At the risk of insisting, hitch is super easy to set up. Once installed, you just need to:

- Edit /etc/hitch/hitch.conf to
  - Set the front-end, usually *:443
  - Set the backend (where to send decrypted traffic), 127.0.0.1:8443
  - Set the pem-file line to point to a certificate
- Add "-a 127.0.0.1:8443,PROXY" to Varnish command.

The Varnish part will be needed anyway if you want to use the proxy protocol.

The docs here https://docs.varnish-software.com/varnish-cache-plus/features/client-ssl/ can help you (except that the name of the package differs) but the crux of it is really what I listed above.

So we can do better next time, what didn't you like about the info you got about hitch?

--
Guillaume Quintard

On Aug 16, 2017 09:29, "Admin Beckspaced" <[email protected]> wrote:

> Thanks a lot for your suggestion for using HaProxy ;)
>
> My thinking was just: why install another bit of software when apache is
> able to do the SSL termination.
> But like Andrei said, if traffic spikes hit the apache runaround will not
> be the optimal solution.
>
> Do you guys have any recent up-to-date tutorials / howtos on setting up
> HaProxy as SSL terminator in front of varnish.
> also doing the SSL redirects ...
>
> Did look around for Hitch but wasn't very pleased with the info provided ;(
>
> Any hints are welcome & thanks for your help & replies ;)
>
> Greetings
> Becki
>
> On 15.08.2017 22:04, Jan Hugo Prins | BetterBe wrote:
>
>> I would not do it like that.
>> Better is to use something like Hitch or HaProxy (my preference) and put
>> that in front of Varnish.
>> Then HaProxy / Hitch can terminate all SSL traffic, and HaProxy can also
>> do your redirect to SSL if needed.
>> Then in Varnish you use the Apache server as a backend and let it only
>> serve what it needs to serve.
>> Use the ProxyProtocol to send the client information from HaProxy to
>> Varnish.
>> In Varnish you need to put the client IP into the X-Forwarded-For header.
>> In Apache you can then use this header to have the real client IP address.
>>
>> This way you have the real client IP information on all layers.
>>
>> Jan Hugo Prins
>
> _______________________________________________
> varnish-misc mailing list
> [email protected]
> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
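Added example, not part of the original thread or of the hitch/Varnish code: a Python sketch of what a PROXY-enabled listener such as the `127.0.0.1:8443,PROXY` one above has to do with the header the TLS terminator prepends, and why that listener should stay on loopback (whoever can connect to it chooses the "client IP"). It assumes the version 1 (text) header format; `parse_proxy_v1`, `ProxyHeaderError` and the sample bytes are constructed for illustration.

```python
import ipaddress

MAX_V1_LEN = 107  # longest legal v1 header line, CRLF included


class ProxyHeaderError(ValueError):
    """Raised when the PROXY header is missing, malformed or untrusted."""


def parse_proxy_v1(data, peer_ip, trusted=("127.0.0.1", "::1")):
    """Return (client_ip, client_port, rest) from a v1 PROXY header.

    peer_ip is the TCP peer that opened the connection (the TLS
    terminator). Headers from any other peer are refused, because the
    client address they carry is just a claim made by the sender.
    """
    if peer_ip not in trusted:
        raise ProxyHeaderError("PROXY header from untrusted peer " + peer_ip)
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end < 0:
        raise ProxyHeaderError("no CRLF within %d bytes" % MAX_V1_LEN)
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII header")
    rest = data[end + 2:]  # decrypted application bytes follow the header
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ProxyHeaderError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return None, None, rest  # sender could not determine the client
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("unexpected field layout")
    family = 4 if fields[1] == "TCP4" else 6
    try:
        src = ipaddress.ip_address(fields[2])
        dst = ipaddress.ip_address(fields[3])
    except ValueError:
        raise ProxyHeaderError("bad address")
    if src.version != family or dst.version != family:
        raise ProxyHeaderError("address family mismatch")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ProxyHeaderError("bad port")
    sport, dport = int(fields[4]), int(fields[5])
    if sport > 65535 or dport > 65535:
        raise ProxyHeaderError("port out of range")
    return str(src), sport, rest


# Constructed sample: what arrives on the backend socket after TLS is removed.
SAMPLE = (b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 443\r\n"
          b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
```
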
