Using Varnish with SSL

Per Buer perbu at varnish-software.com
Tue Mar 22 10:25:33 CET 2011


On Tue, Mar 22, 2011 at 10:01 AM, Mattias Geniar <mattias at nucleus.be> wrote:

>> www.varnish-cache.org and www.varnish-software.com are running a
>> hidden apache (w/PHP) behind Varnish. On port 443 there is a
>> minimalistic nginx which does the SSL stuff and connects to Varnish.
>> It works well.
>
> So you're routing all SSL (port 443) via Nginx -> to Varnish -> to
> Apache?

Yes.

Varnish on port 80 with an Apache backend at some other port on loopback.

> Meaning your nginx is covering the SSL certificates, and your
> backend is only getting "normal" unencrypted hits?

Yes.

> How does that translate to performance? Are you losing a lot by passing
> it all via nginx first?

Not really. There is some HTTP header processing that is unnecessary
and that could have been saved if SSL was native in Varnish but all in
all, with Varnish you usually have a lot of CPU to spare. I remember a
couple of years back we were running the same stack and thousands of
hits per second without any issues.

> It's an interesting discussion, I'd love to hear more on the "best
> practice" implementation of this to get the most performance gain.

SSL used to be very expensive. It isn't anymore. There have been good
advances in both hardware and software so SSL is rather cheap.

-- 
Per Buer, Varnish Software
Phone: +47 21 98 92 61 / Mobile: +47 958 39 117 / Skype: per.buer
Varnish makes websites fly!
Want to learn more about Varnish? http://www.varnish-software.com/whitepapers
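
The layout described in this message (nginx on 443 doing only SSL, Varnish on port 80, Apache on loopback), sketched as an nginx configuration. This is an added example, not the configuration used on the sites mentioned and not part of the original message; the server name, certificate paths, protocol list and the 127.0.0.1:80 Varnish address are assumptions.

```nginx
# Added illustration: minimal nginx TLS terminator in front of Varnish.
# Assumed values (not from the thread): server_name, certificate paths,
# protocol list, and Varnish reachable at 127.0.0.1:80.
events {}

http {
    # Reuse connections to Varnish instead of opening one per request.
    upstream varnish {
        server 127.0.0.1:80;
        keepalive 32;
    }

    server {
        listen 443 ssl;
        server_name www.example.org;                     # placeholder

        ssl_certificate     /etc/nginx/tls/example.crt;  # placeholder path
        ssl_certificate_key /etc/nginx/tls/example.key;  # placeholder path
        ssl_protocols       TLSv1.2 TLSv1.3;

        # Session resumption avoids a full handshake on repeat visits,
        # which is where most of the remaining TLS CPU cost sits.
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;

        location / {
            # From here on the request travels unencrypted on the same host.
            proxy_pass         http://varnish;
            proxy_http_version 1.1;
            proxy_set_header   Connection "";   # required for upstream keepalive
            proxy_set_header   Host $host;

            # Overwrite rather than append, so a value sent by the client
            # never reaches the backend through this listener.
            proxy_set_header   X-Forwarded-Proto https;
            proxy_set_header   X-Forwarded-For   $remote_addr;
            proxy_set_header   X-Real-IP         $remote_addr;
        }
    }
}
```

Because Varnish also answers plain HTTP on port 80 directly, the backend can only trust X-Forwarded-Proto and the client-address headers if Varnish removes or overwrites them on requests that did not arrive from nginx. If the backend produces different responses for HTTP and HTTPS, the scheme also has to be part of what the cache keys on.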




More information about the varnish-misc mailing list