How to configure SSL termination with HAProxy when using Varnish + Apache?

December 31, 2015 1.9k views
LAMP Stack Caching Configuration Management Apache WordPress Ubuntu

I have Varnish + Apache on my Ubuntu VPS. I want to enable SSL certificates on my server, but I don't want to remove Varnish. How do I configure HAProxy so that it terminates SSL connections and forwards the real visitor IP to Apache?
I want:

Client => Haproxy => Varnish => Apache

I would like that all requests get redirected to HTTPS.

Thank you and happy holidays.

1 Answer

You set the X-Forwarded-For header in HAProxy. If an X-Forwarded-For header is already set, other reverse proxies will just append their own address to it; the left-most or first address is the source address. You don't have to think about that, anything that reads and uses X-Forwarded-For headers will sort that out automagically.

You also want to set X-Forwarded-Proto so you can do all sorts of magic in Varnish, like redirecting traffic not using TLS without hitting your backend servers, and separating the caches. Varnish doesn't talk TLS, which can lead to some interesting results, like images not being served because they are requested over HTTP when the page is served over HTTPS.

Side question, are you using HAProxy to actually load balance between multiple backends? If not, why not just terminate the TLS connection in Apache, send that to Varnish and then back to Apache again?

  • Thanks for your detailed reply. I am not very good with configuring it myself, so if you could add a couple of instructions it would be really great. I want to use HAProxy only for SSL termination, but I thought I might use other features as well. Would it be good to have HAProxy instead of Apache terminate SSL and forward it to Varnish? If yes/no, how do I do that? Sorry for being a little noob about this. Thanks again.

    • Go with what you're most comfortable with. Ideally you want fewer moving parts in your stack, as it makes debugging a lot easier, but on the other hand having things separated can make it easier in some circumstances. It can be a little mind bending to read the logs when you go back and forth.

      Personally I only use Nginx and Varnish, and could probably replace Varnish with Nginx as well, but Varnish has some rather nice built-in features for cache invalidation which are hard to compete with. TLS is terminated in Nginx, the X-Forwarded-Proto header is set, and then the request is sent to Varnish, which does whatever magic needs doing, then sends it back to Nginx, which does its magic as a web server.

      Unless you want to load balance anything other than HTTP/HTTPS I don't really see any reason for using HAProxy at this stage. Apache2 can do more or less exactly the same things, except perhaps for health checking your backend(s). But you can do that in Varnish anyway.
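Putting the two headers from the answer above into an HAProxy configuration, as an added example that is not part of the original answer: it assumes HAProxy 1.5 or newer, Varnish listening on 127.0.0.1:6081, and the certificate and private key concatenated into /etc/haproxy/certs/example.com.pem.

```haproxy
# Added example (not from the answer): HAProxy terminates TLS in front of
# Varnish + Apache. Paths and ports below are assumptions.
global
    log /dev/log local0
    maxconn 4096
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP: send every request to HTTPS before it ever reaches Varnish.
frontend http-in
    bind *:80
    http-request redirect scheme https code 301 unless { ssl_fc }

# HTTPS: terminate TLS here, then hand plain HTTP to Varnish.
frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
    # Varnish cannot speak TLS, so tell it (and Apache) the original scheme.
    http-request set-header X-Forwarded-Proto https
    # Overwrite rather than append: a client could send its own
    # X-Forwarded-For, so the edge proxy must not trust an inbound value.
    http-request set-header X-Forwarded-For %[src]
    default_backend varnish

backend varnish
    server varnish1 127.0.0.1:6081 check
```

For Apache to log the real visitor IP, enable mod_remoteip and set `RemoteIPHeader X-Forwarded-For` together with `RemoteIPInternalProxy 127.0.0.1`, so that only the header written by your own proxy chain is trusted.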
