Best practice for SSL passthrough?

Lars Jørgensen lajo at kb.dk
Mon Jun 20 11:20:02 CEST 2011


>> Is that how it works? That seems pretty neat because then I can cache https
>> requests too.

>Yup, that's it exactly. And Nginx is pretty performant as well, so it completes Varnish in that matter.

Great, I'll probably look into it.

So far I've found out that https is only really used in a redirect during login, and after that it's straight back to http. I have therefore no need to cache encrypted pages. If I can avoid learning new tech (nginx), I would prefer it at this point. So I did this:

backend default {
  .host = "1.2.3.62";
  .port = "80";
}

backend default_ssl {
  .host = "1.2.3.62";
  .port = "443";
}

sub vcl_recv {
  if (server.port == 443) {
    set req.backend = default_ssl;
    return(pipe);
  } else {
    set req.backend = default;
  }
  .
  .
  .
}

But it doesn't work, all I get is this:

   15 SessionOpen  c 10.6.0.18 52617 :443
   15 Debug        c herding

   15 SessionClose c timeout
   15 StatSess     c 10.6.0.18 52617 0 1 0 0 0 0 0 0
   15 SessionOpen  c 10.6.0.18 52622 :443
   15 Debug        c herding

   15 SessionClose c timeout
   15 StatSess     c 10.6.0.18 52622 0 1 0 0 0 0 0 0

Am I doing something obviously wrong? Is "server.port" not available in 3.0? I tried putting a std.log("HTTPS"); in the backend select statement above, but it doesn't get logged. Looks like that if-statement is wrong?


-- 
Lars
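
Added illustration, not part of Lars's message and not Varnish project code: Varnish 3.0 accepts only plaintext HTTP, so a client connecting to :443 opens with a TLS ClientHello and no request ever reaches vcl_recv, which is consistent with the SessionOpen/timeout log above. The Python sketch below classifies a connection's first bytes; the function names and sample bytes are constructed for this example.

```python
import struct

HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}
TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
MAX_RECORD = 2 ** 14   # largest plaintext TLS record payload


def constructed_client_hello() -> bytes:
    """Build a minimal TLS 1.0 ClientHello record (constructed sample)."""
    body = (b"\x03\x01" + bytes(32)      # client version, 32-byte random
            + b"\x00"                    # empty session id
            + b"\x00\x02\x00\x2f"        # one cipher suite
            + b"\x01\x00")               # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the first bytes a client sent."""
    if len(data) >= 5 and data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        (length,) = struct.unpack("!H", data[3:5])  # record header: type, version, length
        if 0 < length <= MAX_RECORD:
            return "tls"
    line, sep, _ = data.partition(b"\r\n")
    parts = line.split(b" ")
    if sep and len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/"):
        return "http"
    return "unknown"


def plaintext_listener_outcome(data: bytes) -> str:
    """Simplified model of an HTTP-only listener: it needs a full header block."""
    if classify_first_bytes(data) == "http" and b"\r\n\r\n" in data:
        return "request parsed"
    # A TLS client now waits for a ServerHello that never comes.
    return "no request; session idles until timeout"


if __name__ == "__main__":
    samples = {
        "https client": constructed_client_hello(),
        "http client": b"GET /login HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    }
    for name, first in samples.items():
        print(name, "->", classify_first_bytes(first), "/", plaintext_listener_outcome(first))
```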



