Varnish pipe through for SSL requests
r at roze.lv
Thu Jul 25 04:12:43 CEST 2013
> My question is, how do I have to setup varnish, that the SSL requests pipe
> through it and go directly to the managed server? And were do I have to
> install the SSL certificate?
Varnish doesnt play with SSL in any fashion (
https://www.varnish-cache.org/docs/trunk/phk/ssl.html ), so you have to use
other tools or different approaches for serving/piping the SSL traffic.
Depending on the software you are familiar with you can either directly
forward the 443 port to your backend using the OS tools like
iptables/ipfw/xinetd/etc (or any other "firewall/portfoward type"
software) - then you need to install the certificate on the backend
The drawback of this method is (unless you are using something like TPROXY
for the iptable rules) the backend won't see the original client ip.
Or use something like haproxy / nginx / stud to offload the SSL.
Then you have to install the certificate on the proxy (unless it works in
"tcp mode" - haproxy (and nginx with third party module) can operate like
Usually this is more easy to setup and the client ip can be passed with
additional http headers (X-Forwarded-For) and most webservers have modules
to transparently convert the ip for the application (nginx - realip /
apache - mod_rpaf)
For a single instance of varnish I personally use Stud (
Haproxy ( http://haproxy.1wt.eu/ ) on the other hand is more suitable for
more complex setups (multiple backends / loadbalancing and more).
More information about the varnish-misc