SSL
Robert Shilston
rtshilston at gmail.com
Mon Mar 14 09:22:02 CET 2011
On 14 Mar 2011, at 08:14, Poul-Henning Kamp wrote:
> In message <AANLkTiny7-wR9kfVWJ8-bh8NOAuQ=p1N+PHPQTKZss7H at mail.gmail.com>, Per
> Buer writes:
>
>> Yes. If we use the patched stunnel version that haproxy also uses. It
>> requires Varnish to understand the protocol however, as the address of the
>> client is sent at the beginning of the conversation in binary form.
>
> I would say "Use a more intelligent SSL proxy" then...
We're using Varnish successfully with nginx. The config looks like:
=====
worker_processes 1;
error_log /var/log/nginx/global-error.log;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    server {
        # Terminate SSL on the public address
        ssl on;
        ssl_certificate /etc/ssl/example.com.crt;
        ssl_certificate_key /etc/ssl/example.com.key;
        listen a.b.c.4 default ssl;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        # Proxy any requests to the local varnish instance
        location / {
            proxy_set_header "Host" $host;
            proxy_set_header "X-Forwarded-By" "Nginx-a.b.c.4";
            # Appends the connecting client's address to any X-Forwarded-For the client sent
            proxy_set_header "X-Forwarded-For" $proxy_add_x_forwarded_for;
            # proxy_pass needs a scheme; traffic to Varnish is plain HTTP
            proxy_pass http://a.b.c.5;
        }
    }
}
====
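
Added example, not part of the original post: because `$proxy_add_x_forwarded_for` appends the client address to whatever X-Forwarded-For value the client supplied, anything behind nginx should read the header from the right and stop at the first hop that is not one of its own proxies. The addresses are constructed documentation-range values standing in for the post's a.b.c.4 placeholder, and the function and constant names are hypothetical.

```python
import ipaddress

# Assumption: 192.0.2.4 stands in for the nginx address (a.b.c.4 in the post);
# loopback covers a proxy running on the same host as the backend.
TRUSTED_PROXIES = [
    ipaddress.ip_network("192.0.2.4/32"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address a request should be attributed to.

    peer_addr  -- address of the TCP peer that opened the connection
    xff_header -- raw X-Forwarded-For header value, or None if absent
    """
    peer = ipaddress.ip_address(peer_addr)
    # A header sent by an untrusted peer is client-controlled: ignore it.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)

    last_good = peer
    # Each trusted proxy appended its own peer, so walk right to left.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: nothing further left can be trusted
        if not _is_trusted(addr):
            return str(addr)  # first hop that is not one of our proxies
        last_good = addr
    return str(last_good)


if __name__ == "__main__":
    # Constructed request: the client sent "10.1.1.1", nginx appended 203.0.113.7.
    print(client_ip("192.0.2.4", "10.1.1.1, 203.0.113.7"))
```
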