varnishlog client IP problem via Apache SSL reverse proxy

Guillaume Quintard guillaume at varnish-software.com
Wed Aug 16 09:57:47 CEST 2017


At the risk of insisting, hitch is super easy to set up; once installed, you
just need to:
- Edit /etc/hitch/hitch.conf to
  - Set the front-end, usually *:443
  - Set the backend (where to send decrypted traffic), 127.0.0.1:8443
  - Set the pem-file line to point to a certificate
- Add "-a 127.0.0.1:8443,PROXY" to the Varnish command.

The Varnish part will be needed anyway if you want to use the proxy
protocol.

The docs here
https://docs.varnish-software.com/varnish-cache-plus/features/client-ssl/
can help you (except that the name of the package differs) but the crux of
it is really what I listed above.

So we can do better next time, what didn't you like about the info you got
about hitch?

-- 
Guillaume Quintard

On Aug 16, 2017 09:29, "Admin Beckspaced" <admin at beckspaced.com> wrote:

> Thanks a lot for your suggestion for using HaProxy ;)
>
> My thinking was just: why install another bit of software when apache is
> able to do the SSL termination.
> But like Andrei said, if traffic spikes hit, the apache runaround will not
> be the optimal solution.
>
> Do you guys have any recent up-to-date tutorials / howtos on setting up
> HaProxy as SSL terminator in front of varnish?
> also doing the SSL redirects ...
>
> Did look around for Hitch but wasn't very pleased with the info provided ;(
>
> Any hints are welcome & thanks for your help & replies ;)
>
> Greetings
> Becki
>
>
>
> On 15.08.2017 22:04, Jan Hugo Prins | BetterBe wrote:
>
>> I would not do it like that.
>> Better is to use something like Hitch or HaProxy (my preference) and put
>> that in front of Varnish.
>> Then HaProxy / Hitch can terminate all SSL traffic, and HaProxy can also
>> do your redirect to SSL if needed.
>> Then in Varnish you use the Apache server as a backend and let it only
>> serve what it needs to serve.
>> Use the ProxyProtocol to send the client information from HaProxy to
>> Varnish.
>> In Varnish you need to put the client IP into the X-Forwarded-For header.
>> In Apache you can then use this header to have the real client IP address.
>>
>> This way you have the real client IP information on all layers.
>>
>> Jan Hugo Prins
>>
>>
>>
>
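
The PROXY protocol mentioned in this thread prepends the original client address to the decrypted stream, ahead of the HTTP request. As an added illustration (not part of the thread, and not Varnish or Hitch code), here is a Python parser for the text-based version 1 header; the addresses and the `SAMPLE` bytes are constructed.

```python
# Added illustration: PROXY protocol v1 header parsing. Not Varnish or Hitch code.
import ipaddress
from typing import NamedTuple, Optional, Tuple

MAX_V1_HEADER = 107  # longest v1 line the protocol allows, CRLF included


class ProxyInfo(NamedTuple):
    family: str
    src_ip: str      # real client address, as seen by the TLS terminator
    src_port: int
    dst_ip: str      # address the client connected to
    dst_port: int


def _port(text: str) -> int:
    if not text.isdigit() or int(text) > 65535:
        raise ValueError("bad port: %r" % text)
    return int(text)


def parse_proxy_v1(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Return (info, payload after the header).

    info is None for "PROXY UNKNOWN"; the receiver then keeps the TCP peer
    address. Malformed input raises ValueError so the connection can be
    dropped rather than logged with a guessed client IP.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no CRLF within the first 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("stream does not start with a PROXY v1 line")
    if fields[1] == "UNKNOWN":
        return None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("bad protocol or field count")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if {src.version, dst.version} != {4 if fields[1] == "TCP4" else 6}:
        raise ValueError("address family does not match " + fields[1])
    info = ProxyInfo(fields[1], str(src), _port(fields[4]), str(dst), _port(fields[5]))
    return info, rest


# Constructed sample: what a listener started with ",PROXY" would receive.
SAMPLE = (b"PROXY TCP4 203.0.113.7 198.51.100.20 51234 443\r\n"
          b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
```

The receiver trusts whatever address this line carries, which is why the listener in the message above is bound to 127.0.0.1 rather than a public interface.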