Hi,
Not a solution to the problem below, but I found a very easy workaround.
Posting it here in case it has relevance to other users.
Problem: HTTP and HTTPS go to the same cached FQDN. Varnish only does HTTP, how
to pass HTTPS through to the backend?
Solution: xinetd can do this out of the box. Create a file in /etc/xinetd.d
containing stuff like below and restart xinetd.
    service some_unique_name
    {
        type        = UNLISTED
        flags       = REUSE
        socket_type = stream
        wait        = no
        user        = root
        redirect    = back.end.ip.address 443
        port        = 443
    }
A big caveat to this: You will not be able to cache HTTPS traffic. In my case
that's not a problem but YMMV.
Lars
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Lars Jørgensen
Sent: Monday, June 20, 2011 11:20 AM
To: [email protected]
Subject: RE: Best practice for SSL passthrough?
>> Is that how it works? That seems pretty neat because then I can cache https
>> requests too.
>Yup, that's it exactly. And Nginx is pretty performant as well, so it
>completes Varnish in that matter.
Great, I'll probably look into it.
So far I've found out that https is only really used in a redirect during
login, and after that it's straight back to http. I have therefore no need to
cache encrypted pages. If I can avoid learning new tech (nginx), I would prefer
it at this point. So I did this:
    backend default {
        .host = "1.2.3.62";
        .port = "80";
    }
    backend default_ssl {
        .host = "1.2.3.62";
        .port = "443";
    }
    sub vcl_recv {
        if (server.port == 443) {
            set req.backend = default_ssl;
            return(pipe);
        } else {
            set req.backend = default;
        }
        .
        .
        .
    }
But it doesn't work, all I get is this:
    15 SessionOpen c 10.6.0.18 52617 :443
    15 Debug c herding
    15 SessionClose c timeout
    15 StatSess c 10.6.0.18 52617 0 1 0 0 0 0 0 0
    15 SessionOpen c 10.6.0.18 52622 :443
    15 Debug c herding
    15 SessionClose c timeout
    15 StatSess c 10.6.0.18 52622 0 1 0 0 0 0 0 0
Am I doing something obviously wrong? Is "server.port" not available in 3.0? I
tried putting a std.log("HTTPS"); in the backend select statement above, but it
doesn't get logged. Looks like that if-statement is wrong?
--
Lars
_______________________________________________
varnish-misc mailing list
[email protected]
http://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
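
Added example, not part of the original thread or of Varnish/xinetd: Varnish 3.0 has no TLS support and vcl_recv runs only once a complete HTTP request header has been parsed, so a browser connecting to :443 sends a TLS ClientHello that never produces a request to dispatch on, which is consistent with the timeouts logged above. The function names are hypothetical and the ClientHello is constructed sample data; a TCP-level redirect such as the xinetd one forwards these bytes without parsing them.

```python
import struct

HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ")


def build_sample_client_hello() -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (no extensions); sample data only."""
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + bytes(32)            # random (all zero, constructed)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x00\x2f"  # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"          # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record header: type 0x16 (handshake), version 3.1, 2-byte length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def classify_first_bytes(data: bytes) -> str:
    """Classify what a client sent first on a freshly accepted connection."""
    if data.startswith(HTTP_METHODS):
        # An HTTP/1.x parser can act only once the header block is complete.
        return "http-request" if b"\r\n\r\n" in data else "http-partial"
    if len(data) < 6:
        return "need-more-data"
    content_type, major, _minor, rec_len = struct.unpack(">BBBH", data[:5])
    # 0x16 = handshake record, major version 3 = SSL 3.0 / TLS 1.x
    if content_type == 0x16 and major == 3 and 0 < rec_len <= 16384:
        return "tls-clienthello" if data[5] == 0x01 else "tls-handshake-other"
    return "unknown"


def http_listener_would_dispatch(data: bytes) -> bool:
    """True only if an HTTP-only listener has a full request header to act on."""
    return classify_first_bytes(data) == "http-request"


if __name__ == "__main__":
    for name, sample in [
        ("TLS client on :443", build_sample_client_hello()),
        ("HTTP client on :80", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ]:
        print(name, "->", classify_first_bytes(sample),
              "| dispatch:", http_listener_would_dispatch(sample))
```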