varnishlog client IP problem via Apache SSL reverse proxy
Admin Beckspaced
admin at beckspaced.com
Wed Aug 16 12:30:46 CEST 2017
Thanks Guillaume,
will then have a look into the info you provided and report back if I
run into any trouble trying to set up hitch ;)
What's your recommendation of up-to-date documents on how to set up hitch
in front of varnish with multiple vhost SSL certificates?
So far I found:
https://github.com/varnish/hitch
https://hitch-tls.org/
Is there any docu elsewhere you can recommend?
Thanks a lot for your support!
Greetings
Becki
On 16.08.2017 09:57, Guillaume Quintard wrote:
> At the risk of insisting, hitch is super easy to set up, once
> installed, you just need to:
> - Edit /etc/hitch/hitch.conf to
>   - Set the front-end, usually *:443
>   - Set the backend (where to send decrypted traffic), 127.0.0.1:8443
>   - Set the pem-file line to point to a certificate
> - Add "-a 127.0.0.1:8443,PROXY" to Varnish command.
>
> The Varnish part will be needed anyway if you want to use the proxy
> protocol.
>
> The docs here
> https://docs.varnish-software.com/varnish-cache-plus/features/client-ssl/
> can help you (except that the name of the package differs) but the
> crux of it is really what I listed above.
>
> So we can do better next time, what didn't you like about the info you
> got about hitch?
>
> --
> Guillaume Quintard
>
> On Aug 16, 2017 09:29, "Admin Beckspaced" <admin at beckspaced.com> wrote:
>
> Thanks a lot for your suggestion for using HaProxy ;)
>
> My thinking was just: why install another bit of software when
> apache is able to do the SSL termination.
> But like Andrei said, if traffic spikes hit the apache runaround
> will not be the optimal solution.
>
> Do you guys have any recent up-to-date tutorials / howtos on
> setting up HaProxy as SSL terminator in front of varnish?
> Also doing the SSL redirects ...
>
> Did look around for Hitch but wasn't very pleased with the info
> provided ;(
>
> Any hints are welcome & thanks for your help & replies ;)
>
> Greetings
> Becki
>
>
>
> On 15.08.2017 22:04, Jan Hugo Prins | BetterBe wrote:
>
> I would not do it like that.
> Better is to use something like Hitch or HaProxy (my
> preference) and put that in front of Varnish.
> Then HaProxy / Hitch can terminate all SSL traffic, and
> HaProxy can also do your redirect to SSL if needed.
> Then in Varnish you use the Apache server as a backend and let
> it only serve what it needs to serve.
> Use the ProxyProtocol to send the client information from
> HaProxy to Varnish.
> In Varnish you need to put the client IP into the
> X-Forwarded-For header.
> In Apache you can then use this header to have the real client
> IP address.
>
> This way you have the real client IP information on all layers.
>
> Jan Hugo Prins
>
>
>
>
> _______________________________________________
> varnish-misc mailing list
> varnish-misc at varnish-cache.org
> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
>
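
The thread relies on the PROXY protocol (the `,PROXY` suffix on the Varnish `-a` listener) to carry the real client IP from the TLS terminator to Varnish. As an added example that is not part of any message in the thread, this Python code parses the v1 and v2 headers such a terminator prepends to the decrypted stream; the function name and the sample addresses are constructed for illustration.

```python
import ipaddress
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY v2 signature

def parse_proxy_header(data: bytes):
    """Return (src, dst, consumed); src and dst are (ip, port) tuples or None.

    None means v2 LOCAL or v1 UNKNOWN (e.g. a health check). Raises ValueError
    on malformed input."""
    if data.startswith(V2_SIG):
        if len(data) < 16:
            raise ValueError("truncated v2 header")
        ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
        end = 16 + length                      # address block plus any TLVs
        if ver_cmd >> 4 != 2 or len(data) < end:
            raise ValueError("bad v2 version or length")
        if ver_cmd & 0x0F == 0:                # LOCAL: no client address carried
            return None, None, end
        alen = {0x11: 4, 0x21: 16}.get(fam)    # TCP over IPv4 / TCP over IPv6
        if ver_cmd & 0x0F != 1 or alen is None or length < 2 * alen + 4:
            raise ValueError("unsupported v2 command or address family")
        body = data[16:end]
        sport, dport = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
        src = str(ipaddress.ip_address(body[:alen]))
        dst = str(ipaddress.ip_address(body[alen:2 * alen]))
        return (src, sport), (dst, dport), end
    if data.startswith(b"PROXY "):
        line, sep, _ = data[:107].partition(b"\r\n")  # v1 line is at most 107 bytes
        if not sep:
            raise ValueError("v1 line not terminated")
        parts = line.decode("ascii").split(" ")
        if parts[1] == "UNKNOWN":
            return None, None, len(line) + 2
        if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
            raise ValueError("bad v1 line")
        want = 4 if parts[1] == "TCP4" else 6
        src, dst = (ipaddress.ip_address(p) for p in parts[2:4])
        sport, dport = int(parts[4]), int(parts[5])
        if {src.version, dst.version} != {want} or not all(0 <= p <= 65535 for p in (sport, dport)):
            raise ValueError("bad v1 address or port")
        return (str(src), sport), (str(dst), dport), len(line) + 2
    raise ValueError("no PROXY header")

# Constructed samples: client 203.0.113.7:51000 connecting to 192.0.2.1:443
SAMPLE_V2 = (V2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", 12)
             + bytes([203, 0, 113, 7]) + bytes([192, 0, 2, 1])
             + struct.pack("!HH", 51000, 443) + b"GET / HTTP/1.1\r\n")
SAMPLE_V1 = b"PROXY TCP4 203.0.113.7 192.0.2.1 51000 443\r\nGET / HTTP/1.1\r\n"
```

A listener that accepts this header takes the client address from whoever connects to it, which is why the one in this thread is bound to 127.0.0.1 and fed only by the terminator.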