic responses)
- Renamed option static to static_ttl. (Cached object time-to-live for static responses)
- Split option object_grace_period into static_grace and dynamic_grace, allowing independent control over grace periods.
- Fixed the frontend Hitch configuration not properly respecting the value of frontend_https_address.
- Added remaining network-related settings options to the WebHost Manager Configuration page and grouped network options separately.
- Returned the ability to automatically compress suitable response types. (See options gzip_responses and gzip_types)
- Added option gzip_responses. (Toggles automatic response compression)
- Added option gzip_types. (Plaintext responses with a Content-Type header matching this expression are compressed)
- Changed memory option type from string to integer. (Earlier versions allowed an 'M' suffix on the value)
- Fixed some advanced options displaying under Configuration when they shouldn't be.
- Fixed WebHost Manager plug-in opening in a new window in cPanel 64.

Release 0.35.6, 2017-04-07
- Also respect no-store and private response Cache-Control header value for option respect_response_cache_control.
- Fixed implementation of settings option respect_request_cache_control.

Release 0.34.4, 2017-04-06
- Fixed cPanel proxy subdomains redirecting to hostname + /cgi-sys/defaultwebpage.cgi with 'Require SSL' and 'Non-SSL redirect destination:  Hostname' configured.
- Fixed UnboundLocalError while generating HTTPS configuration if system hostname certificate is not installed.
- Fixed ordering of certificate private key in Hitch configuration PEM files.
- Fixed problem with static file objects having dynamic TTL applied.
- Fixed inaccurate service status details (dropdown) shown initially on Licensing page.

Release 0.34.3, 2017-03-30
- Fixed PHP templating error on the xVarnish rename intermediate page.

Release 0.34.2, 2017-03-29
- Fixed PHP templating error shown in the WebHost Manager plug-in (license.php) for new\unlicensed systems.

Release 0.34.1, 2017-03-29
- Added TLSv1.0 to the default TLS protocols in Cachewall option hitch_tls_protos (Hitch option tls-protos).
- Tweaked styling Dashboard real-time and donut chart styling.
- Fixed package version not showing in WebHost Manager plug-in page footers.
- Fixed Dashboard requests chart y-axis scale when a gap is found in the timeseries.
- Fixed Dashboard requests chart not remembering the last selected time period.
- Fixed cPanel proxy subdomain cPPHP wrapper when executed outside of cpsrv. ("Cannot execute $path or path resolves back to $0.")
- Fixed cPanel proxy subdomain redirect loop when 'Require SSL' is enabled in cPanel.
- Fixed HTTPS certificate validation of Punycode representations for Unicode internationalized domain names (IDNs).
- Fixed 301 and 302 status backend response caching (redirects); these always generated a hit-for-pass in earlier versions.
- Reduced response hit-for-pass object TTL from 120s to 60s.
- Improved HTTPS configuration handling; Notably, options defined in conf.d/default/hitch.conf are no longer overwritten.
- Improved Hitch service (EL6): Test start failures without -t or --daemon, ensuring stderr is available for review.
- Improved HTTPS port status check following a Cachewall update, enable, or disable. If backend is discovered listening on the Cachewall HTTPS port 445 and Cachewall HTTPS is disabled, cPanel option apache_ssl_port is set to HTTPS port 443 ( and httpd.conf rebuilt.

Release 0.34, 2017-03-20
- WAF Security Challenge redesign - Invisible reCAPTCHA!
- Updated default response template designs (error pages, ratelimit reached, WAF, etc).
- Resolved "Failed parsing last reload timestamp" Healthcheck errors.
- Removed unused sslproxy_online Healthcheck module that was missed in the previous update.
- Improvements to WAF traffic analysis.

Release 0.33, 2017-03-16
- Resolved fatal error shown while loading Error Pages in WebHost Manager and renamed this to Templates.
- Fixed cPanel Webmail (Horde, SquirrelMail) generating invalid URLs and/or using wrong HTTP/HTTPS port numbers.
- Removed legacy xvssl service.

Edge 0.32.1, 2017-03-13
- Added support for HTTP BAN requests.
- Fixed regex match condition for URL paths in HTTP PURGE requests.
- Fixed mod_xvarnish failing to correct the RewriteCond HTTPS variable for some HTTP requests.
- Resolved a problem that prevented the expiration of end-user Development Mode exclusion rules.

Stable 0.30.7, 2017-03-09
Changes since 0.30.6:
- Update Varnish Cache dependency to 4.1.5.

Edge 0.32.1, 2017-03-09
- Fixes for HTTPS support and Hitch configuration.

Release 0.32, 2017-02-23
No changes since Edge 0.31.

Edge 0.31, 2017-02-22
- Fixed opted-in domain management via prompt and misc UI cleanup.
- Fixed license activation required message not displaying on new installations.
- Fixed header X-Forwarded-For in new HTTPS implementation for websites hosted behind SSL/TLS terminating load balancers (Cloudflare, Cloudfront, etc).

Edge 0.31, 2017-02-20
This update has significant changes with respect to HTTPS, to resolve sporadic issues and also in preparation for HTTP/2. Please report any problems discovered. The initial update requires EPEL for the added Hitch dependency (yum update xvarnish --enablerepo=epel).

- Initial stage of project rename from xVarnish to Cachewall. See our news!
- Revamped WebHost Manager user interface.
- Varnish Cache 4.1.5; loosened Varnish Cache version dependency.
- Improved HTTPS support: Hitch updated to 1.4.4, removal of XVSSL service. This change requires mod_xvarnish to be enabled and loaded, otherwise the HTTPS feature will be disabled automatically.
- Ability to exclude requests from the web application firewall (WAF). Example: xvctl excludes create --type=waf PATTERN
- Improved flexibility of VCL request pattern matching via libvmod_header.
- Removed deprecated request headers added by xVarnish: XV-Connecting-IP, XV-Real-IP-Source
- Renamed xvctl excludes argument --return-action (-r) to --type (-t).
- Ability to specify multiple Varnish Cache storage backend specifications via configuration.
- Manage Opt-in Mode domains from the Dashboard.
- Improved Real-time Requests chart and Varnish Cache statistics tracking backend.
- Internal rework and cleanup.
- Dozens of other minor, miscellaneous enhancements and bugfixes.

Release 0.30.6, 2016-12-22
- Fixed redirect in WebHost Manager script addon_xvarnish.cgi for non-root users.

Release 0.30.5, 2016-12-20
- Fixed large number of open files by healthcheck logging introduced in 0.30.2. This problem may lead to the healthcheck failing to run additional checks after multiple days, all users are recommended to update.

Release 0.30.4, 2016-12-16
- Corrected permissions for mod_xvarnish httpd include file.

Release 0.30.3, 2016-12-15
- Fixed possible unbound variable while listing exclusions after having removed all rules.

Release 0.30.2, 2016-12-13
- Reliability improvements for xvbeat service handling and improved error logging and output.
- Healthcheck log messages are now always prefixed by the respective module name.
- Updated WAF traffic statistics (xvbeat) aggregation configuration.
- Improved logging and output handling.
- Miscellenous internal cleanup and reorganization.
- Fixed cPanel tailwatchd program path.
- Fixed error when the primary IP address cannot be determined using the cPanel mainip file.
- Fixed HTTPS (xvssl) failing on systems with IPv6 disabled (ipv6.disable=1).

Release 0.30.1, 2016-12-03
- Fixed hitch_online Healthcheck module failing port availability check.

Release 0.30, 2016-12-02
- Update to Varnish Cache 4.1.4. (
- Better detection of LiteSpeed Web Server and whether it is enabled.
- Fixes for HTTPS support (xvssl symlink target) in all environments (CentOS 6/7, EasyApache 3/4, LiteSpeed enabled/disabled).
- xVarnish settings option "Reject Unrecognized Names" (hitch_enable_sni_noabort_match) is now disabled by default. **
- The system hostname certificate is now sent for visitor HTTPS requests which specify a name that wasn't found in any installed certificate.
- Improvements and fixes fosyncsvnr upgrading xVarnish via the WebHost Manager plug-in or `xvctl check-updates|update`.
- All Varnish Cache (varnishd) parameters may now be specified via xVarnish option varnishd_sysconfig_extra.
- Fixed non-specific wildcard exclusion rules breaking exclusions.
- Fixed xvbeat systemd service unit PIDFile.
- Miscellaneous bugfixes.

**: In the past xVarnish configured Hitch to reject HTTPS requests in this situation by default (e.g., ERR_SSL_UNRECOGNIZED_NAME_ALERT). If this is behavior desired, you may enable option "Reject Unrecognized Names" under Configuration > Hitch - HTTPS Frontend.