For multiple certificates, simply put multiple pem-file lines in hitch.conf, and you're good to go :-)
--
Guillaume Quintard

On Aug 16, 2017 12:30, "Admin Beckspaced" <[email protected]> wrote:

> Thanks Guillaume,
>
> will then have a look into the info you provided and report back if I run
> into any trouble trying to set up hitch ;)
>
> What's your recommendation of up-to-date documents on how to set up hitch
> in front of varnish with multiple vhost SSL certificates?
>
> So far I found:
>
> https://github.com/varnish/hitch
> https://hitch-tls.org/
>
> Is there any docu elsewhere you can recommend?
>
> Thanks a lot for your support!
>
> Greetings
> Becki
>
>
> On 16.08.2017 09:57, Guillaume Quintard wrote:
>
>> At the risk of insisting, hitch is super easy to set up, once installed,
>> you just need to:
>> - Edit /etc/hitch/hitch.conf to
>>   - Set the front-end, usually *:443
>>   - Set the backend (where to send decrypted traffic), 127.0.0.1:8443
>>   - Set the pem-file line to point to a certificate
>> - Add "-a 127.0.0.1:8443,PROXY" to Varnish command.
>>
>> The Varnish part will be needed anyway if you want to use the proxy
>> protocol.
>>
>> The docs here
>> https://docs.varnish-software.com/varnish-cache-plus/features/client-ssl/
>> can help you (except that the name of the package differs) but the crux
>> of it is really what I listed above.
>>
>> So we can do better next time, what didn't you like about the info you
>> got about hitch?
>>
>> --
>> Guillaume Quintard
>>
>> On Aug 16, 2017 09:29, "Admin Beckspaced" <[email protected]> wrote:
>>
>>     Thanks a lot for your suggestion for using HaProxy ;)
>>
>>     My thinking was just: why install another bit of software when
>>     apache is able to do the SSL termination.
>>     But like Andrei said, if traffic spikes hit the apache runaround
>>     will not be the optimal solution.
>>
>>     Do you guys have any recent up-to-date tutorials / howtos on
>>     setting up HaProxy as SSL terminator in front of varnish.
>>     also doing the SSL redirects ...
>>
>>     Did look around for Hitch but wasn't very pleased with the info
>>     provided ;(
>>
>>     Any hints are welcome & thanks for your help & replies ;)
>>
>>     Greetings
>>     Becki
>>
>>
>>     On 15.08.2017 22:04, Jan Hugo Prins | BetterBe wrote:
>>
>>         I would not do it like that.
>>         Better is to use something like Hitch or HaProxy (my
>>         preference) and put that in front of Varnish.
>>         Then HaProxy / Hitch can terminate all SSL traffic, and
>>         HaProxy can also do your redirect to SSL if needed.
>>         Then in Varnish you use the Apache server as a backend and let
>>         it only serve what it needs to serve.
>>         Use the ProxyProtocol to send the client information from
>>         HaProxy to Varnish.
>>         In Varnish you need to put the client IP into the
>>         X-Forwarded-For header.
>>         In Apache you can then use this header to have the real client
>>         IP address.
>>
>>         This way you have the real client IP information on all layers.
>>
>>         Jan Hugo Prins
>>
>>
>>     _______________________________________________
>>     varnish-misc mailing list
>>     [email protected]
>>     https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
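The setup described in this thread, written out as an added example (not a configuration posted by anyone on the list). The certificate paths and hostnames are placeholders, and the write-proxy-v2 line is included on the assumption that Varnish listens with ",PROXY" as described above.

```conf
# /etc/hitch/hitch.conf (example; paths and hostnames are placeholders)

# Front-end: where Hitch accepts TLS connections from clients.
frontend = "[*]:443"

# Backend: where decrypted traffic is sent (the Varnish PROXY listener).
# Keep this on loopback: whoever can reach a PROXY listener can state
# any client address they like in the PROXY header.
backend = "[127.0.0.1]:8443"

# Send a PROXY protocol v2 header to the backend so Varnish sees the
# real client address. Required when Varnish is started with ",PROXY".
write-proxy-v2 = on

# One pem-file line per vhost certificate. Each file holds the private
# key, the certificate and any intermediate certificates concatenated,
# so it should be readable only by the user Hitch starts as.
# Hitch picks the certificate by SNI name; the last pem-file listed is
# used when no name matches.
pem-file = "/etc/hitch/certs/www.example.org.pem"
pem-file = "/etc/hitch/certs/shop.example.net.pem"
pem-file = "/etc/hitch/certs/default.example.com.pem"

# Matching Varnish listener, added to the existing varnishd command line:
#   -a 127.0.0.1:8443,PROXY
```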
