varnishlog client IP problem via Apache SSL reverse proxy

Admin Beckspaced admin at
Wed Aug 16 12:30:46 CEST 2017

Thanks Guillaume,

will then have a look into the info you provided and report back if I 
run into any trouble trying to setup hitch  ;)

What's your recommendation of up-to-date documents on how to setup hitch 
in front of varnish with multiple vhost SSL certificates?

So far I found:

Is there any docu elsewhere you can recommend?

Thanks a lot for your support!


On 16.08.2017 09:57, Guillaume Quintard wrote:
> At the risk of insisting, hitch is super easy to setup, once 
> installed, you just need to:
> - Edit /etc/hitch/hitch.conf to
>   - Set the front-end, usually *:443
>   - Set the backend (where to send decrypted traffic), 
> <>
>   - Set the pem-file line to point to a certificate
> - Add "-a <>,PROXY" to Varnish 
> command.
> The Varnish part will be needed anyway if you want to use the proxy 
> protocol.
> The docs here 
> can help you (except that the name of the package differs) but the 
> crux of it is really what I listed above.
> So we can do better next time, what didn't you like about the info you 
> got about hitch?
> -- 
> Guillaume Quintard
> On Aug 16, 2017 09:29, "Admin Beckspaced" <admin at 
> <mailto:admin at>> wrote:
>     Thanks a lot for your suggestion for using HaProxy ;)
>     My thinking was just: why install another bit of software when
>     apache is able to do the SSL termination.
>     But like Andrei said, if traffic spikes hit the apache runaround
>     will not be the optimal solution.
>     Do you guys have any recent up-to-date tutorials / howtos on
>     setting up HaProxy as SSL terminator in front of varnish.
>     also doing the SSL redirects ...
>     Did look around for Hitch but wasn't very pleased with the info
>     provided ;(
>     Any hints are welcome & thanks for your help & replies ;)
>     Greetings
>     Becki
>     On 15.08.2017 22:04, Jan Hugo Prins | BetterBe wrote:
>         I would not do it like that.
>         Better is to use something like Hitch or HaProxy (my
>         preference) and put that in front of Varnish.
>         Then HaProxy / Hitch can terminate all SSL traffic, and
>         HaProxy can also do your redirect to SSL if needed.
>         Then in Varnish you use the Apache server as a backend and let
>         it only serve what it needs to serve.
>         Use the ProxyProtocol to send the client information from
>         HaProxy to Vernish.
>         In Varnish you need to put the client IP into the
>         X-Forwarded-For header.
>         In Apache you can then use this header to have the real client
>         IP address.
>         This way you have the real client IP information on all layers.
>         Jan Hugo Prins
>     _______________________________________________
>     varnish-misc mailing list
>     varnish-misc at <mailto:varnish-misc at>
>     <>

More information about the varnish-misc mailing list