About

Varnish does not support SSL, so if you have SSL websites on your backend servers, you will need to terminate the SSL connection before it reaches Varnish.

Diagram

The main idea is that browsers establish a connection to NGiNX first; NGiNX terminates the SSL connection and forwards the plain HTTP request on to Varnish. In turn, Varnish queries the backends and the response travels back to the browser through NGiNX.

Configuring NGiNX

On Debian NGiNX can be installed by issuing:

aptitude install nginx

and then the file at /etc/nginx/sites-available/default can be edited to include the following:

server {
    listen 443 ssl;
    server_name site.tld;
    # Certificate and private key used to terminate the SSL connection.
    ssl_certificate /etc/nginx/ssl/site.tld.crt;
    ssl_certificate_key /etc/nginx/ssl/site.tld.key;
    location / {
        # Hand the decrypted request to Varnish over plain HTTP on localhost.
        proxy_pass http://127.0.0.1:80;
        # Preserve the original client address and scheme for Varnish and the backends.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Host $host;
    }
}

where:

  • site.tld is the virtual host name - this is useful if you have multiple certificates for multiple sub-domains.
  • /etc/nginx/ssl/site.tld.crt and /etc/nginx/ssl/site.tld.key should be the certificate and key pair used for the domain.
  • http://127.0.0.1:80 should point to the Varnish listen address and port.

For multiple domains, duplicate the server stanza once per domain, each with its own certificate and key.

Redirecting to HTTPS

Optionally, Varnish can be configured to redirect clients to HTTPS if they request the website over plain HTTP. To do that, edit /etc/varnish/default.vcl and add the following to vcl_recv and vcl_synth: the vcl_recv part rewrites the requested URL with an https:// scheme and the vcl_synth part sends the client a redirect to it.

import std;
sub vcl_recv {
  # Raise a synthetic 750 status for HTTP requests that arrive on port 80 from
  # external IPs, i.e. not from the SSL termination proxy (NGiNX) on localhost.
  if ((client.ip != "127.0.0.1" && std.port(server.ip) == 80) &&
      (req.http.host ~ "^(?i)(www\.)?example.com")) {
    set req.http.x-redir = "https://" + req.http.host + req.url;
    return (synth(750, ""));
  }
}
sub vcl_synth {
  # Catch the 750 status raised in vcl_recv.
  if (resp.status == 750) {
    # Redirect to HTTPS with a 301 status.
    set resp.status = 301;
    set resp.http.Location = req.http.x-redir;
    return (deliver);
  }
}
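As an added example that is not part of the original page, the following complete default.vcl generalises the redirect above to every host and adds two things a practitioner would want once SSL is terminated in front of Varnish: X-Forwarded-Proto is trusted only when it comes from the NGiNX terminator (a client connecting to port 80 directly could otherwise forge it), and the scheme is mixed into the cache key so HTTP and HTTPS variants of an object never get served to each other. It assumes the real web server listens on 127.0.0.1:8080 and that NGiNX runs on the same machine; both are assumptions, not values from the page.

```vcl
vcl 4.0;
import std;

# Assumed location of the real web server behind Varnish (not from the page).
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

# Only the local NGiNX SSL terminator may assert X-Forwarded-Proto / X-Real-IP.
# Add its address here if NGiNX runs on another host.
acl ssl_terminators {
    "127.0.0.1";
}

sub vcl_recv {
    # Strip client-supplied proxy headers unless the request came from NGiNX:
    # a direct port-80 client could otherwise send "X-Forwarded-Proto: https"
    # to dodge the redirect or to poison the HTTPS cache entry.
    if (client.ip !~ ssl_terminators) {
        unset req.http.X-Forwarded-Proto;
        unset req.http.X-Real-IP;
    }

    # Plain-HTTP requests that did not come through the terminator are sent to
    # HTTPS, for any host rather than one hard-coded domain.
    if (client.ip !~ ssl_terminators && std.port(server.ip) == 80) {
        set req.http.x-redir = "https://" + req.http.host + req.url;
        return (synth(750, ""));
    }
}

sub vcl_hash {
    # Key the cache on the scheme as well; the built-in vcl_hash still appends
    # req.url and the Host header because this sub does not return (lookup).
    if (req.http.X-Forwarded-Proto) {
        hash_data(req.http.X-Forwarded-Proto);
    }
}

sub vcl_synth {
    # Turn the synthetic 750 raised in vcl_recv into a permanent redirect.
    if (resp.status == 750) {
        set resp.status = 301;
        set resp.http.Location = req.http.x-redir;
        return (deliver);
    }
}
```

Requests proxied by NGiNX arrive from 127.0.0.1, so they match the ACL, keep their X-Forwarded-Proto header and are never redirected, which avoids a redirect loop.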

networking/varnish/ssl_termination_proxy.txt · Last modified: 2022/04/19 08:27 by 127.0.0.1

© 2025 Wizardry and Steamworks