varnishlog client IP problem via Apache SSL reverse proxy

Admin Beckspaced admin at beckspaced.com
Fri Aug 18 09:08:36 CEST 2017


Good Morning Everyone ;)

Before doing some work today and installing Hitch as an SSL/TLS 
terminator in front of varnish on my production server ...

I would like to thank you all for your help & suggestions and especially 
@Guillaume for insisting to have a look at Hitch ;)

First, I want to take back my statement about the hitch documentation. I 
found everything in the docs that is needed to set up and configure hitch.
Perhaps I was a bit surprised by the 'tiny' amount of documentation, 
but hey ... hitch is only a 'dumb' TLS proxy!
So there's not that much to document after all ;)

Also the redirect from http -> https works like a breeze ... though I 
had to do a bit of std.log("local port: "  + std.port(local.ip))
to understand the difference between remote, local, client, server 
variables ...

Another tiny bit of frustration I encountered was a typo in a copy & 
paste from GitHub

https://github.com/varnish/hitch/issues/39

It's about setting the X-Forwarded-Proto: https header in varnish VCL to 
let my WordPress know that it's running on https,

and if you do a copy & paste of

sub vcl_recv {
    if (std.port(local.ip) == 80) {
      return (synth(700));
    } else {
      set req.http.X-Forwared-Proto = "https";
    }
}

and you don't look closely enough to notice that the 'd' is missing in 
req.http.X-Forwared-Proto
(it should be req.http.X-Forwarded-Proto),

you will scratch your head for quite some time and wonder why WordPress 
doesn't know that it is running on SSL ... oh my gosh!

anyway ... it all worked out fine and now I have a hitch install to do on 
my production server ;)

Thanks & best wishes
Becki


On 16.08.2017 09:57, Guillaume Quintard wrote:
> At the risk of insisting, hitch is super easy to set up, once 
> installed, you just need to:
> - Edit /etc/hitch/hitch.conf to
>   - Set the front-end, usually *:443
>   - Set the backend (where to send decrypted traffic), 127.0.0.1:8443
>   - Set the pem-file line to point to a certificate
> - Add "-a 127.0.0.1:8443,PROXY" to the Varnish command.
>
> The Varnish part will be needed anyway if you want to use the proxy 
> protocol.
>
> The docs here 
> https://docs.varnish-software.com/varnish-cache-plus/features/client-ssl/ 
> can help you (except that the name of the package differs) but the 
> crux of it is really what I listed above.
>
> So we can do better next time, what didn't you like about the info you 
> got about hitch?
>
> -- 
> Guillaume Quintard
>
> On Aug 16, 2017 09:29, "Admin Beckspaced" <admin at beckspaced.com> wrote:
>
>     Thanks a lot for your suggestion for using HAProxy ;)
>
>     My thinking was just: why install another bit of software when
>     apache is able to do the SSL termination.
>     But like Andrei said, if traffic spikes hit, the apache runaround
>     will not be the optimal solution.
>
>     Do you guys have any recent up-to-date tutorials / howtos on
>     setting up HAProxy as SSL terminator in front of varnish,
>     also doing the SSL redirects ...
>
>     Did look around for Hitch but wasn't very pleased with the info
>     provided ;(
>
>     Any hints are welcome & thanks for your help & replies ;)
>
>     Greetings
>     Becki
>
>
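Putting the pieces of this thread together, the following VCL is an added example (it is not code from the thread, from the Varnish project or from hitch) of the hitch + Varnish layout Guillaume describes, with the X-Forwarded-Proto header spelled correctly and the http -> https redirect done in vcl_synth. It assumes varnishd is started with "-a :80 -a 127.0.0.1:8443,PROXY", that hitch.conf contains frontend = "[*]:443", backend = "[127.0.0.1]:8443", write-proxy-v2 = on and a pem-file line, and that Apache/WordPress listens on 127.0.0.1:8080; all of those addresses and ports are assumptions for the example.

```vcl
vcl 4.0;
import std;

# Assumption for this example: Apache with WordPress on loopback port 8080.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Never trust a client-supplied value. Without this line a plain-HTTP
    # client could send "X-Forwarded-Proto: https" itself and make the
    # application believe the request was secure.
    unset req.http.X-Forwarded-Proto;

    # With the PROXY protocol, local.ip is the address the *client*
    # connected to as relayed by hitch (port 443), not the loopback socket
    # Varnish actually listens on (server.ip, port 8443). The plain HTTP
    # listener on :80 therefore shows up here as port 80.
    if (std.port(local.ip) == 80) {
        # Hand off to vcl_synth, which builds the redirect.
        return (synth(750, "Moved Permanently"));
    }

    # Request arrived via hitch on the PROXY listener: it was TLS on the wire.
    set req.http.X-Forwarded-Proto = "https";
}

sub vcl_synth {
    if (resp.status == 750) {
        set resp.status = 301;
        set resp.http.Location = "https://" + req.http.host + req.url;
        return (deliver);
    }
}
```

Two things worth checking after loading this. First, the PROXY listener believes whatever client address the PROXY header carries, so "-a 127.0.0.1:8443,PROXY" must only be reachable from hitch (loopback or a firewalled address); if it were exposed, any client could forge the client.ip that varnishlog reports, which is exactly the value this thread set out to get right. Second, because client.ip now comes from the PROXY header, the client IP in varnishlog's ReqStart/SessOpen records is the real one instead of 127.0.0.1, while remote.ip still shows hitch; std.log() lines as used in the thread are the quickest way to confirm which variable holds which address on your box.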

More information about the varnish-misc mailing list