varnishlog client IP problem via Apache SSL reverse proxy

Admin Beckspaced admin at
Wed Aug 16 08:56:10 CEST 2017

Thanks a lot for your suggestion for using HaProxy ;)

My thinking was just: why install another bit of software when apache is 
able to do the SSL termination.
But like Andrei said, if traffic spikes hit the apache runaround will 
not be the optimal solution.

Do you guys have any recent up-to-date tutorials / howtos on setting up 
HaProxy as SSL terminator in front of varnish.
also doing the SSL redirects ...

Did look around for Hitch but wasn't very pleased with the info provided ;(

Any hints are welcome & thanks for your help & replies ;)


On 15.08.2017 22:04, Jan Hugo Prins | BetterBe wrote:
> I would not do it like that.
> Better is to use something like Hitch or HaProxy (my preference) and 
> put that in front of Varnish.
> Then HaProxy / Hitch can terminate all SSL traffic, and HaProxy can 
> also do your redirect to SSL if needed.
> Then in Varnish you use the Apache server as a backend and let it only 
> serve what it needs to serve.
> Use the ProxyProtocol to send the client information from HaProxy to 
> Vernish.
> In Varnish you need to put the client IP into the X-Forwarded-For header.
> In Apache you can then use this header to have the real client IP address.
> This way you have the real client IP information on all layers.
> Jan Hugo Prins

More information about the varnish-misc mailing list