Help with IP Detection when using SSL

Reinis Rozitis r at roze.lv
Wed Dec 4 14:47:32 CET 2013


> Unfortunately due to strict security requirements we are not able to 
> offload SSL onto the load balancer/cache it has to go to apache.

Can you clarify this?

In this scenario you can't even use anything besides a TCP balancer, since 
you can't simply put a plain HTTP cache/proxy like nginx or varnish in between, 
as it needs to read (and alter) the HTTP headers, which would defeat the whole 
purpose of SSL/encryption ("man in the middle").

Of course nginx can also proxy https traffic (like proxy_pass 
https://yoursite;) to backends, but it would still need the SSL certificates 
for the https to function on the client side.


This is why usually the SSL offloading is done at the top level (in your 
case it would be nginx, which then passes the X-Forwarded-For header to 
varnish, which further passes it to apache, and apache converts it to the 
client IP).

rr 
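As an added example (not part of the original thread), here is a minimal configuration for the three-hop chain described in the reply above: nginx terminates SSL and sets X-Forwarded-For, Varnish passes the header on (Varnish 3's default vcl_recv appends its own client address to it), and Apache's mod_remoteip turns the header back into the client IP. Every hostname, port and file path below is assumed; the point to note is that nginx overwrites rather than appends the client-supplied header, and Apache only strips addresses of its own known proxies, so a client cannot spoof its source address by sending X-Forwarded-For itself.

```conf
# ---------------------------------------------------------------
# Added example, not from the original thread. Assumed topology:
#   client --https--> nginx :443 --http--> varnish 127.0.0.1:6081
#          --http--> apache 127.0.0.1:8080
# ---------------------------------------------------------------

# --- nginx: edge, terminates SSL ---------------------------------
server {
    listen 443 ssl;
    server_name example.com;                              # placeholder
    ssl_certificate     /etc/nginx/ssl/example.com.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    location / {
        proxy_pass http://127.0.0.1:6081;
        # Overwrite, never append: nginx is the first hop, so whatever
        # X-Forwarded-For the client sent must be discarded here.
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host              $host;
    }
}

# --- varnish default.vcl (Varnish 3 syntax) ----------------------
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Nothing to do for the header: Varnish 3's built-in vcl_recv
    # appends client.ip, so Apache receives "CLIENT_IP, 127.0.0.1".
    # X-Forwarded-Proto is forwarded untouched.
}

# --- apache httpd.conf (2.4, mod_remoteip) -----------------------
LoadModule remoteip_module modules/mod_remoteip.so
RemoteIPHeader X-Forwarded-For
# Only addresses of our own proxies are stripped from the right-hand
# side of the header; the rightmost remaining address becomes the
# client IP used by access logs, Require/Allow rules and REMOTE_ADDR.
RemoteIPInternalProxy 127.0.0.1
# %a is the client address after mod_remoteip has rewritten it;
# %{c}a would still show the TCP peer (varnish).
LogFormat "%a %l %u %t \"%r\" %>s %b" combined_remoteip
CustomLog logs/access_log combined_remoteip
```

If another trusted proxy ever sits in front of nginx, switch nginx to `$proxy_add_x_forwarded_for` and add that proxy's address to Apache's RemoteIPInternalProxy list; otherwise keep the overwrite, since an appended header still carries the client-chosen leftmost value.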




More information about the varnish-misc mailing list