SSL with Varnish and Apache on separate droplets, one domain

I have a droplet with Apache serving up a website on a domain (let us say “”). My DNS “A” records point the domain to the existing droplet (host). Via DigitalOcean Marketplace I have created a new droplet with Varnish and Hitch preinstalled.

In order to pass traffic through Varnish I must presumably replace the “A” records with new ones pointing to this new droplet, but if I do so, my existing droplet is no longer tied to the domain “” and so my SSL certificate won’t be valid.

If I keep the existing “A” records so that I still have a valid certificate, how can traffic be passed through the Varnish server?

If I have “A” records pointing to both droplets, how can I ensure that all traffic is passed to Varnish?

Any help would be much appreciated.

Site Moderator
December 15, 2020
Accepted Answer

Hi @henryhood,

You can use Varnish in front of your Apache on port 80 on the server where your SSL is installed. That’s how Varnish is meant to work. It works on port 80 and passes data to Apache.

This means that you can install Varnish on the droplet where you have Apache and your website. That way you wouldn’t need to change any DNS records, you’ll just need to configure Varnish to listen on port 80 and Apache on port 8080 for HTTP requests. The 433 requests you can still leave with Apache I guess.

Regards, KFSys
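
A check for the layout this answer describes (Varnish on port 80, Apache moved to 8080), as an added example that is not part of the original answer: it reads `ss -Hltnp` output and flags an Apache backend bound to a public address, which would let clients reach Apache directly and skip Varnish. The process names `apache2`, `httpd` and `cache-main` and the sample lines are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit listeners for "Varnish on :80, Apache on :8080".
# Real use (as root, so process names appear): ss -Hltnp | audit_listeners
# Prints FAIL/WARN findings; returns non-zero if any FAIL was found.
audit_listeners() {
    awk '
    function is_loopback(h) { return (h ~ /^127\./ || h == "[::1]") }
    NF < 4 { next }
    {
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        host = $4; sub(/:[0-9]+$/, "", host)   # address without the port
        if (port == "80") {
            seen80 = 1
            if ($0 ~ /"(apache2|httpd)"/) {    # assumed Apache process names
                print "FAIL :80 is still held by Apache, not Varnish"; bad++
            }
        } else if (port == "8080") {
            seen8080 = 1
            if (!is_loopback(host)) {
                print "FAIL :8080 bound to " host ", reachable without Varnish"; bad++
            }
        } else if (port == "443") {
            seen443 = 1                        # Apache or Hitch, per the thread
        }
    }
    END {
        if (!seen80)   { print "FAIL nothing is listening on :80"; bad++ }
        if (!seen8080) { print "FAIL no backend is listening on :8080"; bad++ }
        if (!seen443)  { print "WARN nothing is listening on :443 (no HTTPS)" }
        exit (bad > 0)
    }'
}

# Constructed sample input (not captured from a real host).
sample_good() { cat <<'EOF'
LISTEN 0 1024 0.0.0.0:80     0.0.0.0:* users:(("cache-main",pid=911,fd=6))
LISTEN 0 511  127.0.0.1:8080 0.0.0.0:* users:(("apache2",pid=702,fd=4))
LISTEN 0 511  0.0.0.0:443    0.0.0.0:* users:(("apache2",pid=702,fd=6))
EOF
}
sample_exposed() { cat <<'EOF'
LISTEN 0 1024 0.0.0.0:80 0.0.0.0:* users:(("cache-main",pid=911,fd=6))
LISTEN 0 511  *:8080     *:*       users:(("apache2",pid=702,fd=4))
EOF
}

sample_good | audit_listeners && echo "good layout: no findings"
sample_exposed | audit_listeners || echo "exposed layout: findings above"
```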

Hi KFSys, you are no doubt right, and there would be no problem running Varnish and Apache on the 2 processors / 4Gb I had, but since I will also be installing ElasticSearch I have upgraded the droplet to 4 processors / 8Gb. I have done as you suggested but also installed Hitch to do SSL termination. Right now both https and http are accepted, but I will change that to https only. Everything works OK now, except I have a minor problem with MediaWiki’s VisualEditor, which can’t save edits. Thanks for your help!

Thank you, KFSys, I think I’ll do as you suggest. I just hoped I could do it this way as it would be cheaper to add a small droplet than to upgrade my existing one, which I will probably then need.