SSL with Varnish and Apache on separate droplets, one domain

I have a droplet with Apache serving up a website on a domain (let us say “”). My DNS “A” records point the domain to the existing droplet (host). Via DigitalOcean Marketplace I have created a new droplet with Varnish and Hitch preinstalled.

In order to pass traffic through Varnish I must presumably replace the “A” records with new ones pointing to this new droplet, but if I do so, my existing droplet is no longer tied to the domain “” and so my SSL certificate won’t be valid.

If I keep the existing “A” records so that I still have a valid certificate, how can traffic be passed through the Varnish server?

If I have “A” records pointing to both droplets, how can I ensure that all traffic is passed to Varnish?

Any help would be much appreciated.


Site Moderator
December 15, 2020
Accepted Answer

Hi @henryhood,

You can use Varnish in front of your Apache on port 80 on the server where your SSL is installed. That’s how Varnish is meant to work. It works on port 80 and passes data to Apache.

This means that you can install Varnish on the droplet where you have Apache and your website. That way you wouldn’t need to change any DNS records; you’ll just need to configure Varnish to listen on port 80 and Apache on port 8080 for HTTP requests. The 433 requests you can still leave with Apache I guess.

Regards, KFSys

Hi KFSys, you are no doubt right, and there would be no problem running Varnish and Apache on the 2 processors / 4Gb I had, but since I will also be installing ElasticSearch I have upgraded the droplet to 4 processors / 8Gb. I have done as you suggested but also installed Hitch to do SSL termination. Right now both https and http are accepted, but I will change that to https only. Everything works OK now, except I have a minor problem with MediaWiki’s VisualEditor, which can’t save edits. Thanks for your help!

Thank you, KFSys, I think I’ll do as you suggest. I just hoped I could do it this way as it would be cheaper to add a small droplet than to upgrade my existing one, which I will probably then need.
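
The single-droplet layout from the accepted answer and the follow-up comment (Varnish on port 80, Apache on 8080, Hitch terminating TLS, HTTPS only), written out as an added example that is not part of the original thread. The loopback bindings, the 8443 PROXY listener between Hitch and Varnish, and the listener settings quoted in the comments are assumptions, not details given by the posters.

```vcl
vcl 4.1;

import std;

# Assumed listener layout, all on the one droplet the certificate belongs to:
#   hitch.conf   frontend = "[*]:443"
#                backend  = "[127.0.0.1]:8443"
#                write-proxy-v2 = on
#   varnishd     -a :80 -a 127.0.0.1:8443,PROXY
#   Apache       Listen 127.0.0.1:8080
# Binding Apache and the PROXY listener to loopback means no client can
# reach either one directly and skip TLS termination or the cache.

backend default {
    .host = "127.0.0.1";   # Apache, moved off port 80 as the answer describes
    .port = "8080";
}

sub vcl_recv {
    # Hitch passes the original destination in the PROXY header, so
    # server.ip carries port 443 for TLS traffic and 80 for plain HTTP.
    if (std.port(server.ip) != 443) {
        # HTTPS only: plain HTTP gets a redirect and never reaches Apache.
        return (synth(301, "Moved Permanently"));
    }

    # Overwrite any client-supplied value so Apache and the application
    # only see a scheme that Varnish itself has established.
    set req.http.X-Forwarded-Proto = "https";
}

sub vcl_synth {
    if (resp.status == 301) {
        set resp.http.Location = "https://" + req.http.Host + req.url;
        return (deliver);
    }
}
```

With this in place the DNS "A" records stay pointed at the existing droplet, so the certificate Hitch serves remains valid for the domain.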
