varnishlog client IP problem via Apache SSL reverse proxy

Guillaume Quintard guillaume at varnish-software.com
Wed Aug 16 12:39:23 CEST 2017


For multiple certificates, simply put multiple pem-file lines in
hitch.conf, and you're good to go :-)

-- 
Guillaume Quintard

On Aug 16, 2017 12:30, "Admin Beckspaced" <admin at beckspaced.com> wrote:

> Thanks Guillaume,
>
> will then have a look into the info you provided and report back if I run
> into any trouble trying to set up hitch ;)
>
> What's your recommendation of up-to-date documents on how to set up hitch
> in front of varnish with multiple vhost SSL certificates?
>
> So far I found:
>
> https://github.com/varnish/hitch
> https://hitch-tls.org/
>
> Is there any docu elsewhere you can recommend?
>
> Thanks a lot for your support!
>
> Greetings
> Becki
>
>
> On 16.08.2017 09:57, Guillaume Quintard wrote:
>
>> At the risk of insisting, hitch is super easy to set up, once installed,
>> you just need to:
>> - Edit /etc/hitch/hitch.conf to
>>   - Set the front-end, usually *:443
>>   - Set the backend (where to send decrypted traffic), 127.0.0.1:8443
>>   - Set the pem-file line to point to a certificate
>> - Add "-a 127.0.0.1:8443,PROXY" to the Varnish command.
>>
>> The Varnish part will be needed anyway if you want to use the proxy
>> protocol.
>>
>> The docs here
>> https://docs.varnish-software.com/varnish-cache-plus/features/client-ssl/
>> can help you (except that the name of the package differs) but the crux
>> of it is really what I listed above.
>>
>> So we can do better next time, what didn't you like about the info you
>> got about hitch?
>>
>> --
>> Guillaume Quintard
>>
>> On Aug 16, 2017 09:29, "Admin Beckspaced" <admin at beckspaced.com> wrote:
>>
>>     Thanks a lot for your suggestion for using HaProxy ;)
>>
>>     My thinking was just: why install another bit of software when
>>     apache is able to do the SSL termination.
>>     But like Andrei said, if traffic spikes hit the apache runaround
>>     will not be the optimal solution.
>>
>>     Do you guys have any recent up-to-date tutorials / howtos on
>>     setting up HaProxy as SSL terminator in front of Varnish,
>>     also doing the SSL redirects?
>>
>>     Did look around for Hitch but wasn't very pleased with the info
>>     provided ;(
>>
>>     Any hints are welcome & thanks for your help & replies ;)
>>
>>     Greetings
>>     Becki
>>
>>
>>
>>     On 15.08.2017 22:04, Jan Hugo Prins | BetterBe wrote:
>>
>>         I would not do it like that.
>>         Better is to use something like Hitch or HaProxy (my
>>         preference) and put that in front of Varnish.
>>         Then HaProxy / Hitch can terminate all SSL traffic, and
>>         HaProxy can also do your redirect to SSL if needed.
>>         Then in Varnish you use the Apache server as a backend and let
>>         it only serve what it needs to serve.
>>         Use the ProxyProtocol to send the client information from
>>         HaProxy to Varnish.
>>         In Varnish you need to put the client IP into the
>>         X-Forwarded-For header.
>>         In Apache you can then use this header to have the real client
>>         IP address.
>>
>>         This way you have the real client IP information on all layers.
>>
>>         Jan Hugo Prins
>>
>
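The setup Jan Hugo and Guillaume describe (hitch terminating TLS, PROXY protocol into Varnish, X-Forwarded-For handed to Apache), as an added VCL example written for this archive page; it is not code from the thread nor from the Varnish or Hitch projects. It assumes Varnish 4.1 or later (for `local.ip` and `std.port()`), that varnishd was started with `-a 127.0.0.1:8443,PROXY` as suggested above, and that Apache listens on 127.0.0.1:8080 (a constructed value). The security-relevant point is that Varnish only appends `client.ip` to whatever X-Forwarded-For a client sent, so the header must be overwritten before Apache is allowed to trust it:

```vcl
vcl 4.0;
import std;

# Apache behind Varnish (constructed address; adjust to your setup).
backend apache {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # With the PROXY protocol, client.ip and server.ip are the addresses
    # carried in the PROXY header (the real client and hitch's *:443
    # frontend), while local.ip is the socket varnishd actually accepted on.
    # Checking local.ip's port therefore identifies the ",PROXY" listener.
    # Assumption: 8443 matches the backend line in hitch.conf.
    if (std.port(local.ip) == 8443) {
        set req.http.X-Forwarded-Proto = "https";
    } else {
        set req.http.X-Forwarded-Proto = "http";
    }

    # Varnish has already appended client.ip to any X-Forwarded-For the
    # client chose to send. Replace the whole list with the one address
    # Varnish observed, so a spoofed header never reaches Apache's logs.
    set req.http.X-Forwarded-For = client.ip;
}
```

Two things make this hold end to end: hitch must actually emit the PROXY header (`write-proxy-v2 = on` in hitch.conf, otherwise the `,PROXY` listener rejects the plain connection), and Apache should only trust the header from Varnish, e.g. with mod_remoteip set to `RemoteIPHeader X-Forwarded-For` and `RemoteIPInternalProxy 127.0.0.1`, while listening on loopback only so nothing else can reach it with a forged header.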