varnishlog client IP problem via Apache SSL reverse proxy

Guillaume Quintard guillaume at
Wed Aug 16 09:57:47 CEST 2017

At the risk of insisting, hitch is super easy to setup, once installed, you
just need to:
- Edit /etc/hitch/hitch.conf to
  - Set the front-end, usually *:443
  - Set the backend (where to send decrypted traffic),
  - Set the pem-file line to point to a certificate
- Add "-a,PROXY" to Varnish command.

The Varnish part will be needed anyway if you want to use the proxy

The docs here
can help you (except that the name of the package differs) but the crux of
it is really what I listed above.

So we can do better next time, what didn't you like about the info you got
about hitch?

Guillaume Quintard

On Aug 16, 2017 09:29, "Admin Beckspaced" <admin at> wrote:

> Thanks a lot for your suggestion for using HaProxy ;)
> My thinking was just: why install another bit of software when apache is
> able to do the SSL termination.
> But like Andrei said, if traffic spikes hit the apache runaround will not
> be the optimal solution.
> Do you guys have any recent up-to-date tutorials / howtos on setting up
> HaProxy as SSL terminator in front of varnish.
> also doing the SSL redirects ...
> Did look around for Hitch but wasn't very pleased with the info provided ;(
> Any hints are welcome & thanks for your help & replies ;)
> Greetings
> Becki
> On 15.08.2017 22:04, Jan Hugo Prins | BetterBe wrote:
>> I would not do it like that.
>> Better is to use something like Hitch or HaProxy (my preference) and put
>> that in front of Varnish.
>> Then HaProxy / Hitch can terminate all SSL traffic, and HaProxy can also
>> do your redirect to SSL if needed.
>> Then in Varnish you use the Apache server as a backend and let it only
>> serve what it needs to serve.
>> Use the ProxyProtocol to send the client information from HaProxy to
>> Vernish.
>> In Varnish you need to put the client IP into the X-Forwarded-For header.
>> In Apache you can then use this header to have the real client IP address.
>> This way you have the real client IP information on all layers.
>> Jan Hugo Prins
> _______________________________________________
> varnish-misc mailing list
> varnish-misc at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the varnish-misc mailing list