Varnish, NGINX SSL and Wordpress

Carlos Peñas San José theistian at gmx.com
Wed Nov 11 19:58:34 CET 2015


Also, if you want to deliver different content while using the same varnish,
you must add x-forwarded-proto to the hashed_data.

I do not use wordpress, my stack is nginx(http(80), http(443)) -  varnish
(6080) - rails (8080)

When a request is made to the 443 port I add the header x-forwarded-proto
"https" to the proxied request in nginx (via proxy_set_header). Then in
VCL you must add that header in hash_data here:

sub vcl_hash {
        if (req.http.X-Forwarded-Proto) {
                hash_data(req.http.X-Forwarded-Proto);
        }
}

With this you are storing two versions for the same URL, one for http and
the other for https, so you won't end up getting an http cached item when
accessing via https and vice versa.

In the app backend the Rails app renders stuff using X-Forwarded-Proto as a
hint to know what the working protocol is.


2015-11-03 16:16 GMT+01:00 Phil Daws <uxbod at splatnix.net>:

> Thank you to both.
>
> Will clone my existing instance and give these suggestions a whirl.
>
> Phil.
>
> ----- On 3 Nov, 2015, at 14:17, Jason Heffner jdh132 at psu.edu wrote:
>
> > We run Varnish in between an F5 and Apache as well as use Nginx for ssl and load
> > balancing in development, in conjunction with Wordpress backends. You have to
> > tell Wordpress that you are behind SSL and it will function properly. To
> > accomplish this I’d use the following code in wp-config.php
> >
> > if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
> >        $_SERVER['HTTPS']='on';
> > }
> >
> > You can then also set FORCE_SSL_ADMIN and FORCE_SSL_LOGIN however you see fit
> > and it should work. I saw some updates not that long ago to support proxy
> > headers but don’t believe they are fully supported yet.
> >
> > Jason
> >
> >
> >> On Nov 2, 2015, at 12:37 PM, Carlos M. Fernández <cfernand at sju.edu> wrote:
> >>
> >> Hi, Phil,
> >>
> >> We don't use Nginx but do SSL termination at a hardware load balancer,
> >> with most of the work to support that setup done in the VCL, and something
> >> similar could possibly apply to your scenario.
> >>
> >> Our load balancer can use different backend ports depending on which
> >> protocol the client requests; e.g., if the client connects to port 80 for
> >> HTTP, then the load balancer proxies that to Varnish on port 80, while if
> >> the client connects to 443 for HTTPS the load balancer proxies to Varnish
> >> on port 8008. The choice of Varnish port numbers doesn't matter, just the
> >> fact that Varnish listens on both ports and that the load balancer uses
> >> one or the other based on the SSL status with the client (using the
> >> command line option "-a :80,8008" in this case).
> >>
> >> Then, in vcl_recv, we have the following to inform the backend when an SSL
> >> request has arrived:
> >>
> >> if ( std.port( server.ip ) == 8008 ) {
> >>    set req.http.X-Forwarded-Proto = "https";
> >> }
> >>
> >> We also have the following in vcl_hash to cache HTTP and HTTPS requests
> >> separately and avoid redirection loops:
> >>
> >> if ( req.http.X-Forwarded-Proto ) {
> >>    hash_data( req.http.X-Forwarded-Proto );
> >> }
> >>
> >> The backend then can look for that header and respond accordingly. For
> >> example, in Apache we set the HTTPS environment variable to "on":
> >>
> >> SetEnvIf X_FORWARDED_PROTO https HTTPS=on
> >>
> >> I have no knowledge of Nginx, but if it can be configured to use different
> >> backend ports then you should be able to use the above.
> >>
> >> Best regards,
> >> --
> >> Carlos.
> >>
> >> -----Original Message-----
> >> From: varnish-misc-bounces+cfernand=sju.edu at varnish-cache.org
> >> [mailto:varnish-misc-bounces+cfernand=sju.edu at varnish-cache.org] On Behalf
> >> Of Phil Daws
> >> Sent: Monday, 02 November, 2015 12:03
> >> To: varnish-misc at varnish-cache.org
> >> Subject: Varnish, NGINX SSL and Wordpress
> >>
> >> Hello,
> >>
> >> Are any of you running Varnish in-front of a SSL Wordpress site ?
> >>
> >> I have tried using NGINX as the SSL termination point and proxying back to
> >> Varnish on port 80 but you end up with mixed content errors.  If you tell
> >> Wordpress to use https exclusively, and you are proxy with http, then you
> >> get into 301 perm loop.
> >>
> >> Any thoughts please ?
> >>
> >> Thanks, Phil
> >>
> >>
> >>
> >> _______________________________________________
> >> varnish-misc mailing list
> >> varnish-misc at varnish-cache.org
> >> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
> >>
>
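
The behaviour discussed in this thread, as an added example that is not part of the original messages: a toy Python model of the nginx -> Varnish -> backend chain, showing why a cache keyed only on URL and Host serves a cached 301 to HTTPS clients, and how hashing X-Forwarded-Proto separates the two variants. The names `edge`, `backend`, `Cache`, `follow` and the host `example.test` are hypothetical.

```python
# Added example: toy model only, not Varnish, nginx or WordPress code.

def edge(port, path, host="example.test"):
    """TLS terminator: sets X-Forwarded-Proto itself, from the listener port."""
    return {"host": host, "url": path,
            "X-Forwarded-Proto": "https" if port == 443 else "http"}

def backend(req):
    """HTTPS-only application: redirects plain HTTP, serves the page otherwise."""
    if req["X-Forwarded-Proto"] != "https":
        return (301, "https://%s%s" % (req["host"], req["url"]))
    return (200, "<html>page</html>")

class Cache:
    def __init__(self, hash_proto):
        self.hash_proto = hash_proto
        self.store = {}

    def key(self, req):
        # Varnish's built-in vcl_hash uses URL and Host; the vcl_hash shown
        # in the thread adds X-Forwarded-Proto on top of that.
        k = (req["url"], req["host"])
        if self.hash_proto:
            k += (req["X-Forwarded-Proto"],)
        return k

    def fetch(self, req):
        k = self.key(req)
        if k not in self.store:          # miss: ask the backend and store
            self.store[k] = backend(req)
        return self.store[k]

def follow(cache, port, path, max_hops=5):
    """Client that follows redirects. Returns (final_status, redirects_followed)."""
    hops = 0
    while hops <= max_hops:
        status, _ = cache.fetch(edge(port, path))
        if status != 301:
            return status, hops
        port = 443                       # the redirect always points at https
        hops += 1
    return 301, hops                     # gave up: redirect loop

if __name__ == "__main__":
    print("proto not hashed:", follow(Cache(False), 80, "/"))
    print("proto hashed:    ", follow(Cache(True), 80, "/"))
```
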