How to configure Ssl termination with HAProxy when using varnish + apache?

Question

I have varnish + apache on my ubuntu vps. I want to enable ssl certificates on my server but i don’t want to remove varnish. How do i configure that haproxy terminates ssl connections and forward the real visitor ip to apache?
I want:

Client => Haproxy => Varnish => Apache

I would like that all requests get redirected to HTTPS.

Thank you and happy holidays.
Arjon

Answer 1

vegardx December 31, 2015

You set the X-Forwarded-For headers in HAProxy. If there is already set an X-Forwarded-For header other reverse proxies will always just add their own to it, the left-most or first address is the source address. You don’t have to think about that, anything that reads and uses X-Forwarded-For headers will sort that out automagically.

You also want to set the X-Forwarded-Proto so you can do all sorts of magic in Varnish, like redirecting traffic not using TLS without hitting your backend servers and separate the caches, as Varnish doesn’t talk TLS, which can lead to some interesting results, like images not being served up because they are requested over HTTP when the page is served over HTTPS.

Side question, are you using HAProxy to actually load balance between multiple backends? If not, why not just terminate the TLS connection in Apache, send that to Varnish and then back to Apache again?

Reply Report

arjon December 31, 2015

Thanks for your detailed reply. I am not very good with configuring it myself so if you could add a couple of instructions it would be really great. I want to HAproxy only for ssl termination but i thought i might use other features as well. Would it be good to have haproxy instead of using apache to terminate ssl and forward it to varnish? If yes/no, how do i do that? Sorry for being a little noob about this. Thanks again.
Reply Report
- vegardx December 31, 2015
  
  Go with what you’re most comfortable with. Ideally you want fewer moving parts in your stack, as it makes debugging a lot easier, but on the other hand having things separated can make it easier in some circumstances. It can be a little mind bending to read the logs when you go back and forth.
  
  Personally I only use Nginx and Varnish, and could probably replace Varnish with Nginx as well, but Varnish has some rather nice built in features for cache invalidation which are hard to compete with. TLS is terminated in Nginx, the X-Forwarded-Proto header is set, and then sent to Varnish, which does what ever magic needs doing, then sends it back to Nginx which does its magic as a web server.
  
  Unless you want to load balance anything other than HTTP/HTTPS I don’t really see any reason for using HAProxy at this stage. Apache2 can do more or less exactly the same things, except perhaps for health checking your backend(s). But you can do that in Varnish anyway.
  
  Reply Report
  
  arjon December 31, 2015
  
  Okay thanks. I am taking your advice and i will use apache for ssl termination. Can you recomment a link to a blog which might have clear instructions?
  
  Reply Report
  
  vegardx December 31, 2015
  
  No, but the documentation is really good. You should always start there first.
  
  Reply Report

Answer 2

arjon December 31, 2015

Thanks for your detailed reply. I am not very good with configuring it myself so if you could add a couple of instructions it would be really great. I want to HAproxy only for ssl termination but i thought i might use other features as well. Would it be good to have haproxy instead of using apache to terminate ssl and forward it to varnish? If yes/no, how do i do that? Sorry for being a little noob about this. Thanks again.
Reply Report
- vegardx December 31, 2015
  
  Go with what you’re most comfortable with. Ideally you want fewer moving parts in your stack, as it makes debugging a lot easier, but on the other hand having things separated can make it easier in some circumstances. It can be a little mind bending to read the logs when you go back and forth.
  
  Personally I only use Nginx and Varnish, and could probably replace Varnish with Nginx as well, but Varnish has some rather nice built in features for cache invalidation which are hard to compete with. TLS is terminated in Nginx, the X-Forwarded-Proto header is set, and then sent to Varnish, which does what ever magic needs doing, then sends it back to Nginx which does its magic as a web server.
  
  Unless you want to load balance anything other than HTTP/HTTPS I don’t really see any reason for using HAProxy at this stage. Apache2 can do more or less exactly the same things, except perhaps for health checking your backend(s). But you can do that in Varnish anyway.
  
  Reply Report
  
  arjon December 31, 2015
  
  Okay thanks. I am taking your advice and i will use apache for ssl termination. Can you recomment a link to a blog which might have clear instructions?
  
  Reply Report
  
  vegardx December 31, 2015
  
  No, but the documentation is really good. You should always start there first.
  
  Reply Report

Related

Question

How to configure Ssl termination with HAProxy when using varnish + apache?

Related

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

How to configure Ssl termination with HAProxy when using varnish + apache?

Related

Leave a comment

Related

question

WordPRess Files Removed Now What To Do?

question

Problem installing wordpress on subdomain (nginx / ubuntu)

question

cpu from 13% to 100% in one minute

question

Why are snapshots so slow

Looking for something else?