Varnish pipe through for SSL requests

Reinis Rozitis r at
Thu Jul 25 04:12:43 CEST 2013

> My question is, how do I have to setup varnish, that the SSL requests pipe 
> through it and go directly to the managed server? And were do I have to 
> install the SSL certificate?

Varnish doesnt play with SSL in any fashion ( ), so you have to use 
other tools or different approaches for serving/piping the SSL traffic.

Depending on the software you are familiar with you can either directly 
forward the 443 port to your backend using the OS tools like 
iptables/ipfw/xinetd/etc (or any other "firewall/portfoward type" 
software) - then you need to install the certificate on the backend 
The drawback of this method is (unless you are using something like TPROXY 
for the iptable rules) the backend won't see the original client ip.

Or use something like haproxy / nginx / stud to offload the SSL.
Then you have to install the certificate on the proxy (unless it works in 
"tcp mode" -  haproxy (and nginx with third party module) can operate like 

Usually this is more easy to setup and the client ip can be passed with 
additional http headers (X-Forwarded-For) and most webservers have modules 
to transparently convert the ip for the application (nginx - realip / 
apache - mod_rpaf)

For a single instance of varnish I personally use Stud ( ).
Haproxy ( ) on the other hand is more suitable for 
more complex setups (multiple backends / loadbalancing and more).


More information about the varnish-misc mailing list