SSL

Robert Shilston rtshilston at gmail.com
Mon Mar 14 09:22:02 CET 2011


On 14 Mar 2011, at 08:14, Poul-Henning Kamp wrote:

> In message <AANLkTiny7-wR9kfVWJ8-bh8NOAuQ=p1N+PHPQTKZss7H at mail.gmail.com>, Per 
> Buer writes:
> 
>> Yes. If we use the patched stunnel version that haproxy also uses. It
>> requires Varnish to understand the protocol however, as the address of the
>> client is sent at the beginning of the conversation in binary form.
> 
> I would say  "Use a more intelligent SSL proxy" then...

We're using Varnish successfully with nginx.  The config looks like:

=====
worker_processes  1;

error_log  /var/log/nginx/global-error.log;

pid        /var/run/nginx.pid;

events {
   worker_connections  1024;
}


http {

   include       mime.types;
   default_type  application/octet-stream;

   sendfile        on;

   keepalive_timeout  65;

   server {
       # TLS terminates here; Varnish behind nginx only ever sees plain HTTP
       ssl on;
       ssl_certificate      /etc/ssl/example.com.crt;
       ssl_certificate_key  /etc/ssl/example.com.key;
       # a bare address defaults to port 80, so name the HTTPS port explicitly
       listen a.b.c.4:443 default ssl;

       access_log /var/log/nginx/access.log;
       error_log /var/log/nginx/error.log;

       # Proxy any requests to the local varnish instance
       location / {
           proxy_set_header "Host" $host;
           proxy_set_header "X-Forwarded-By" "Nginx-a.b.c.4";
           # appends the real peer address to whatever X-Forwarded-For the client sent
           proxy_set_header "X-Forwarded-For" $proxy_add_x_forwarded_for;
           # proxy_pass requires a scheme; Varnish is reached over plain HTTP
           proxy_pass http://a.b.c.5;
       }
   }
}
=====
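The config above carries the client address to Varnish in X-Forwarded-For, which is the part the backend must not trust blindly: a client can send its own X-Forwarded-For, and nginx's $proxy_add_x_forwarded_for only appends the real peer address on the right of it. The following is an added example, not code from the original post nor from Varnish or nginx, showing how whatever sits behind the TLS terminator should pick the client address: walk the header right to left and skip only the hops you control. The proxy address 10.0.0.4 is a constructed stand-in for the a.b.c.4 placeholder in the config, and the sample requests are constructed too.

```python
"""Select the real client address from X-Forwarded-For behind a trusted TLS
terminator (added example; the proxy address and requests are constructed)."""
import ipaddress
from typing import Iterable, List, Optional

# Hypothetical stand-in for a.b.c.4: the only hosts allowed to speak to the
# backend and whose appended X-Forwarded-For entries we believe.
TRUSTED_PROXIES = frozenset({"10.0.0.4"})


def parse_xff(header: Optional[str]) -> List[str]:
    """Split an X-Forwarded-For value into raw entries, left to right."""
    if not header:
        return []
    return [part.strip() for part in header.split(",") if part.strip()]


def client_ip(peer_addr: str, xff_header: Optional[str],
              trusted: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Return the address the backend should treat as the client.

    Each proxy appends the address it saw on the wire to the right end of
    X-Forwarded-For, so the header is read right to left: trusted hops are
    skipped and the first untrusted value is the client. Everything to its
    left was supplied by the client or an unknown party and is ignored.
    If the direct peer is not a trusted proxy (someone reached the backend
    without going through nginx), the header is ignored entirely.
    """
    trusted_set = {ipaddress.ip_address(t) for t in trusted}
    peer = ipaddress.ip_address(peer_addr)
    if peer not in trusted_set:
        return str(peer)
    for raw in reversed(parse_xff(xff_header)):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            # A trusted proxy appends only a real peer address, so a garbage
            # entry at this position means a misconfigured hop: fail closed.
            raise ValueError(f"malformed X-Forwarded-For entry from trusted hop: {raw!r}")
        if addr not in trusted_set:
            return str(addr)
    # Header empty or made only of trusted hops: nothing further back to trust.
    return str(peer)


if __name__ == "__main__":
    # Constructed requests as Varnish would receive them from the nginx above.
    cases = [
        # client tried to spoof 1.2.3.4; nginx appended its real peer 203.0.113.9
        ("10.0.0.4", "1.2.3.4, 203.0.113.9"),
        # request that bypassed nginx entirely: header must be ignored
        ("203.0.113.9", "1.2.3.4"),
        # two trusted hops in a row (second proxy 10.0.0.5 added to trust set)
        ("10.0.0.4", "203.0.113.9, 10.0.0.5"),
    ]
    for peer, xff in cases:
        print(peer, repr(xff), "->",
              client_ip(peer, xff, trusted={"10.0.0.4", "10.0.0.5"}))
```

Note that the nginx config sends no X-Forwarded-Proto, so a backend using this logic still cannot tell an HTTPS request from an HTTP one; whether that matters depends on what Varnish is asked to do with the scheme.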


