Mailing List Archive: Varnish: Misc

Varnish pipe through for SSL requests



yarishima42 at googlemail

Jul 24, 2013, 4:31 PM

Post #1 of 8
Varnish pipe through for SSL requests

Hello,

We have the following server setting:

First a Magento shop on a managed server. It serves the non-SSL and SSL
traffic. Now we want to set up a varnish caching server. Because it is a
managed server we cannot install any extra software on it, so we need to do it
on another root server.

I set up varnish on this root server and for non-SSL requests everything works
fine. Varnish should only cache non-SSL pages, everything regarding the
checkout or account should not be cached by varnish. My question is, how do I
have to set up varnish so that the SSL requests pipe through it and go directly
to the managed server? And where do I have to install the SSL certificate?

Thanx in advance
YS

_______________________________________________
varnish-misc mailing list
varnish-misc [at] varnish-cache
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc


smwood4 at gmail

Jul 24, 2013, 6:39 PM

Post #2 of 8

Re: Varnish pipe through for SSL requests

Unfortunately varnish only supports HTTP and not HTTPS, but you may find
this other user's experience helpful:

https://www.varnish-cache.org/lists/pipermail/varnish-misc/2011-June/020695.html


On Wed, Jul 24, 2013 at 4:31 PM, Yari Shima <yarishima42 [at] googlemail> wrote:

> Hello,
>
> We have the following server setting:
>
> First a Magento shop on a managed server. It serves the non-SSL and SSL
> traffic. Now we want to set up a varnish caching server. Because it is a
> managed server we cannot install any extra software on it, so we need to
> do it
> on another root server.
>
> I set up varnish on this root server and for non-SSL requests everything
> works
> fine. Varnish should only cache non-SSL pages, everything regarding the
> checkout or account should not be cached by varnish. My question is, how
> do I
> have to set up varnish so that the SSL requests pipe through it and go
> directly
> to the managed server? And where do I have to install the SSL certificate?
>
> Thanx in advance
> YS



--
Stephen Wood
Dev/Ops Engineer
Moz, Inc.
Website: www.heystephenwood.com


r at roze

Jul 24, 2013, 7:12 PM

Post #3 of 8

Re: Varnish pipe through for SSL requests

> My question is, how do I have to set up varnish so that the SSL requests pipe
> through it and go directly to the managed server? And where do I have to
> install the SSL certificate?

Varnish doesn't play with SSL in any fashion (
https://www.varnish-cache.org/docs/trunk/phk/ssl.html ), so you have to use
other tools or different approaches for serving/piping the SSL traffic.

Depending on the software you are familiar with you can either directly
forward the 443 port to your backend using the OS tools like
iptables/ipfw/xinetd/etc (or any other "firewall/port-forward type"
software) - then you need to install the certificate on the backend
webserver.
The drawback of this method is (unless you are using something like TPROXY
for the iptables rules) the backend won't see the original client ip.


Or use something like haproxy / nginx / stud to offload the SSL.
Then you have to install the certificate on the proxy (unless it works in
"tcp mode" - haproxy (and nginx with third party module) can operate like
that).

Usually this is easier to set up and the client ip can be passed with
additional http headers (X-Forwarded-For) and most webservers have modules
to transparently convert the ip for the application (nginx - realip /
apache - mod_rpaf).


For a single instance of varnish I personally use Stud (
https://github.com/bumptech/stud ).
Haproxy ( http://haproxy.1wt.eu/ ) on the other hand is more suitable for
more complex setups (multiple backends / loadbalancing and more).

rr




yarishima42 at googlemail

Jul 25, 2013, 12:22 PM

Post #4 of 8

Re: Varnish pipe through for SSL requests

Hi Reinis,

Thanks for your answer.
But can't I use apache to listen on port 443 on my root server and with
mod_proxy pipe the traffic through to my managed server?

Best
YS



smwood4 at gmail

Jul 25, 2013, 1:31 PM

Post #5 of 8

Re: Varnish pipe through for SSL requests

I'm not familiar with mod_proxy, but the point is that traffic being
received by varnish must be plain http traffic. Any SSL encryption
*must* be terminated before it reaches the port Varnish is running on.

There are many different ways to do this and mod_proxy and apache might be
one as long as you fulfill the above requirement and Varnish is receiving
only http traffic. I find that the easiest solution is to do SSL
termination on your load balancer.


On Thu, Jul 25, 2013 at 12:22 PM, Yari Shima <yarishima42 [at] googlemail> wrote:

> Hi Reinis,
>
> Thanks for your answer.
> But can't I use apache to listen on port 443 on my root server and with
> mod_proxy pipe the traffic through to my managed server?
>
> Best
> YS



--
Stephen Wood
Dev/Ops Engineer
Moz, Inc.
Website: www.heystephenwood.com


numard at gmail

Jul 25, 2013, 6:22 PM

Post #6 of 8

Re: Varnish pipe through for SSL requests

You should be able to with modproxy.. We terminate on nginx which acts as
proxy for clusters of app servers and varnishes...just tell nginx to
connect to varnish over http.
On 26/07/2013 5:27 AM, "Yari Shima" <yarishima42 [at] googlemail> wrote:

> Hi Reinis,
>
> Thanks for your answer.
> But can't I use apache to listen on port 443 on my root server and with
> mod_proxy pipe the traffic through to my managed server?
>
> Best
> YS


dharrigan at gmail

Jul 29, 2013, 6:24 AM

Post #7 of 8

Re: Varnish pipe through for SSL requests

Hi,

Our approach is to terminate using Pound (http://www.apsis.ch/pound), then
to pass on to Varnish. It works *wonderfully* well and is super easy to
configure.

-=david=-


On 26 July 2013 02:22, Norberto Meijome <numard [at] gmail> wrote:

> You should be able to with modproxy.. We terminate on nginx which acts as
> proxy for clusters of app servers and varnishes...just tell nginx to
> connect to varnish over http.
> On 26/07/2013 5:27 AM, "Yari Shima" <yarishima42 [at] googlemail> wrote:
>
>> Hi Reinis,
>>
>> Thanks for your answer.
>> But can't I use apache to listen on port 443 on my root server and with
>> mod_proxy pipe the traffic through to my managed server?
>>
>> Best
>> YS



--
I prefer encrypted and signed messages. KeyID: B20A22F9
Fingerprint: 110A F423 3647 54E2 880F ADAD 1C52 85BF B20A 22F9

"It is not usually until you've built and used a version of the program
that you understand the issues well enough to get the design right." - Rob
Pike, Brian Kernighan.

No trees were harmed in the sending of this message, however, a number of
electrons were inconvenienced.


gabster at lelutin

Jul 29, 2013, 11:12 AM

Post #8 of 8

Re: Varnish pipe through for SSL requests

Hi there,

On 29/07/13 09:24 AM, David Harrigan wrote:
> Our approach is to terminate using Pound (http://www.apsis.ch/pound),
> then to pass on to Varnish. It works *wonderfully* well and is super
> easy to configure.

Please note that if it is set up that way with the infrastructure that
the OP described (e.g. caching needs to be on another server than the
web server), then it means that your clients who are using an encrypted
connection to your site will have their traffic pass over the internet
unencrypted between the caching node and the web server.

That's usually very bad security-wise because as a client, if you use
encryption, you expect that any sensitive data passed to a site stays
encrypted over the network and that only that website can gain access to
the sensitive data. If traffic goes through the net unencrypted, then
that assumption is completely false.


In that case, you can either:

* consider moving your web hosting to your other server that hosts
varnish, if you feel up to the challenge of managing your own web server.
* or find some way to re-encrypt traffic between the caching and the web
server.


For the second option, the easiest would be to set up an encryption tunnel
(like a VPN) between both servers and use the tunnel exclusively to
communicate between varnish and the web server.

> On 26 July 2013 02:22, Norberto Meijome <numard [at] gmail
> <mailto:numard [at] gmail>> wrote:
>
> You should be able to with modproxy.. We terminate on nginx which
> acts as proxy for clusters of app servers and varnishes...just tell
> nginx to connect to varnish over http.
>
> On 26/07/2013 5:27 AM, "Yari Shima" <yarishima42 [at] googlemail
> <mailto:yarishima42 [at] googlemail>> wrote:
>
> Hi Reinis,
>
> Thanks for your answer.
> But can't I use apache to listen on port 443 on my root server
> and with
> mod_proxy pipe the traffic through to my managed server?


--
Gabriel Filion

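The two points raised in the thread (Reinis's advice to offload SSL on a proxy that passes the client IP along, and Gabriel's warning that the cache-to-origin hop must not cross the internet in the clear) can be combined in a single HAProxy configuration. This is an added example, not a config posted by anyone in the thread; it assumes HAProxy 1.5 or later (for the `ssl`, `verify` and `http-request set-header` keywords), Varnish listening on 127.0.0.1:6081 with its backend set to 127.0.0.1:8080, and the hostname `shop.example.com`, the origin address `203.0.113.10` and the Magento paths `/checkout` and `/customer` are constructed placeholders.

```haproxy
# Added example (not from the thread). Layout:
#   client --TLS--> haproxy:443 --http--> varnish:6081 --http--> haproxy:8080 --TLS--> origin:443
# Plaintext only ever travels over the loopback interface of the root server.
defaults
    mode    http
    option  httplog
    # Add the real client IP; skip when the connection comes from loopback
    # (i.e. from Varnish), so the header set on the public side is kept as-is.
    option  forwardfor except 127.0.0.0/8
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Public entry point. The certificate (plus key) for the shop is installed
# here on the proxy, since Varnish itself never sees TLS.
frontend public
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/shop.example.com.pem
    # Let Varnish and the application know whether the client used HTTPS.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http  if !{ ssl_fc }
    # Checkout and account pages bypass the cache entirely and go to the origin.
    acl uncacheable path_beg /checkout /customer
    use_backend origin if uncacheable
    default_backend varnish

# Varnish on the same root server, plain HTTP only.
backend varnish
    server varnish 127.0.0.1:6081 check

# Loopback listener that Varnish uses as its backend.
frontend from_varnish
    bind 127.0.0.1:8080
    default_backend origin

# Re-encrypt toward the managed web server and verify its certificate, so a
# forged origin on the path cannot read or alter checkout traffic.
backend origin
    server shop 203.0.113.10:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost shop.example.com
```

The managed server still needs a certificate of its own on port 443 for the re-encrypted hop, and, as Reinis noted, a module such as mod_rpaf or realip to read the client address from X-Forwarded-For.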