Rewriting/enforcing SSL behind an SSL termination point

Jason Farnsworth jason at
Thu Dec 15 05:40:02 CET 2011

This is great, I'll give this a shot and report back!

From: Per Buer <perbu at>
Date: Fri, 9 Dec 2011 09:48:48 +0100
To: Jason Farnsworth <jason at>
Cc: "varnish-misc at" <varnish-misc at>
Subject: Re: Rewriting/enforcing SSL behind an SSL termination point

On Fri, Dec 9, 2011 at 8:08 AM, Jason Farnsworth <jason at> wrote:
We are hosted on Amazon Web Services and all SSL termination is done by an
Elastic Load Balancer.  So all I'm looking to do is re-write URLs like
this -> -> ->

Varnish will not rewrite the actual content coming from the backend. We can, however, _redirect_ the client whenever they ask for a http:// URL.

We use the following code on<> to do this:

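in vcl_recv:

  # Redirect plain-HTTP requests for this host. Requests relayed by the local
  # SSL terminator arrive from localhost (an ACL defined elsewhere) and are left alone.
  if ((req.http.host ~ "(?i)<>") && !(client.ip ~ localhost)) {
    set req.http.x-redir-url = "https://" + req.http.host + req.url;
    error 750 req.http.x-redir-url;
  }


sub vcl_error {
  # standard redirection in VCL:
  if (obj.status == 750) {
    set obj.http.Location = obj.response;
    set obj.status = 302;
    return (deliver);
  }
}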

Since we have an SSL terminator in front of Varnish, client.ip is localhost when there is SSL present. You might want to change the code to test X-Forwarded-Proto for whatever it is set to.

Per Buer, CEO
Phone: +47 21 98 92 61 / Mobile: +47 958 39 117 / Skype: per.buer
Varnish makes websites fly!
Whitepapers | Video | Twitter
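
The X-Forwarded-Proto variant suggested at the end of the quoted message could look like the following. This is an added example in the same Varnish 3.x syntax, not code from the thread or from Varnish Software. It assumes the SSL terminator sets X-Forwarded-Proto to "https" on TLS requests and that Varnish is reachable only through that terminator; the host pattern `www\.example\.com` and the `/healthcheck` path are placeholders.

```vcl
sub vcl_recv {
  # Load balancer health checks arrive over plain HTTP and expect a 200,
  # so they must not be redirected. The path is a hypothetical placeholder.
  if (req.url == "/healthcheck") {
    return (pass);
  }

  # An unset header does not match, so requests without X-Forwarded-Proto
  # are treated as plain HTTP.
  if (req.http.X-Forwarded-Proto !~ "(?i)^https$") {
    # Only build a redirect for a host this site serves, so a forged Host
    # header cannot steer the Location header to another domain.
    if (req.http.host ~ "(?i)^www\.example\.com$") {
      set req.http.x-redir-url = "https://" + req.http.host + req.url;
      error 750 req.http.x-redir-url;
    }
    error 400 "Bad Request";
  }
}

sub vcl_error {
  # Turn the internal 750 marker into a real redirect.
  if (obj.status == 750) {
    set obj.http.Location = obj.response;
    set obj.status = 302;
    return (deliver);
  }
}
```

The header is only trustworthy if clients cannot reach Varnish directly, because anyone who can may send X-Forwarded-Proto themselves and skip the redirect.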
