Best practice for SSL passthrough?

Lars Jørgensen lajo at kb.dk
Tue Jun 21 12:53:29 CEST 2011


Hi,

Not a solution to the problem below, but I found a very easy workaround. Posting it here in case it is relevant to other users.

Problem: HTTP and HTTPS go to the same cached FQDN. Varnish only does HTTP, so how to pass HTTPS through to the backend?
Solution: xinetd can do this out of the box. Create a file in /etc/xinetd.d containing something like the below and restart xinetd.

service some_unique_name
{
    # UNLISTED: the service is not in /etc/services, so the port is given explicitly below
    type        = UNLISTED
    flags       = REUSE
    socket_type = stream
    wait        = no
    user        = root
    # raw TCP forward to the backend's TLS port; xinetd never decrypts the stream
    redirect    = back.end.ip.address 443
    port        = 443
}

A big caveat to this: You will not be able to cache HTTPS traffic. In my case that's not a problem but YMMV.


Lars

-----Original Message-----
From: varnish-misc-bounces at varnish-cache.org [mailto:varnish-misc-bounces at varnish-cache.org] On Behalf Of Lars Jørgensen
Sent: Monday, June 20, 2011 11:20 AM
To: varnish-misc at varnish-cache.org
Subject: RE: Best practice for SSL passthrough?

>> Is that how it works? That seems pretty neat because then I can cache https
>> requests too.

>Yup, that's it exactly. And Nginx is pretty performant as well, so it complements Varnish in that matter.

Great, I'll probably look into it.

So far I've found out that https is only really used in a redirect during login, and after that it's straight back to http. I therefore have no need to cache encrypted pages. If I can avoid learning new tech (nginx), I would prefer that at this point. So I did this:

backend default {
  .host = "1.2.3.62";
  .port = "80";
}

backend default_ssl {
  .host = "1.2.3.62";
  .port = "443";
}

sub vcl_recv {
  if (server.port == 443) {
    set req.backend = default_ssl;
    return(pipe);
  } else {
    set req.backend = default;
  }
  .
  .
  .
}

But it doesn't work, all I get is this:

   15 SessionOpen  c 10.6.0.18 52617 :443
   15 Debug        c herding

   15 SessionClose c timeout
   15 StatSess     c 10.6.0.18 52617 0 1 0 0 0 0 0 0
   15 SessionOpen  c 10.6.0.18 52622 :443
   15 Debug        c herding

   15 SessionClose c timeout
   15 StatSess     c 10.6.0.18 52622 0 1 0 0 0 0 0 0

Am I doing something obviously wrong? Is "server.port" not available in 3.0? I tried putting a std.log("HTTPS"); in the backend select statement above, but it doesn't get logged. Looks like that if-statement is wrong?


-- 
Lars

_______________________________________________
varnish-misc mailing list
varnish-misc at varnish-cache.org
http://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
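Added example (editor's own Python, not code from Lars's messages or from the Varnish or xinetd projects): a layer-4 TLS passthrough of the kind the xinetd `redirect` in the top message performs, plus two small parsers that make the failure of the VCL attempt in the quoted message concrete. `server.port` is a valid VCL 3.0 variable; the `if` is simply never reached, because Varnish runs `vcl_recv` only after it has parsed a complete HTTP request, while a TLS client opens with a handshake record (first byte 0x16) and then waits for a ServerHello. Neither side ever sends a request line, so the session idles until Varnish's timeout closes it, which is what the SessionOpen/SessionClose pairs in the log show. The function names `classify_first_bytes`, `parse_sni`, `build_client_hello` and `serve_passthrough` are chosen here, the ClientHello is constructed inline for the demonstration, and only the standard library is used.

```python
"""Layer-4 TLS passthrough (what xinetd's `redirect` does), plus why an HTTP-only
proxy cannot act on the same connection. Editor's example, stdlib only."""
import socket
import struct
import sys
import threading


def classify_first_bytes(data: bytes) -> str:
    """Label the first bytes of a connection: 'tls', 'http' or 'unknown'.

    A ClientHello sits in a TLS handshake record: content type 0x16, version 0x03 0x00..0x04.
    An HTTP request starts with "METHOD target HTTP/x.y" and CRLF.  The TLS bytes never
    satisfy an HTTP parser, so an HTTP-only proxy waits for a request that never comes.
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0].isalpha() and parts[2].startswith(b"HTTP/"):
        return "http"
    return "unknown"


def build_client_hello(server_name: str) -> bytes:
    """Constructed test input: a minimal ClientHello carrying only an SNI extension."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry         # ServerNameList
    ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext             # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                              # client_version, random
            + b"\x00"                                               # empty session_id
            + b"\x00\x02\xc0\x2f"                                   # one cipher suite
            + b"\x01\x00"                                           # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(data: bytes):
    """Return the server_name from a ClientHello, or None if absent or malformed.

    The cleartext SNI is the only application-level fact a passthrough can read.
    Every length is bounds-checked so a truncated or hostile record cannot raise.
    """
    try:
        if classify_first_bytes(data) != "tls":
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        rec = data[5:5 + rec_len]
        if len(rec) < rec_len or rec[0] != 0x01:                    # not a ClientHello
            return None
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        if len(hs) < hs_len:
            return None
        pos = 2 + 32                                                # skip version and random
        pos += 1 + hs[pos]                                          # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]          # cipher_suites
        pos += 1 + hs[pos]                                          # compression_methods
        if pos + 2 > len(hs):
            return None                                             # no extensions at all
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_total, len(hs))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            edata = hs[pos:pos + elen]
            pos += elen
            if etype == 0 and len(edata) >= 5:                      # u16 list_len, u8 type, u16 len, name
                ntype, nlen = edata[2], struct.unpack("!H", edata[3:5])[0]
                if ntype == 0 and len(edata) >= 5 + nlen:
                    return edata[5:5 + nlen].decode("ascii", "replace")
        return None
    except (IndexError, struct.error):
        return None


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_passthrough(listen_port: int, backend_host: str, backend_port: int) -> None:
    """Accept on listen_port and pipe raw bytes to backend_host:backend_port, untouched.

    Nothing here can read, cache or rewrite the HTTP inside, and the backend sees this
    host, not the browser, as the client: the same two limits the xinetd redirect has.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("0.0.0.0", listen_port))
    listener.listen(64)
    while True:
        client, addr = listener.accept()
        first = client.recv(4096, socket.MSG_PEEK)  # peek only: the bytes stay queued for the backend
        if classify_first_bytes(first) != "tls":
            client.close()                          # plain HTTP (or junk) on the TLS port: refuse it
            continue
        print(f"{addr[0]} -> SNI {parse_sni(first)!r}", file=sys.stderr)
        backend = socket.create_connection((backend_host, backend_port))
        threading.Thread(target=_pump, args=(client, backend), daemon=True).start()
        threading.Thread(target=_pump, args=(backend, client), daemon=True).start()


if __name__ == "__main__":
    # usage: python passthrough.py 443 back.end.ip.address 443
    serve_passthrough(int(sys.argv[1]), sys.argv[2], int(sys.argv[3]))
```

Peeking at the first bytes lets the forwarder refuse plain HTTP sent to the TLS port and log the SNI without terminating TLS, but that is all a passthrough can do; caching HTTPS responses requires terminating TLS in front of Varnish, which is the nginx arrangement the quoted reply describes.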



