Question
Varnish SSL and hitch SSL termination super bad performance
I’m testing around with loader.io and noticed SSL (termination) in front of varnish serves very badly.
My Digital Ocean graph seems to show Disk I/O maxed at 1.21MB/s (isn’t this incredibly low? My M4 SSD runs around 1.500MB/s which is not the same as 1.5 right?)
Cache-Control: max-age=333s
I have setup Hitch as SSL termination like so:
sudo nano /etc/hitch/hitch.conf
# ADD:
## Basic hitch config for use with Varnish and Acmetool
# Listening
frontend = "[*]:443"
ciphers = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
# Send traffic to the Varnish backend using the PROXY protocol
backend = "[::1]:6086"
write-proxy-v2 = on
# List of PEM files, each with key, certificates and dhparams
pem-file = "/var/lib/acme/live/website.io/haproxy"
# END ADD
And varnish like so:
sudo nano /etc/varnish/acmetool.vcl
# ADD:
backend acmetool {
.host = "127.0.0.1";
.port = "402";
}
sub vcl_recv {
if (req.url ~ "^/.well-known/acme-challenge/") {
set req.backend_hint = acmetool;
return(pass);
}
}
# END ADD
# include acmetool settings in default.vcl
cp /dev/null /etc/varnish/default.vcl
sudo nano /etc/varnish/default.vcl
# ADD:
vcl 4.0;
import std;
backend default {
.host = "127.0.0.1";
.port = "8080";
}
sub vcl_recv {
if (std.port(local.ip) == 80) {
set req.http.x-redir = "https://" + req.http.host + req.url;
return(synth(850, "Moved permanently"));
}
}
sub vcl_synth {
if (resp.status == 850) {
set resp.http.Location = req.http.x-redir;
set resp.status = 301;
return (deliver);
}
}
include "/etc/varnish/acmetool.vcl";
# END ADD
What’s wrong with my setup and how can I improve performance?
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
×