Varnish pipe through for SSL requests

Gabriel Filion gabster at lelutin.ca
Mon Jul 29 20:12:23 CEST 2013


Hi there,

On 29/07/13 09:24 AM, David Harrigan wrote:
> Our approach is to terminate using Pound (http://www.apsis.ch/pound),
> then to pass on to Varnish. It works *wonderfully* well and is super
> easy to configure.

Please note that if it is set up that way with the infrastructure that
the OP described (e.g. caching needs to be on another server than the
web server), then it means that your clients who are using an encrypted
connection to your site will have their traffic pass over the internet
unencrypted between the caching node and the web server.

That's usually very bad security-wise because, as a client, if you use
encryption, you expect that any sensitive data passed to a site stays
encrypted over the network and that only that website can gain access to
the sensitive data. If traffic goes through the net unencrypted, then
that assumption is completely false.


In that case, you can either:

 * consider moving your web hosting to your other server that hosts
varnish, if you feel up to the challenge of managing your own web server.
 * or find some way to re-encrypt traffic between the caching and the web
server.


For the 2nd option, the easiest would be to set up an encryption tunnel
(like a VPN) between both servers and use the tunnel exclusively to
communicate between varnish and the web server.

> On 26 July 2013 02:22, Norberto Meijome <numard at gmail.com
> <mailto:numard at gmail.com>> wrote:
> 
>     You should be able to with modproxy.. We terminate on nginx which
>     acts as proxy for clusters of app servers and varnishes...just tell
>     nginx to connect to varnish over http.
> 
>     On 26/07/2013 5:27 AM, "Yari Shima" <yarishima42 at googlemail.com
>     <mailto:yarishima42 at googlemail.com>> wrote:
> 
>         Hi Reinis,
> 
>         Thanks for your answer.
>         But can't I use apache to listen on port 443 on my root server
>         and with
>         mod_proxy pipe the traffic through to my managed server?


-- 
Gabriel Filion
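As an added example (not part of the thread above and not Varnish project code), the following script audits the backend definitions in a VCL file for the situation the reply warns about: a Varnish backend reached over plaintext HTTP at a globally routable address rather than through a tunnel address. It assumes the tunnel or internal network uses the private ranges listed in PRIVATE_NETS, and uses a constructed VCL sample; DNS names are not resolved and are only reported for manual review.

```python
import ipaddress
import re

# Constructed sample VCL (not from the thread): one backend reached through a
# VPN tunnel address, one over a public-looking address, one by DNS name.
SAMPLE_VCL = """
backend web_tunnel { .host = "10.8.0.2"; .port = "80"; }
backend web_public { .host = "203.0.113.10"; .port = "80"; }
backend web_named  { .host = "www.example.org"; }
"""

# Assumption: these ranges stay on the private network / inside the tunnel.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128")]

BACKEND_RE = re.compile(r'backend\s+(\w+)\s*\{(.*?)\}', re.DOTALL)
FIELD_RE = re.compile(r'\.(host|port)\s*=\s*"([^"]*)"')


def parse_backends(vcl):
    """Return {name: {"host": ..., "port": ...}} from VCL backend blocks;
    Varnish defaults .port to "80" when it is omitted."""
    backends = {}
    for name, body in BACKEND_RE.findall(vcl):
        fields = dict(FIELD_RE.findall(body))
        backends[name] = {"host": fields.get("host"),
                          "port": fields.get("port", "80")}
    return backends


def audit_backends(vcl):
    """Classify each backend: 'ok' for private/tunnel addresses, 'FLAG' for
    globally routable addresses (plaintext leaves the network), 'review'
    for DNS names, which are not resolved here."""
    findings = {}
    for name, be in parse_backends(vcl).items():
        try:
            addr = ipaddress.ip_address(be["host"])
        except ValueError:
            findings[name] = "review: DNS name, check where it resolves"
            continue
        if any(addr in net for net in PRIVATE_NETS):
            findings[name] = "ok: private/tunnel address %s" % addr
        else:
            findings[name] = "FLAG: plaintext HTTP to public host %s" % addr
    return findings


if __name__ == "__main__":
    for name, verdict in audit_backends(SAMPLE_VCL).items():
        print("%s: %s" % (name, verdict))
```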
