Rewriting/enforcing SSL behind an SSL termination point

Per Buer perbu at varnish-software.com
Fri Dec 9 09:48:48 CET 2011


On Fri, Dec 9, 2011 at 8:08 AM, Jason Farnsworth <jason at pethub.com> wrote:

> We are hosted on Amazon Web Services and all SSL termination is done by an
> Elastic Load Balancer.  So all I'm looking to do is re-write URLs like
> this
>
> http://domain.com -> https://www.domain.com
> http://www.domain.com -> https://www.domain.com
> https://domain.com -> https://www.domain.com


Varnish will not rewrite the actual content coming from the backend. We can,
however, _redirect_ the client whenever they ask for an http:// URL.

We use the following code on varnish-cache.org to do this:

in vcl_recv:

  if ( (req.http.host ~ "(?i)www.varnish-cache.org") && !(client.ip ~ localhost)) {
    set req.http.x-redir-url = "https://" + req.http.host + req.url;
    error 750 req.http.x-redir-url;
  }

(..)


sub vcl_error {
  # standard redirection in VCL:
  if (obj.status == 750) {
    set obj.http.Location = obj.response;
    set obj.status = 302;
    return(deliver);
  }
}


Since we have an SSL terminator in front of Varnish, client.ip is localhost
when there is SSL present. You might want to change the code to test
X-Forwarded-Proto for whatever it is set to.


-- 
Per Buer, CEO
Phone: +47 21 98 92 61 / Mobile: +47 958 39 117 / Skype: per.buer
*Varnish makes websites fly!*
Whitepapers <http://www.varnish-software.com/whitepapers> |
Video<http://www.youtube.com/watch?v=x7t2Sp174eI> |
Twitter <https://twitter.com/varnishsoftware>
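
The X-Forwarded-Proto variant suggested above, for the ELB setup in the question, as an added example that is not part of the original post or the varnish-cache.org configuration. It assumes Varnish 2.x/3.x syntax as in the post, that the ELB sets X-Forwarded-Proto, that Varnish accepts traffic only from the ELB (otherwise a client can send the header itself), and a hypothetical /health check path; www.domain.com is the placeholder host from the question.

```vcl
sub vcl_recv {
  # Hypothetical health-check path (assumption): let the probe reach the
  # backend instead of redirecting it, since a 302 is not a healthy answer.
  if (req.url != "/health") {
    # Redirect when the client-facing request was not HTTPS, or when it
    # used any host other than the canonical one. An absent header does
    # not equal "https", so it is redirected as well.
    if (req.http.X-Forwarded-Proto != "https" ||
        req.http.host !~ "(?i)^www\.domain\.com$") {
      # Build the target from a fixed host name rather than req.http.host,
      # so a client-supplied Host header cannot choose where the
      # Location header points.
      set req.http.x-redir-url = "https://www.domain.com" + req.url;
      error 750 req.http.x-redir-url;
    }
  }
}

sub vcl_error {
  # Same redirect handler as in the post: status 750 carries the target
  # URL in obj.response.
  if (obj.status == 750) {
    set obj.http.Location = obj.response;
    set obj.status = 302;
    return(deliver);
  }
}
```

This covers all three rewrites in the question with one rule, because both the scheme and the host are checked against the canonical https://www.domain.com form.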