Thanks Guillaume,

I will then have a look into the info you provided and report back if I run into any trouble trying to set up hitch ;)

What's your recommendation for up-to-date documents on how to set up hitch in front of varnish with multiple vhost SSL certificates?

So far I found:

https://github.com/varnish/hitch
https://hitch-tls.org/

Is there any documentation elsewhere you can recommend?

Thanks a lot for your support!

Greetings
Becki


On 16.08.2017 09:57, Guillaume Quintard wrote:
At the risk of insisting, hitch is super easy to set up. Once installed, you just need to:
- Edit /etc/hitch/hitch.conf to
  - Set the front-end, usually *:443
  - Set the backend (where to send decrypted traffic), 127.0.0.1:8443
  - Set the pem-file line to point to a certificate
- Add "-a 127.0.0.1:8443,PROXY" to the Varnish command.

The Varnish part will be needed anyway if you want to use the proxy protocol.

The docs here https://docs.varnish-software.com/varnish-cache-plus/features/client-ssl/ can help you (except that the name of the package differs) but the crux of it is really what I listed above.

So we can do better next time, what didn't you like about the info you got about hitch?

--
Guillaume Quintard

On Aug 16, 2017 09:29, "Admin Beckspaced" <[email protected]> wrote:

    Thanks a lot for your suggestion for using HaProxy ;)

    My thinking was just: why install another bit of software when
    apache is able to do the SSL termination.
    But like Andrei said, if traffic spikes hit, the apache runaround
    will not be the optimal solution.

    Do you guys have any recent up-to-date tutorials / howtos on
    setting up HaProxy as SSL terminator in front of varnish,
    also doing the SSL redirects?

    Did look around for Hitch but wasn't very pleased with the info
    provided ;(

    Any hints are welcome & thanks for your help & replies ;)

    Greetings
    Becki



    On 15.08.2017 22:04, Jan Hugo Prins | BetterBe wrote:

        I would not do it like that.
        Better is to use something like Hitch or HaProxy (my
        preference) and put that in front of Varnish.
        Then HaProxy / Hitch can terminate all SSL traffic, and
        HaProxy can also do your redirect to SSL if needed.
        Then in Varnish you use the Apache server as a backend and let
        it only serve what it needs to serve.
        Use the ProxyProtocol to send the client information from
        HaProxy to Varnish.
        In Varnish you need to put the client IP into the
        X-Forwarded-For header.
        In Apache you can then use this header to have the real client
        IP address.

        This way you have the real client IP information on all layers.

        Jan Hugo Prins




    _______________________________________________
    varnish-misc mailing list
    [email protected]
    https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc

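Putting Guillaume's three hitch.conf settings, the varnishd "-a ...,PROXY" listener and Jan Hugo's PROXY-protocol / X-Forwarded-For advice together, here is an added example that is not code from anyone in this thread nor from the hitch or Varnish projects. It writes a hitch.conf with two vhost certificates (selected by SNI) and the matching VCL that puts the real client IP into X-Forwarded-For and redirects plain HTTP to HTTPS. The certificate paths, the example.org / example.net hostnames, the hitch user and group, the Apache backend on 127.0.0.1:8080 and the output directory are assumptions; Varnish 4.1 or later is assumed, since that is where PROXY support and local.ip arrived.

```shell
#!/bin/sh
# Added example: generate the Hitch and Varnish configuration for TLS
# termination in front of Varnish with two vhost certificates. Not code
# from the thread or the projects; hostnames, paths, the hitch user and
# the Apache port are assumptions.
set -eu

# Where to write the generated files (assumption: a scratch directory, so
# this runs without root; copy the results to /etc/hitch and /etc/varnish).
OUT="${OUT_DIR:-$(mktemp -d)}"

# hitch.conf: listen on 443, hand decrypted traffic to Varnish on loopback
# and send the real client address with PROXY protocol v2. One pem-file
# per vhost; Hitch picks the certificate by the SNI hostname the client
# sends. Each pem file is assumed to hold key, certificate and chain.
write_hitch_conf() {
cat > "$1" <<'EOF'
frontend = "[*]:443"
backend  = "[127.0.0.1]:8443"
# PROXY protocol v2 carries the client IP and port to Varnish
write-proxy-v2 = on
# one pem-file per vhost certificate (assumed paths)
pem-file = "/etc/hitch/example.org.pem"
pem-file = "/etc/hitch/example.net.pem"
# assumed account names; packages may use _hitch
user  = "hitch"
group = "hitch"
EOF
}

# varnishd listeners: plain HTTP on :80 for the redirect, plus the loopback
# listener Hitch talks to, flagged PROXY so Varnish parses the PROXY header.
varnishd_listen_args() {
    printf '%s' "-a :80 -a 127.0.0.1:8443,PROXY"
}

# VCL (Varnish 4.1+): local.ip is the socket Varnish accepted on (8443 means
# the request came through Hitch); client.ip is the address taken from the
# PROXY header, so Apache sees the real client instead of 127.0.0.1.
# X-Forwarded-For is overwritten rather than appended: nothing trusted sits
# in front except Hitch, so a client-supplied X-Forwarded-For is discarded.
write_vcl() {
cat > "$1" <<'EOF'
vcl 4.0;
import std;

backend apache {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    set req.http.X-Forwarded-For = client.ip;
    if (std.port(local.ip) == 8443) {
        set req.http.X-Forwarded-Proto = "https";
    } else {
        return (synth(301, "Moved Permanently"));
    }
}

sub vcl_synth {
    if (resp.status == 301) {
        set resp.http.Location = "https://" + req.http.host + req.url;
        return (deliver);
    }
}
EOF
}

write_hitch_conf "$OUT/hitch.conf"
write_vcl "$OUT/default.vcl"
echo "wrote $OUT/hitch.conf and $OUT/default.vcl"
echo "varnishd $(varnishd_listen_args) -f /etc/varnish/default.vcl"
```

Run it as-is to get both files in a temp directory, or with OUT_DIR set to choose the location; then add the printed -a arguments to the varnishd command line (or the service's DAEMON_OPTS) and restart hitch and varnish. Apache only needs to listen on 127.0.0.1:8080 and read X-Forwarded-For / X-Forwarded-Proto; it no longer does any TLS itself.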

