varnish with ssl
michael at dynamine.net
Wed Apr 7 23:20:17 CEST 2010
On Wed, Apr 7, 2010 at 2:07 PM, Poul-Henning Kamp <phk at phk.freebsd.dk> wrote:
> In message <t2id002c4031004071101s8bc80aaeg5665316830381e6d at mail.gmail.com>, Michael Fischer writes:
>>What's the incompatibility with OpenSSL?
> I have two main reservations about SSL in Varnish:
> 1. OpenSSL is almost 350.000 lines of code, Varnish is only 58.000,
> Adding such a massive amount of code to Varnish footprint, should
> result in a very tangible benefit.
RAM is cheap. Besides, as a shared library the cost is amortized
among all processes using it.
> Compared to running a SSL proxy in front of Varnish, I can see
> very, very little benefit from integration. Yeah, one process
> less and only one set of config parameters.
> But that all sounds like "second systems syndrome" thinking to me,
> it does not really sound like a genuine "The world would become
> a better place" feature request.
Well, there are a couple of benefits:
(1) stunnel doesn't scale particularly well, and can't scale across
multiple CPUs in any event;
(2) As someone else pointed out, Varnish can only do effective logging
of and access control pertaining to the peer IP if the SSL negotiation
is done in-process. stunnel won't spoof the peer IP for Varnish (and
arguably no secure kernel should allow it to).
> But I do see some serious drawbacks: The necessary changes
> to Varnish internal logic will almost certainly hurt varnish
> performance for the plain HTTP case. We need to add an inordinate
> amount of overhead code, to configure and deal with the key/cert
I defer to your judgment on that issue.
> 2. I have looked at the OpenSSL source code, I think it is a catastrophe
> waiting to happen. In fact, the only thing that prevents attackers
> from exploiting problems more actively, is that the source code is
> fundamentally unreadable and impenetrable.
Is GNU TLS any better? I've not used it.
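The peer-IP point in (2) is worth seeing concretely. The following is an added example, not code from the thread or from Varnish or stunnel: it models what a cache's IP-based access check sees when TLS is terminated by a separate proxy on the same host, and the usual application-level workaround of trusting a forwarded-address header only when the TCP peer is the terminator itself. The addresses, the `ADMIN_NET` range, and the assumption that the terminator is configured to append the client address in `X-Forwarded-For` are all constructed for the illustration; the thread does not say stunnel does this.

```python
# Added example (not from the varnish-misc thread). Shows why an IP-based ACL
# or access log in a cache behind a TLS-terminating proxy attributes every
# HTTPS request to the proxy's address, and one common mitigation: accept a
# forwarded-address header only from a known terminator, never from arbitrary
# clients, because the header itself is otherwise client-controlled.
import ipaddress

# Constructed values for the illustration.
TLS_TERMINATOR = ipaddress.ip_address("127.0.0.1")   # stunnel-style proxy on the same host
ADMIN_NET = ipaddress.ip_network("10.0.0.0/8")       # hypothetical ACL-allowed range


def client_ip(peer_ip, headers, trusted_terminators=(TLS_TERMINATOR,)):
    """Return the address an ACL or log line should attribute the request to.

    peer_ip  -- TCP peer address as the cache itself sees it (the accept() view)
    headers  -- request headers as a dict; matched case-insensitively here
    Only when the peer is a trusted terminator is X-Forwarded-For consulted, and
    then only its last entry (the one the terminator appended). Anything that is
    not a valid address falls back to the peer rather than being trusted.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted_terminators:
        # Direct (plain HTTP) connection: the kernel-reported peer is authoritative
        # and any X-Forwarded-For header came from the client, so it is ignored.
        return peer
    xff = {k.lower(): v for k, v in headers.items()}.get("x-forwarded-for", "")
    last = xff.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last)
    except ValueError:
        return peer


def acl_allows(peer_ip, headers):
    """The ACL decision a cache would make given the attributed client address."""
    return client_ip(peer_ip, headers) in ADMIN_NET


if __name__ == "__main__":
    # Scenario 1: plain HTTP straight to the cache; the peer is the real client.
    print(client_ip("10.1.2.3", {}), acl_allows("10.1.2.3", {}))
    # Scenario 2: HTTPS via the terminator with no forwarded header; every client
    # looks like 127.0.0.1, so the ACL cannot tell them apart and denies all.
    print(client_ip("127.0.0.1", {}), acl_allows("127.0.0.1", {}))
    # Scenario 3: the terminator appends X-Forwarded-For; the ACL works again.
    print(client_ip("127.0.0.1", {"X-Forwarded-For": "10.1.2.3"}))
    # Scenario 4: a direct client forges X-Forwarded-For; ignored because the
    # peer is not a trusted terminator.
    print(client_ip("203.0.113.5", {"X-Forwarded-For": "10.1.2.3"}))
```

The in-process alternative the thread is arguing about removes the need for any of this: if the cache performs the TLS handshake itself, the accept() peer address is already the client's and the ACL and log see it directly.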