+1 for SSL with Hitch/HAProxy. The setup described with the Apache runaround will more than likely tank as soon as large traffic spikes appear.
On Tue, Aug 15, 2017 at 3:04 PM, Jan Hugo Prins | BetterBe <[email protected]> wrote:

> I would not do it like that.
> Better is to use something like Hitch or HAProxy (my preference) and put
> that in front of Varnish.
> Then HAProxy / Hitch can terminate all SSL traffic, and HAProxy can also
> do your redirect to SSL if needed.
> Then in Varnish you use the Apache server as a backend and let it only
> serve what it needs to serve.
> Use the PROXY protocol to send the client information from HAProxy to
> Varnish.
> In Varnish you need to put the client IP into the X-Forwarded-For header.
> In Apache you can then use this header to have the real client IP address.
>
> This way you have the real client IP information on all layers.
>
> Jan Hugo Prins
>
>
> On 08/15/2017 11:39 AM, Admin Beckspaced wrote:
>
> Hello there ;)
>
> I'm running varnish in front of my apache on port 80 without any issues so
> far.
>
> Recently I decided to also use varnish for SSL connections.
>
> To do so I first do a http to https redirect within varnish VCL:
>
>     if ( req.http.X-Forwarded-Proto !~ "(?i)https" ) {
>         return (synth(750, ""));
>     }
>
> then in vcl_synth():
>
>     sub vcl_synth {
>         if (resp.status == 750) {
>             set resp.status = 301;
>             set resp.http.Location = "https://" + req.http.host + req.url;
>             return (deliver);
>         }
>     }
>
> This works fine and all http got redirected to https.
>
> Then on port 443 I got apache listening as a reverse proxy with the
> following config:
>
>     <VirtualHost *:443>
>
>         ServerName somedomain.com
>         ServerAlias *.somedomain.org
>
>         SSLEngine on
>
>         ... ssl cert stuff here ...
>
>         ProxyPreserveHost On
>         ProxyPass / http://127.0.0.1:80/
>         ProxyPassReverse / http://127.0.0.1:80/
>         RequestHeader set X-Forwarded-Port "443"
>         RequestHeader set X-Forwarded-Proto "https"
>
>     </VirtualHost>
>
> Also this works perfectly fine!
> Apache does the SSL termination and then reverse proxies everything back
> to varnish on port 80.
>
> If I have a look in the apache ssl log:
>
>     [15/Aug/2017:02:03:41 +0200] 35.190.201.122 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /feed/ HTTP/1.1" - "http://domain.org/feed/" "Go-http-client/1.1"
>     [15/Aug/2017:02:03:41 +0200] 35.190.201.122 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /feed HTTP/1.1" 10513 "https://domain.org/feed/" "Go-http-client/1.1"
>
> If I look in the varnishlog I see the following:
>
>     domain.org 35.190.201.122 - - [15/Aug/2017:02:03:41 +0200] "GET http://domain.org/feed/ HTTP/1.1" 301 0 "-" "Go-http-client/1.1"
>     domain.org 127.0.0.1 - - [15/Aug/2017:02:03:41 +0200] "GET http://domain.org/feed/ HTTP/1.1" 301 0 "http://domain.org/feed/" "Go-http-client/1.1"
>     domain.org 127.0.0.1 - - [15/Aug/2017:02:03:41 +0200] "GET http://domain.org/feed HTTP/1.1" 200 10513 "https://domain.org/feed/" "Go-http-client/1.1"
>
> But in the process of Varnish -> Redirect http to https -> Apache Reverse
> Proxy -> Varnish I lose the client IP address in varnishlog.
> It just says 127.0.0.1.
>
> How can I forward the client IP to varnishlog in this process?
>
> I need to have the client IP in varnishlog as I use those to generate
> statistics about the website.
>
> Any help, hints or insights would be awesome ;)
>
> Thanks & greetings
> Becki
>
> --
> Beckspaced - Server Administration
> ------------------------------------------------
> Ralf Flederer
> Marienplatz 9
> 97353 Wiesentheid
> Tel.: 09383-9033825
> Mobil: 01577-7258912
> Internet: www.beckspaced.com
> ------------------------------------------------
>
> _______________________________________________
> varnish-misc mailing list
> [email protected]
> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
>
> --
> Kind regards
>
> Jan Hugo Prins
> DevOps Engineer
> <https://betterbe.com>
> Auke Vleerstraat 140 E
> 7547 AN Enschede
> CC no. 08097527
> T +31 (0) 53 48 00 694
> E [email protected]
> M +31 (0)6 263 58 951
> www.betterbe.com
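The fix proposed in the thread has two halves: carry the client address from the TLS terminator to Varnish with the PROXY protocol, and, wherever X-Forwarded-For is used instead, take the real client only by walking past the proxies you operate. The Python below is an added example written for this page, not code from the thread nor from Varnish, HAProxy or Apache. It parses a PROXY protocol v1 header line of the kind HAProxy's `send-proxy` emits, and resolves the client address from an X-Forwarded-For chain by trusting only a listed set of proxies; a naive "first entry" resolver is included for contrast. The 35.190.201.122 address is the client from the log excerpt above; the 10.0.0.5 and 10.0.0.99 addresses, the trusted-proxy list and all function names are assumptions made for the example.

```python
"""Client-address recovery behind a TLS terminator: PROXY v1 parsing and
trusted-proxy resolution of X-Forwarded-For.

Added example for this page; not code from the thread, Varnish, HAProxy or Apache.
"""
import ipaddress
from typing import Dict, Optional, Sequence, Union

# Constructed sample input. 35.190.201.122 is the client address seen in the
# thread's log excerpt; 10.0.0.5 (the terminator's own address) is assumed.
PROXY_V1_HEADER = b"PROXY TCP4 35.190.201.122 10.0.0.5 51234 443\r\n"

# Assumed list of proxies we operate (Apache on localhost in the original setup).
TRUSTED_PROXIES = ["127.0.0.1/32", "::1/128"]


def parse_proxy_v1(line: bytes) -> Dict[str, Union[str, int]]:
    """Parse one PROXY protocol v1 header line (what HAProxy sends with
    `send-proxy`). Returns the original source/destination addresses and
    ports; raises ValueError on anything that does not match the spec."""
    # v1 headers are at most 107 bytes including the terminating CRLF.
    if len(line) > 107 or not line.endswith(b"\r\n"):
        raise ValueError("malformed PROXY v1 header")
    parts = line[:-2].decode("ascii").split(" ")
    if len(parts) < 2 or parts[0] != "PROXY":
        raise ValueError("not a PROXY v1 header")
    if parts[1] == "UNKNOWN":
        # Sender could not determine the original addresses (e.g. a health check).
        return {"family": "UNKNOWN"}
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY v1 family")
    want_version = 4 if parts[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    if src.version != want_version or dst.version != want_version:
        raise ValueError("address family mismatch")
    src_port, dst_port = int(parts[4]), int(parts[5])
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ValueError("port out of range")
    return {"family": parts[1], "src": str(src), "dst": str(dst),
            "src_port": src_port, "dst_port": dst_port}


def is_valid_proxy_v1(line: bytes) -> bool:
    """Predicate over parse_proxy_v1 for callers that only need to gate."""
    try:
        parse_proxy_v1(line)
        return True
    except ValueError:
        return False


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """What a stats script that takes the first X-Forwarded-For entry does.
    The leftmost entry is whatever the client chose to send, so this is
    spoofable by anyone who can reach the port 80 listener directly."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def real_client_ip(remote_addr: str, xff: Optional[str],
                   trusted_proxies: Sequence[str]) -> str:
    """Walk the X-Forwarded-For chain from the right, i.e. from the TCP peer
    we actually spoke to, skipping addresses of proxies we operate. The first
    address that is not ours is the client; everything left of it was written
    by parties we do not control and is ignored."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_ours(addr: str) -> bool:
        try:
            return any(ipaddress.ip_address(addr) in net for net in trusted)
        except ValueError:
            return False

    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    hops.append(remote_addr)  # the TCP peer is the only hop we can vouch for
    for hop in reversed(hops):
        if is_ours(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # garbage in the header: do not trust anything left of it
    return remote_addr


if __name__ == "__main__":
    print(parse_proxy_v1(PROXY_V1_HEADER))
    # Varnish's view of the second request in the thread: the peer is Apache on
    # localhost, mod_proxy has written the client into X-Forwarded-For and
    # Varnish has appended its own peer address.
    print(real_client_ip("127.0.0.1", "35.190.201.122, 127.0.0.1", TRUSTED_PROXIES))
    # A client hitting port 80 directly with a forged header (10.0.0.99 assumed).
    forged = "10.0.0.99, 35.190.201.122"
    print(naive_client_ip("35.190.201.122", forged),
          real_client_ip("35.190.201.122", forged, TRUSTED_PROXIES))
```

Walking the chain from the right is the whole point: with the Apache-in-front setup quoted above, a request that arrives at the port 80 listener with a forged X-Forwarded-For would be counted under the forged address by any statistics that take the first entry. In the HAProxy layout Jan describes, the equivalent in the real components is `send-proxy-v2` on HAProxy's `server` line and `-a <addr>,PROXY` on the matching varnishd listener, after which `client.ip` in VCL and `%h` in varnishncsa already are the real client; on the Apache side, mod_remoteip's `RemoteIPHeader X-Forwarded-For` together with `RemoteIPInternalProxy 127.0.0.1` performs the same right-to-left trust walk.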
