Varnish, Nginx and SSL help

June 17, 2014
Hi! I have a droplet running nginx, Varnish and WordPress and it's working fine. I then decided to install a certificate and set up the whole thing to allow me to run the WordPress blog on https. I know I have to do the redirection from http to https, but when I add the lines below nginx fails to start, because it's using the same port 80.

server {
    listen 80 default_server;
    return 301 https://$host$request_uri;
    server_name myIPAdress;
}

I am a newbie at this and, even having learned a lot, I am not sure how to fix this. I even saw the question below and asked a question there, because apparently the user is running exactly the way I should too.
https://www.digitalocean.com/community/questions/nginx-ssl-varnish-nginx-backend-getting-error-on-nginx-config-test
Can someone help? Thanks!

2 Answers
This article is the best thing that I've found on the topic: https://wiki.deimos.fr/Nginx_%2B_Varnish_:_Cache_even_in_HTTPS_by_offloading_SSL Essentially, you'll need to set up Varnish to listen on port 80 and use an Nginx backend listening on something else like port 8000 in this example. Nginx will then listen directly on 443 for https requests and then proxy them to port 80 on the local host for Varnish.

Hello, I don't know if you already solved your issue (it's quite a pain to configure SSL with nginx and Varnish only), but I solved it this way:

starting from the hybrid:
nginx on port 8080 and port 443
Varnish on port 80

Requests on port 80 arrive at Varnish; if not cached, they are requested from nginx on port 8080 and sent back to the user.

Requests on port 443 (SSL) arrive at nginx; the request is decrypted and sent to Varnish on port 80 (using the proxy_pass directive over the local network). Varnish requests the document from nginx on 8080 or uses its cache and sends the document back to nginx; nginx encrypts the document and sends it back to the user.

With this scenario your web server works on both http and https.

The next step is to redirect all http requests to https; this is done in Varnish, since it is the software listening on port 80.

I made the following modification in Varnish's default.vcl (I'm using Varnish 3.0.5; for Varnish 4 it's a bit different):

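sub vcl_recv {
    # ..... (rest of vcl_recv elided in the original answer)

    # HTTPS: a request for the site that did not come through the TLS
    # front end (no X-Forwarded-Proto: https) gets a redirect.
    if ( (req.http.host ~ "^(?i)mysite.it" || req.http.host ~ "^(?i)www.mysite.it")
         && req.http.X-Forwarded-Proto !~ "(?i)https") {
        # Build the target URL, keeping the full path and query string.
        set req.http.x-Redir-Url = "https://www.mysite.it" + req.url;
        # 750 is a private status code, handled in vcl_error below.
        error 750 req.http.x-Redir-Url;
    }

    # ... (rest of vcl_recv elided in the original answer)
}


sub vcl_error {
    # Turn the internal 750 into a real 301 whose Location is the URL
    # passed as the error response text.
    if (obj.status == 750) {
        set obj.http.Location = obj.response;
        set obj.status = 301;
        return (deliver);
    }
}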

This way any request to http://mysite.it or http://www.mysite.it is redirected (with full path) to https using a 301.

You would probably need a few more tweaks to have everything working as you like (for example logging IPs), but this is the main concept to achieve a full http to https switch.
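
The nginx side of the layout described in the answers above, as an added example that is not part of either answer. The host names and ports 443, 80 and 8080 come from the thread; the certificate paths, document root, PHP-FPM socket, the `$forwarded_https` variable name and the assumption that Varnish and nginx share one host are placeholders.

```nginx
# Added example; paths and the PHP-FPM socket are placeholders/assumptions.
# Nothing here listens on port 80: that port belongs to Varnish.

# "on" only when the request came through the TLS server block below.
map $http_x_forwarded_proto $forwarded_https {
    default "";
    https   on;
}

# TLS terminator: decrypts, then hands the request to Varnish on port 80.
server {
    listen 443 ssl;
    server_name mysite.it www.mysite.it;

    ssl_certificate     /etc/nginx/ssl/PLACEHOLDER.crt;
    ssl_certificate_key /etc/nginx/ssl/PLACEHOLDER.key;

    location / {
        proxy_pass http://127.0.0.1:80;
        proxy_set_header Host $host;
        # Fixed value: replaces whatever the client sent, and is what the
        # VCL test on req.http.X-Forwarded-Proto looks for.
        proxy_set_header X-Forwarded-Proto https;
        # Overwrite, not append, so the client cannot forge earlier hops.
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

# Backend that Varnish fetches from on a cache miss; loopback only
# (assumes Varnish runs on the same host).
server {
    listen 127.0.0.1:8080;
    server_name mysite.it www.mysite.it;
    root /var/www/PLACEHOLDER;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Lets WordPress see HTTPS even though this hop is plain HTTP.
        fastcgi_param HTTPS $forwarded_https if_not_empty;
        fastcgi_pass unix:/run/PLACEHOLDER-php-fpm.sock;
    }
}
```

Without the `X-Forwarded-Proto` line every HTTPS request would hit the Varnish redirect again and loop. Because the VCL trusts that header, a client that sends `X-Forwarded-Proto: https` straight to port 80 is served over plain HTTP, so on the Varnish side the header should only be honoured on requests arriving from 127.0.0.1.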
