I need to accept HTTPS from the client, and my backend is also HTTPS.
How can I listen for HTTPS in Varnish and forward requests to the backend over HTTPS?
VARNISH_LISTEN_PORT=443
# how to add SSL certs?
Varnish, at least in the open source version, does not support HTTPS. Varnish Software released Hitch a while ago, which can be used to terminate HTTPS in front of a Varnish caching proxy. Many setups that I have seen also use nginx for SSL termination with Varnish as the backend.
I just found out that the commercial product Varnish Plus in fact supports TLS/SSL.
Hitch is open source and in fact supports SSL termination, and can be used as a proxy to convert your HTTP server into an HTTPS server.
The following is a guide and example; here OpenStack running on HTTP has been converted to HTTPS for all communication.
Create a VM (will be used as the proxy node):
Download Hitch on the proxy node: git clone https://github.com/varnish/hitch.git
Official link: https://github.com/varnish/hitch
Install Hitch as shown below. To install Hitch, the docs at the official link can be followed; the commands are below anyway.
$ ./bootstrap
$ ./configure
$ make
$ sudo make install
After successful installation of Hitch, prepare a certificate for the proxy node (.pem file).
Start the proxy using Hitch as shown below.
[root@testing_tools hitch]# hitch --tls -f "[*]:443" -b "[2001::29]:80" devstack.pem -u hitch -g hitch
[root@testing_tools hitch]# hitch --tls -f "[*]:9696" -b "[2001::29]:9696" devstack.pem -u hitch -g hitch
Make the following changes (Keystone database) at the OpenStack end for endpoints, i.e. make all endpoints configured for HTTPS.
mysql> select * from endpoint;
+----------------------------------+--------------------+-----------+----------------------------------+-------------------------------------------------+-------+---------+-----------+
| id                               | legacy_endpoint_id | interface | service_id                       | url                                             | extra | enabled | region_id |
+----------------------------------+--------------------+-----------+----------------------------------+-------------------------------------------------+-------+---------+-----------+
| 01c5333a2edf4505a14987770a762a8a | NULL               | public    | f883c99bc5514dd6b8d3b417fb8a121c | https://devstackipv6/volume/v1/$(project_id)s   | {}    |       1 | RegionOne |
| 1766694b9c5b4814a421a074d44b2d32 | NULL               | admin     | 68a37fb109aa4f878f893fc87c262f94 | https://devstackipv6/heat-api-cfn/v1            | {}    |       1 | RegionOne |
| 29e5c59cd68443d6beb96272b2d57143 | NULL               | internal  | eff63e56a0264b08a4cc9dc5de4ac8c4 | https://devstackipv6/heat-api/v1/$(project_id)s | {}    |       1 | RegionOne |
+----------------------------------+--------------------+-----------+----------------------------------+-------------------------------------------------+-------+---------+-----------+
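The answer above says to prepare a .pem file for the proxy node but does not show that step. The following is an added example, not part of the original answer: Hitch loads the private key and the certificate from one combined PEM file, so the script builds one and checks it before the proxy is started. The function names `make_test_pem` and `check_pem` are hypothetical, and the self-signed certificate is only suitable for a lab setup like the one described.

```shell
#!/usr/bin/env bash
# Added example: build and sanity-check the combined PEM file passed to hitch.
set -eu

# make_test_pem DIR CN
# Creates a throwaway self-signed key and certificate (lab use only) and
# concatenates them, key first, into DIR/CN.pem. Prints the PEM path.
make_test_pem() {
    dir=$1; cn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$cn" \
        -keyout "$dir/$cn.key" -out "$dir/$cn.crt" 2>/dev/null
    # The combined file contains the private key: keep it owner-only.
    (umask 077; cat "$dir/$cn.key" "$dir/$cn.crt" > "$dir/$cn.pem")
    printf '%s\n' "$dir/$cn.pem"
}

# check_pem FILE
# Returns 0 if FILE holds a private key and an unexpired certificate for
# that same key. Return codes: 1 no key, 2 no certificate, 3 key and
# certificate do not belong together, 4 certificate expired.
check_pem() {
    pem=$1
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
        { echo "$pem: no private key block" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "$pem: no certificate block" >&2; return 2; }
    # Compare the public key derived from the private key with the public
    # key embedded in the first certificate of the file.
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || key_pub=
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || crt_pub=
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "$pem: private key does not match certificate" >&2; return 3
    fi
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
        { echo "$pem: certificate has expired" >&2; return 4; }
}

# Usage: ./check_pem.sh devstack.pem   (run before starting hitch)
if [ "$#" -gt 0 ]; then
    check_pem "$1" && echo "OK: $1"
fi
```
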