Question

How to configure SSL termination with HAProxy when using Varnish + Apache?

I have Varnish + Apache on my Ubuntu VPS. I want to enable SSL certificates on my server but I don’t want to remove Varnish. How do I configure HAProxy so that it terminates SSL connections and forwards the real visitor IP to Apache? I want:

Client => Haproxy => Varnish => Apache

I would like all requests to be redirected to HTTPS.

Thank you and happy holidays. Arjon


You set the X-Forwarded-For headers in HAProxy. If an X-Forwarded-For header is already set, other reverse proxies will always just add their own to it; the left-most or first address is the source address. You don’t have to think about that; anything that reads and uses X-Forwarded-For headers will sort that out automagically.

You also want to set X-Forwarded-Proto so you can do all sorts of magic in Varnish, like redirecting traffic not using TLS without hitting your backend servers and separating the caches, as Varnish doesn’t talk TLS, which can lead to some interesting results, like images not being served up because they are requested over HTTP when the page is served over HTTPS.

Side question, are you using HAProxy to actually load balance between multiple backends? If not, why not just terminate the TLS connection in Apache, send that to Varnish and then back to Apache again?
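
An HAProxy configuration for the Client => HAProxy => Varnish => Apache chain discussed above, as an added example that is not part of the original answer. It assumes Varnish has been moved to 127.0.0.1:6081 so HAProxy can own ports 80 and 443; the certificate path and the frontend, backend and server names are placeholders.

```haproxy
# Added example: TLS termination in front of Varnish.
# Assumptions: Varnish listens on 127.0.0.1:6081, and the PEM file
# (certificate chain + private key) lives at the placeholder path below.

global
    # Refuse protocol versions older than TLS 1.2 on every "bind ... ssl" line.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_web
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem

    # Send plain-HTTP requests to HTTPS here, so they never reach
    # Varnish or Apache. ssl_fc is true only for TLS connections.
    http-request redirect scheme https code 301 unless { ssl_fc }

    # Overwrite (not append to) any X-Forwarded-For the client sent, so
    # the left-most address is the one HAProxy saw on the TCP connection.
    http-request set-header X-Forwarded-For %[src]

    # Only TLS requests get past the redirect, so the scheme is fixed.
    # set-header also replaces a client-supplied X-Forwarded-Proto.
    http-request set-header X-Forwarded-Proto https

    default_backend be_varnish

backend be_varnish
    # Loopback only: Varnish should not be reachable from outside, or
    # clients could bypass HAProxy and supply their own forwarded headers.
    server varnish1 127.0.0.1:6081 check
```

Varnish appends the peer address it sees (here HAProxy's loopback address) to X-Forwarded-For. For Apache to log the visitor address, mod_remoteip can be configured with `RemoteIPHeader X-Forwarded-For` and `RemoteIPInternalProxy 127.0.0.1`.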