Rewriting/enforcing SSL behind an SSL termination point

Jason Farnsworth jason at pethub.com
Thu Dec 15 21:51:01 CET 2011


Alright, I had to re-write the rule a bit since I'm watching for X-Forwarded-Proto, and want to handle domain.com as well as www.domain.com.  I've put this rule together, and it seems to be working OK…

sub vcl_recv {
  # The apex host is always sent to the canonical https://www host; the www host
  # is redirected only when the ELB did not mark the request as HTTPS.
  if ((req.http.host ~ "^(?i)pethub\.com") || ((req.http.host ~ "^(?i)www\.pethub\.com") && (req.http.X-Forwarded-Proto !~ "(?i)https"))) {
      set req.http.x-redir-url = "https://www.pethub.com" + req.url;
      error 750 req.http.x-redir-url;
  }
}

sub vcl_error {
  # Turn the synthetic 750 into a 302 whose Location is the URL stored above.
  if (obj.status == 750) {
    set obj.http.Location = obj.response;
    set obj.status = 302;
    return(deliver);
  }
}

Thanks for the info!

Jason

From: Jason Farnsworth <jason at pethub.com>
Date: Wed, 14 Dec 2011 20:39:59 -0800
To: Per Buer <perbu at varnish-software.com>
Cc: "varnish-misc at varnish-cache.org" <varnish-misc at varnish-cache.org>
Subject: Re: Rewriting/enforcing SSL behind an SSL termination point

This is great, I'll give this a shot and report back!

From: Per Buer <perbu at varnish-software.com>
Date: Fri, 9 Dec 2011 09:48:48 +0100
To: Jason Farnsworth <jason at pethub.com>
Cc: "varnish-misc at varnish-cache.org" <varnish-misc at varnish-cache.org>
Subject: Re: Rewriting/enforcing SSL behind an SSL termination point

On Fri, Dec 9, 2011 at 8:08 AM, Jason Farnsworth <jason at pethub.com> wrote:
We are hosted on Amazon Web Services and all SSL termination is done by an
Elastic Load Balancer.  So all I'm looking to do is re-write URLs like
this

http://domain.com -> https://www.domain.com
http://www.domain.com -> https://www.domain.com
https://domain.com -> https://www.domain.com

Varnish will not rewrite the actual content coming from the backend. We can, however, _redirect_ the client whenever they ask for an http:// URL.

We use the following code on varnish-cache.org to do this:

in vcl_recv:

  # Redirect requests for the www host unless they arrived via the local SSL
  # terminator (the "localhost" ACL is defined elsewhere in the VCL).
  if ( (req.http.host ~ "(?i)www\.varnish-cache\.org") && !(client.ip ~ localhost)) {
    set req.http.x-redir-url = "https://" + req.http.host + req.url;
    error 750 req.http.x-redir-url;
  }

(..)


sub vcl_error {
  # standard redirection in VCL:
  if (obj.status == 750) {
    set obj.http.Location = obj.response;
    set obj.status = 302;
    return(deliver);
  }
}


Since we have an SSL terminator in front of Varnish, client.ip is localhost when there is SSL present. You might want to change the code to test X-Forwarded-Proto for whatever it is set to.


--
Per Buer, CEO
Phone: +47 21 98 92 61 / Mobile: +47 958 39 117 / Skype: per.buer
Varnish makes websites fly!
Whitepapers: http://www.varnish-software.com/whitepapers | Video: http://www.youtube.com/watch?v=x7t2Sp174eI | Twitter: https://twitter.com/varnishsoftware
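The three rewrites Jason asked for, plus Per's warning that the rule must consult X-Forwarded-Proto behind a terminator, modelled as an added Python example (not code from the thread or from Varnish). The pethub.com host names come from the thread; the optional port suffix in the patterns, the check_proto switch and the hop replay are my additions.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed model of the vcl_recv decision from the thread. Inputs are the
# Host header, the request URL and the X-Forwarded-Proto header that the TLS
# terminator (the ELB) sets on every request it forwards.
CANONICAL = "https://www.pethub.com"

# Anchored, dot-escaped host patterns; the thread's patterns leave "." unescaped.
APEX = re.compile(r"^pethub\.com(:\d+)?$", re.IGNORECASE)
WWW = re.compile(r"^www\.pethub\.com(:\d+)?$", re.IGNORECASE)


def redirect_target(host: str, url: str, forwarded_proto: Optional[str],
                    check_proto: bool = True) -> Optional[str]:
    """Return the Location Varnish would send, or None to pass the request on.

    The apex host always redirects; the www host redirects only when the
    terminator did not mark the request as HTTPS. check_proto=False models a
    rule that ignores X-Forwarded-Proto, the situation Per warns about."""
    is_https = check_proto and (forwarded_proto or "").lower() == "https"
    if APEX.match(host) or (WWW.match(host) and not is_https):
        return CANONICAL + url
    return None


def follow(host: str, url: str, forwarded_proto: Optional[str],
           check_proto: bool = True, limit: int = 5) -> Tuple[str, int]:
    """Replay a browser's hops until no redirect is issued.

    Returns (final URL, hop count); a hop count equal to limit means the rule
    sends the browser in circles instead of reaching the backend."""
    current = f"{forwarded_proto or 'http'}://{host}{url}"
    hops = 0
    while hops < limit:
        target = redirect_target(host, url, forwarded_proto, check_proto)
        if target is None:
            return current, hops
        hops += 1
        current = target
        parts = urlsplit(target)
        # The terminator receives the https:// URL and stamps the header itself.
        host = parts.netloc
        url = parts.path + ("?" + parts.query if parts.query else "")
        forwarded_proto = parts.scheme
    return current, hops
```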

