SSL with Varnish and Apache on separate droplets, one domain

Posted December 15, 2020 497 views
Tags: Apache, DNS, Let's Encrypt

I have a droplet with Apache serving up a website on a domain (let us say “”). My DNS “A” records point the domain to the existing droplet (host). Via DigitalOcean Marketplace I have created a new droplet with Varnish and Hitch preinstalled.

In order to pass traffic through Varnish I must presumably replace the “A” records with new ones pointing to this new droplet, but if I do so, my existing droplet is no longer tied to the domain “” and so my SSL certificate won’t be valid.

If I keep the existing “A” records so that I still have a valid certificate, how can traffic be passed through the Varnish server?

If I have “A” records pointing to both droplets, how can I ensure that all traffic is passed to Varnish?

Any help would be much appreciated.

3 answers

Hi @henryhood,

You can use Varnish in front of your Apache on port 80 on the server where your SSL is installed. That’s how Varnish is meant to work. It works on port 80 and passes data to Apache.

This means that you can install Varnish on the droplet where you have Apache and your website. That way you wouldn’t need to change any DNS records, you’ll just need to configure Varnish to listen on port 80 and Apache on port 8080 for HTTP requests. The 443 requests you can still leave with Apache I guess.


Thank you, KFSys, I think I’ll do as you suggest. I just hoped I could do it this way as it would be cheaper to add a small droplet than to upgrade my existing one, which I will probably then need.

  • Hi @henryhood

    Using Varnish should help you optimize your droplet and as such should actually help lower the load of your droplet. The thing is Varnish uses only port 80 so I take it there are not many requests if any that you receive on that port? Most probably you have a redirection rule to port 443, am I correct?


Hi KFSys, you are no doubt right, and there would be no problem running Varnish and Apache on the 2 processors / 4Gb I had, but since I will also be installing ElasticSearch I have upgraded the droplet to 4 processors / 8Gb.
I have done as you suggested but also installed Hitch to do SSL termination. Right now both https and http are accepted, but I will change that to https only. Everything works OK now, except I have a minor problem with MediaWiki’s VisualEditor, which can’t save edits. Thanks for your help!
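The single-droplet layout KFSys describes, with the Hitch TLS termination henryhood ended up adding, as an added example that is not the poster's configuration or the Marketplace image's own files. It assumes Hitch on :443 handing plain HTTP to Varnish over the PROXY protocol on 127.0.0.1:8443, Varnish on the public :80, and Apache moved to 127.0.0.1:8080 so that nothing but Varnish can reach it. The file paths, the 8443 hop, the PEM file name and the `ss` sample output are assumptions; the script writes everything into a scratch directory so it runs offline, and `check_listeners` is the post-deployment check that the only public ports are 80 and 443.

```shell
#!/bin/sh
# Added example (not the poster's own config): Hitch :443 -> Varnish 127.0.0.1:8443 (PROXY)
# and :80 -> Apache 127.0.0.1:8080. Files land in $OUT (a temp dir by default).
set -eu
OUT="${OUT:-$(mktemp -d)}"

render_configs() {
  dir="$1"

  # Intended for /etc/hitch/hitch.conf. write-proxy-v2 passes the client IP and
  # the original :443 destination to Varnish, which the VCL below relies on.
  cat > "$dir/hitch.conf" <<'EOF'
# TLS front end; PEM file name is a placeholder (key + cert + chain in one file)
frontend = "[*]:443"
backend  = "[127.0.0.1]:8443"
pem-file = "/etc/hitch/example.com.pem"
write-proxy-v2 = on
EOF

  # Intended for /etc/varnish/default.vcl. Apache is the only backend and is
  # reached on loopback; plain HTTP on :80 is redirected to HTTPS.
  cat > "$dir/default.vcl" <<'EOF'
vcl 4.1;
import std;

backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # server.ip carries the PROXY destination, so TLS traffic shows port 443
    if (std.port(server.ip) != 443) {
        set req.http.location = "https://" + req.http.host + req.url;
        return (synth(301));
    }
    # lets Apache (and the web app behind it) build https:// URLs
    set req.http.X-Forwarded-Proto = "https";
}

sub vcl_synth {
    if (resp.status == 301) {
        set resp.http.location = req.http.location;
        return (deliver);
    }
}
EOF

  # Listen addresses for varnishd (systemd ExecStart or /etc/varnish/varnish.params):
  # public :80 plus the loopback PROXY port that only Hitch talks to.
  cat > "$dir/varnishd.args" <<'EOF'
-a :80 -a 127.0.0.1:8443,PROXY -f /etc/varnish/default.vcl -s malloc,256m
EOF

  # Intended for /etc/apache2/ports.conf: Apache gives up 80 and 443 entirely.
  # Drop any "Listen 443" inside <IfModule ssl_module> and change the
  # <VirtualHost *:80> / *:443 stanzas to <VirtualHost 127.0.0.1:8080>.
  cat > "$dir/ports.conf" <<'EOF'
Listen 127.0.0.1:8080
EOF
}

# Reads `ss -Hltn` output on stdin and returns non-zero if Apache (8080) or the
# Hitch->Varnish hop (8443) is bound to anything other than loopback.
check_listeners() {
  awk 'BEGIN { bad = 0 }
       { n = split($4, a, ":"); port = a[n]
         addr = substr($4, 1, length($4) - length(port) - 1) }
       (port == 8080 || port == 8443) && addr != "127.0.0.1" {
         bad = 1; print "port " port " exposed on " addr }
       END { exit bad }'
}

# Constructed sample of `ss -Hltn` for the intended layout (not real output).
SS_GOOD='LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8443 0.0.0.0:*'

# Constructed sample of the mistake to catch: Apache still public on 8080.
SS_BAD='LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8443 0.0.0.0:*'

render_configs "$OUT"
echo "configs written to $OUT"
printf '%s\n' "$SS_GOOD" | check_listeners && echo "sample layout: only 80/443 public"
```

After copying the files into place and restarting the three services, `ss -Hltn | check_listeners` on the droplet is the quick check that the cache cannot be bypassed by hitting Apache directly; the Let's Encrypt certificate stays on the same droplet, so the DNS records in the question never need to change.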