Rewriting/enforcing SSL behind an SSL termination point

Michael Alger varnish at
Fri Dec 9 08:45:13 CET 2011

On Fri, Dec 09, 2011 at 07:08:50AM +0000, Jason Farnsworth wrote:
> I'm having a difficult time finding information on what I think
> would be a fairly common problem.  We want to enforce the use of
> www.  (which we currently do with mod_rewrite) AND enforce the use
> of HTTPS - site wide.  I'm aware that we can do both of these with
> mod_rewrite, but there are various reasons I'd like to keep this at
> the Varnish level…

Since Varnish doesn't handle HTTPS there's a sort of level of
abstraction here. You need some other indicator as to whether the
connection was made via SSL, which it sounds like you have:

> We are hosted on Amazon Web Services and all SSL termination is done
> by an Elastic Load Balancer.  So all I'm looking to do is re-write
> URLs like this…
> ->
> ->
> ->
> Of course, we also want to pass on the x-forwarded-proto header
> (which is pretty well documented, no problem there.)

I take it the X-Forwarded-Proto header a) indicates whether the
connection was made via SSL or not and b) can be trusted? If so then
you're set. If not you'll need to find something in the request you
can use for this purpose.

> The URL re-write directions on the website address rewriting the
> host and the path well, but not SSL.  It would make me quite happy
> if we could use Varnish for all this.

Once you have a mechanism for determining how the original connection
was made, it's pretty straightforward. In vcl_recv you just check for
that header e.g. if (req.http.X-Forwarded-Proto ~ "SSL") or whatever,
and if it wasn't SSL then you issue a redirect to the same URL with an
https:// prefix in the usual manner.
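Putting the thread's pieces together as an added example (not code from the original post): a VCL 4 configuration that trusts X-Forwarded-Proto only from the load balancer, then redirects anything that is not already HTTPS on the www. host. It assumes the ELB sets X-Forwarded-Proto to "https" (which AWS load balancers do), a placeholder ACL for the load balancer's subnet, and a backend on 127.0.0.1:8080; Varnish 3, current when this thread was written, used error/vcl_error in place of synth/vcl_synth.

```vcl
vcl 4.0;

# Constructed example: Varnish sits behind an AWS ELB that terminates TLS
# and forwards every request over plain HTTP with X-Forwarded-Proto set.
acl trusted_proxies {
    "10.0.0.0"/8;      # placeholder: the subnet(s) your ELB nodes use
}

backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # A client reaching Varnish directly could forge the header, so drop
    # it unless the request arrived from a trusted proxy address.
    if (client.ip !~ trusted_proxies) {
        unset req.http.X-Forwarded-Proto;
    }

    # Enforce HTTPS and the www. hostname with a single redirect.
    if (req.http.X-Forwarded-Proto !~ "(?i)^https$" ||
        req.http.host !~ "(?i)^www\.") {
        return (synth(750, "Redirect"));
    }
}

sub vcl_synth {
    if (resp.status == 750) {
        set resp.status = 301;
        # regsub matches the optional leading "www." and replaces it with
        # "www.", so a bare host gains the prefix and a www. host is unchanged.
        set resp.http.Location = "https://" +
            regsub(req.http.host, "(?i)^(www\.)?", "www.") + req.url;
        return (deliver);
    }
}
```

Without the ACL guard, a client that can reach Varnish directly could set X-Forwarded-Proto: https itself and bypass the redirect, which is the trust question raised above.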
