Mailing List Archive: Varnish: Misc

Rewriting/enforcing SSL behind an SSL termination point

 

 



jason at pethub
Dec 8, 2011, 11:08 PM
Post #1 of 9
Rewriting/enforcing SSL behind an SSL termination point

Hi everyone, new Varnish user and new to the list here, but I've quickly
become a strong advocate of using Varnish in our organization based on my
initial experiences with it.

However, I'm having a difficult time finding information on what I think
would be a fairly common problem. We want to enforce the use of www.
(which we currently do with mod_rewrite) AND enforce the use of HTTPS -
site wide. I'm aware that we can do both of these with mod_rewrite, but
there are various reasons I'd like to keep this at the Varnish level…

We are hosted on Amazon Web Services and all SSL termination is done by an
Elastic Load Balancer. So all I'm looking to do is re-write URLs like
this…

http://domain.com -> https://www.domain.com
http://www.domain.com -> https://www.domain.com
https://domain.com -> https://www.domain.com

Of course, we also want to pass on the x-forwarded-proto header (which is
pretty well documented, no problem there.)

The URL re-write directions on the website address rewriting the host and
the path well, but not SSL. It would make me quite happy if we could use
Varnish for all this.

Regards,
Jason Farnsworth



_______________________________________________
varnish-misc mailing list
varnish-misc [at] varnish-cache
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc


varnish at mm
Dec 8, 2011, 11:45 PM
Post #2 of 9
Re: Rewriting/enforcing SSL behind an SSL termination point [In reply to]

On Fri, Dec 09, 2011 at 07:08:50AM +0000, Jason Farnsworth wrote:
> I'm having a difficult time finding information on what I think
> would be a fairly common problem. We want to enforce the use of
> www. (which we currently do with mod_rewrite) AND enforce the use
> of HTTPS - site wide. I'm aware that we can do both of these with
> mod_rewrite, but there are various reasons I'd like to keep this at
> the Varnish level…

Since Varnish doesn't handle HTTPS there's a sort of level of
abstraction here. You need some other indicator as to whether the
connection was made via SSL, which it sounds like you have:

> We are hosted on Amazon Web Services and all SSL termination is done
> by an Elastic Load Balancer. So all I'm looking to do is re-write
> URLs like this…
>
> http://domain.com -> https://www.domain.com
> http://www.domain.com -> https://www.domain.com
> https://domain.com -> https://www.domain.com
>
> Of course, we also want to pass on the x-forwarded-proto header
> (which is pretty well documented, no problem there.)

I take it the X-Forwarded-Proto header a) indicates whether the
connection was made via SSL or not and b) can be trusted? If so then
you're set. If not you'll need to find something in the request you
can use for this purpose.

> The URL re-write directions on the website address rewriting the
> host and the path well, but not SSL. It would make me quite happy
> if we could use Varnish for all this.

Once you have a mechanism for determining how the original connection
was made, it's pretty straightforward. In vcl_recv you just check for
that header e.g. if (req.http.X-Forwarded-Proto ~ "SSL") or whatever,
and if it wasn't SSL then you issue a redirect to the same URL with an
https:// prefix in the usual manner.



perbu at varnish-software
Dec 9, 2011, 12:48 AM
Post #3 of 9
Re: Rewriting/enforcing SSL behind an SSL termination point [In reply to]

On Fri, Dec 9, 2011 at 8:08 AM, Jason Farnsworth <jason [at] pethub> wrote:

> We are hosted on Amazon Web Services and all SSL termination is done by an
> Elastic Load Balancer. So all I'm looking to do is re-write URLs like
> this
>
> http://domain.com -> https://www.domain.com
> http://www.domain.com -> https://www.domain.com
> https://domain.com -> https://www.domain.com


Varnish will not rewrite the actual content coming from the backend. We can
however, _redirect_ the client whenever they ask for a http:// URL.

We use the following code on varnish-cache.org to do this:

in vcl_recv:

    # "localhost" is an ACL (e.g. acl localhost { "127.0.0.1"; }) that matches
    # requests arriving from the SSL terminator running on the same host.
    if ((req.http.host ~ "(?i)www.varnish-cache.org") && !(client.ip ~ localhost)) {
        set req.http.x-redir-url = "https://" + req.http.host + req.url;
        error 750 req.http.x-redir-url;
    }

(..)


sub vcl_error {
    # standard redirection in VCL:
    if (obj.status == 750) {
        set obj.http.Location = obj.response;
        set obj.status = 302;
        return(deliver);
    }
}


Since we have an SSL terminator in front of Varnish, client.ip is localhost
when there is SSL present. You might want to change the code to test
X-Forwarded-Proto for whatever it is set to.


--
Per Buer, CEO
Phone: +47 21 98 92 61 / Mobile: +47 958 39 117 / Skype: per.buer
Varnish makes websites fly!
Whitepapers <http://www.varnish-software.com/whitepapers> | Video <http://www.youtube.com/watch?v=x7t2Sp174eI> | Twitter <https://twitter.com/varnishsoftware>


jason at pethub
Dec 14, 2011, 8:40 PM
Post #4 of 9
Re: Rewriting/enforcing SSL behind an SSL termination point [In reply to]

This is great, I'll give this a shot and report back!



jason at pethub
Dec 15, 2011, 12:51 PM
Post #5 of 9
Re: Rewriting/enforcing SSL behind an SSL termination point [In reply to]

Alright, I had to re-write the rule a bit since I'm watching for X-Forwarded-Proto, and want to handle domain.com as well as www.domain.com. I've put this rule together, and it seems to be working OK…

sub vcl_recv {
    # Redirect when the bare domain was used (over http or https), or when the
    # www. host was used over plain http (X-Forwarded-Proto is set by the ELB).
    if ((req.http.host ~ "^(?i)pethub.com")
        || ((req.http.host ~ "^(?i)www.pethub.com")
            && (req.http.X-Forwarded-Proto !~ "(?i)https"))) {
        set req.http.x-redir-url = "https://www.pethub.com" + req.url;
        error 750 req.http.x-redir-url;
    }
}

sub vcl_error {
    if (obj.status == 750) {
        set obj.http.Location = obj.response;
        set obj.status = 302;
        return(deliver);
    }
}

Thanks for the info!

Jason

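The rule in this post, combined with the trust question raised in the second reply (can X-Forwarded-Proto be believed?), as an added example that is not the thread's own code and not the varnish-cache.org configuration. It is written in the VCL 3.0 dialect used above. The host example.com, the 10.0.0.0/8 range for the load balancer and the /elb-health path are placeholders to be replaced with your own values. Like the pethub.com rule, it fixes the target host instead of echoing req.http.host into the Location header, so a client-supplied Host cannot steer the redirect, and it only honours X-Forwarded-Proto when the request actually came from the terminator.

```vcl
# Added example (not from the thread): enforce https://www.example.com behind
# an SSL-terminating load balancer, trusting X-Forwarded-Proto only from it.
# Assumptions: host example.com, balancer range 10.0.0.0/8, health-check
# path /elb-health. VCL 3.0 syntax.

acl trusted_lb {
    "127.0.0.1";      # a terminator on the same host (stunnel, pound, nginx)
    "10.0.0.0"/8;     # the load balancer's addresses; adjust to your network
}

sub vcl_recv {
    # A client that reaches port 80 on this instance directly could send
    # "X-Forwarded-Proto: https" itself and skip the redirect below.
    # Only believe the header when the peer is a trusted terminator.
    if (!(client.ip ~ trusted_lb)) {
        unset req.http.X-Forwarded-Proto;
    }

    # Let the balancer's health check through; a 301 here would make the
    # balancer mark the instance unhealthy.
    if (req.url == "/elb-health") {
        return (pass);
    }

    # Compare against the Host header without any :port suffix.
    set req.http.x-host = regsub(req.http.host, ":[0-9]+$", "");

    # Redirect the bare domain (any scheme) and the www host over plain http.
    # The regexes are anchored: an unanchored "www.example.com" would also
    # match a Host header such as "www.example.com.attacker.test".
    if (req.http.x-host ~ "(?i)^example\.com$"
        || (req.http.x-host ~ "(?i)^www\.example\.com$"
            && req.http.X-Forwarded-Proto !~ "(?i)^https$")) {
        # Target host is fixed; only the path and query are carried over.
        set req.http.x-redir-url = "https://www.example.com" + req.url;
        error 750 req.http.x-redir-url;
    }
    unset req.http.x-host;
}

sub vcl_error {
    if (obj.status == 750) {
        set obj.http.Location = obj.response;
        set obj.status = 301;   # permanent, so browsers remember the canonical URL
        return (deliver);
    }
}

sub vcl_deliver {
    # Advertise HSTS only on responses that actually travelled over TLS;
    # browsers ignore the header on plain http anyway.
    if (req.http.X-Forwarded-Proto ~ "(?i)^https$") {
        set resp.http.Strict-Transport-Security = "max-age=31536000";
    }
}
```

Two things worth checking before deploying: that the ACL really covers every address the balancer can connect from (if it does not, legitimate https traffic loses its X-Forwarded-Proto and loops through the redirect), and that the health check path is excluded. On Varnish 4 and later the same logic uses `return (synth(750, req.http.x-redir-url));` in vcl_recv and a `sub vcl_synth` that sets `resp.http.Location = resp.reason;` and `resp.status = 301;` in place of vcl_error and obj.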


cosimo at streppone
Dec 19, 2011, 6:27 AM
Post #6 of 9
Re: Rewriting/enforcing SSL behind an SSL termination point [In reply to]

On Thu, 15 Dec 2011 21:51:01 +0100, Jason Farnsworth <jason [at] pethub>
wrote:

> I've put this rule together, and it seems to be working

Thanks. Added to the wiki, may be useful to others (/me).

"Redirect to HTTPS",

https://www.varnish-cache.org/trac/wiki/VCLExampleRedirectInVCL

--
Cosimo



jason at pethub
Dec 20, 2011, 2:04 AM
Post #7 of 9
Re: Rewriting/enforcing SSL behind an SSL termination point [In reply to]

Great! FYI - we've had this running on our production site for a few days
now with no issues at all. It's working very well.



cianmcgovern91 at gmail
Dec 31, 2011, 5:22 PM
Post #8 of 9
Re: Rewriting/enforcing SSL behind an SSL termination point [In reply to]

Hi,

I'm having an issue when I try to implement the redirect and reload varnish:

Message from VCC-compiler:
Expected variable, string or semicolon
(input Line 17 Pos 68)
set req.http.x-redir-url = "https://www.cianmcgovern.com/" +
req.url;

---------------------------------------------------------------------------#---------

Can't find a solution to this but I suspect it might be due to the version,
2.1.5, I'm using??

Thanks for any help!


perbu at varnish-software
Jan 3, 2012, 6:24 AM
Post #9 of 9
Re: Rewriting/enforcing SSL behind an SSL termination point [In reply to]

Hi Cian,

On Sun, Jan 1, 2012 at 2:22 AM, Cian Mc Govern <cianmcgovern91 [at] gmail> wrote:

> I'm having an issue when I try to implement the redirect and reload varnish:
>
> Message from VCC-compiler:
> Expected variable, string or semicolon
> (input Line 17 Pos 68)
> set req.http.x-redir-url = "https://www.cianmcgovern.com/" +
> req.url;
>
> ---------------------------------------------------------------------------#---------
>
> Can't find a solution to this but I suspect it might be due to the
> version, 2.1.5, I'm using??
>

In 2.1 string concatenation looks like this:
set req.http.x-redir-url = "https://www.cianmcgovern.com/" req.url;

In 3.0 this was done explicitly using "+".





