As you know, Varnish does not directly support SSL/TLS. However, in the process of using and researching, I have found a way to use HTTPS with Varnish, which is using the SSL Termination Proxy model.
How the SSL Termination Proxy works using Nginx in conjunction with Varnish:
- A user accesses the website through the HTTPS protocol (port 443).
- The SSL Termination Proxy (Nginx) forwards that request to the Cache Proxy (Varnish), which currently serves the HTTP protocol (port 80). If Varnish has a cache content, it immediately responds without step 5.
- Cache Proxy (Varnish) requires content from the backend server (Nginx) and cached if not already.
- Backend server (Nginx) responds to the required data.
- Cache Proxy (Varnish) transfers data to SSL Termination Proxy (Nginx).
- SSL Termination Proxy (Nginx) encrypts the data and sends it to the end user.
The backend server can be one or more servers. Of course, you can use the same Nginx server as a proxy and backend.
To install, configure and use, I have described in detail in the Varnish series. Suppose you have a server that works normally with Nginx and Varnish.
1. Add the Nginx configuration code as an SSL Proxy
You need to edit the corresponding domain configuration file in the directory /etc/nginx/conf.d/
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
server { listen 443 ssl http2; server_name hocvps.com; # SSL ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; location / { proxy_pass http://127.0.0.1:80; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Port 443; proxy_set_header Host $host; } } |
The #SSL fragment you remember replaced with the corresponding certificate of Let’s Encrypt or Comodo with corresponding server_name.
Reload Nginx configuration:
1 |
service nginx reload |
2. Configure Varnish redirect to HTTPS
Still let Varnish listen port 80, add the following redirect code (for Varnish 4) to the /etc/varnish/default.vcl configuration file.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
sub vcl_recv { # Ask Varnish to fire 750 status for HTTP requests from external IPs and port 80, # and not from SSL Termination Proxy (Nginx). if ( (req.http.host ~ "^(?i)www.hocvps.com" || req.http.host ~ "^(?i)hocvps.com") && req.http.X-Forwarded-Proto !~ "(?i)https") { return (synth(750, "")); } } sub vcl_synth { # Listen to 750 status from vcl_recv. if (resp.status == 750) { set resp.status = 301; set resp.http.Location = "https://hocvps.com" + req.url; return(deliver); } } |
At this time, all HTTP request will be Varnish redirected to HTTPS.
Reload Varnish configuration:
1 |
service varnish reload |
If you use WordPress, you may need to add the following code to your wp-config.php file for WordPress to enable HTTPS:
1 2 3 |
if (isset($_SERVER["HTTP_X_FORWARDED_PROTO"] ) && "https" == $_SERVER["HTTP_X_FORWARDED_PROTO"] ) { $_SERVER["HTTPS"] = "on"; } |
So it’s done, simple.
Good luck.