Good Morning Everyone ;)
Before doing some work today and installing Hitch as an SSL/TLS
terminator in front of varnish on my production server ...
I would like to thank you all for your help & suggestions and especially
@Guillaume for insisting to have a look at Hitch ;)
First, I want to take back my statement about hitch documentation. I
found all in the docu that is needed to set up and configure hitch.
Perhaps I was a bit surprised about the 'tiny' amount of documentation
but hey ... hitch is only a 'dumb' TLS proxy!
So there's nothing that much to document after all ;)
Also the redirect from http -> https works like a breeze ... though I
had to do a bit of std.log("local port: " + std.port(local.ip))
to understand the difference between remote, local, client, server
variables ...
Another tiny bit of frustration I encountered via a typo copy & paste
from github
https://github.com/varnish/hitch/issues/39
It's about setting the X-Forwarded-Proto https header in varnish VCL to
let my wordpress know that it's running on https
and if you do a copy & paste of

    sub vcl_recv {
        if (std.port(local.ip) == 80) {
            return (synth(700));
        } else {
            set req.http.X-Forwared-Proto = "https";
        }
    }

and you don't have a close look that the 'd' is missing in
req.http.X-Forwared-Proto
it should be req.http.X-Forwarded-Proto
you will scratch your head for quite some time and wonder why wordpress
doesn't know that it is running on SSL ... oh my gosh!
anyway ... all worked out fine and now I got some hitch install to do on
my production server ;)
Thanks & best wishes
Becki
On 16.08.2017 09:57, Guillaume Quintard wrote:
At the risk of insisting, hitch is super easy to set up; once
installed, you just need to:
- Edit /etc/hitch/hitch.conf to
  - Set the front-end, usually *:443
  - Set the backend (where to send decrypted traffic), 127.0.0.1:8443
  - Set the pem-file line to point to a certificate
- Add "-a 127.0.0.1:8443,PROXY" to Varnish
command.
The Varnish part will be needed anyway if you want to use the proxy
protocol.
The docs here
https://docs.varnish-software.com/varnish-cache-plus/features/client-ssl/
can help you (except that the name of the package differs) but the
crux of it is really what I listed above.
So we can do better next time, what didn't you like about the info you
got about hitch?
--
Guillaume Quintard
On Aug 16, 2017 09:29, "Admin Beckspaced" <[email protected]> wrote:
Thanks a lot for your suggestion for using HaProxy ;)
My thinking was just: why install another bit of software when
apache is able to do the SSL termination.
But like Andrei said, if traffic spikes hit, the apache runaround
will not be the optimal solution.
Do you guys have any recent up-to-date tutorials / howtos on
setting up HaProxy as SSL terminator in front of varnish?
Also doing the SSL redirects ...
Did look around for Hitch but wasn't very pleased with the info
provided ;(
Any hints are welcome & thanks for your help & replies ;)
Greetings
Becki
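
Added example (not part of the original messages, and not code from the Varnish or Hitch projects): a small Python check for the failure described in the first message, where a misspelled header name in VCL is accepted without complaint and the application behind Varnish never sees X-Forwarded-Proto. The header list, the function name and the similarity cutoff are assumptions of this example; the sample VCL is the snippet quoted in the thread, embedded as constructed input.

```python
import re
from difflib import get_close_matches

# Headers an application behind a TLS terminator commonly relies on.
# This list is an assumption of the example; extend it for your stack.
KNOWN_HEADERS = [
    "X-Forwarded-Proto",
    "X-Forwarded-For",
    "X-Forwarded-Host",
    "X-Forwarded-Port",
]

# Matches req.http.Name, bereq.http.Name, resp.http.Name and beresp.http.Name.
HEADER_REF = re.compile(r"\b(?:be)?re(?:q|sp)\.http\.([A-Za-z0-9_-]+)")

# Constructed sample: the vcl_recv snippet from the thread, typo included.
SAMPLE_VCL = """\
sub vcl_recv {
    if (std.port(local.ip) == 80) {
        return (synth(700));
    } else {
        set req.http.X-Forwared-Proto = "https";
    }
}
"""


def find_header_typos(vcl_text, cutoff=0.85):
    """Return (line_no, found_name, suggested_name) for near-miss header names."""
    canonical = {h.lower(): h for h in KNOWN_HEADERS}
    findings = []
    for line_no, line in enumerate(vcl_text.splitlines(), start=1):
        for name in HEADER_REF.findall(line):
            lowered = name.lower()
            if lowered in canonical:
                continue  # exact match; header names are case-insensitive
            # A name that is close to, but not equal to, a known header
            # is almost certainly a typo rather than a custom header.
            match = get_close_matches(lowered, list(canonical), n=1, cutoff=cutoff)
            if match:
                findings.append((line_no, name, canonical[match[0]]))
    return findings


if __name__ == "__main__":
    for line_no, found, suggestion in find_header_typos(SAMPLE_VCL):
        print(f"line {line_no}: {found} looks like a typo of {suggestion}")
```

Running a check like this over the VCL before reloading Varnish catches the misspelling at review time instead of through a WordPress site that does not recognise it is served over HTTPS.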