<div dir="auto">At the risk of insisting, hitch is super easy to setup, once installed, you just need to:<div dir="auto">- Edit /etc/hitch/hitch.conf to</div><div dir="auto"> - Set the front-end, usually *:443</div><div dir="auto"> - Set the backend (where to send decrypted traffic), <a href="http://127.0.0.1:8443">127.0.0.1:8443</a></div><div dir="auto"> - Set the pem-file line to point to a certificate</div><div dir="auto">- Add "-a <a href="http://127.0.0.1:8443">127.0.0.1:8443</a>,PROXY" to Varnish command.</div><div dir="auto"><br></div><div dir="auto">The Varnish part will be needed anyway if you want to use the proxy protocol.</div><div dir="auto"><br></div><div dir="auto">The docs here <a href="https://docs.varnish-software.com/varnish-cache-plus/features/client-ssl/">https://docs.varnish-software.com/varnish-cache-plus/features/client-ssl/</a> can help you (except that the name of the package differs) but the crux of it is really what I listed above.</div><div dir="auto"><br></div><div dir="auto">So we can do better next time, what didn't you like about the info you got about hitch?<br><br><div data-smartmail="gmail_signature" dir="auto">-- <br>Guillaume Quintard </div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Aug 16, 2017 09:29, "Admin Beckspaced" <<a href="mailto:admin@beckspaced.com">admin@beckspaced.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks a lot for your suggestion for using HaProxy ;)<br>
<br>
My thinking was just: why install another bit of software when apache is able to do the SSL termination.<br>
But like Andrei said, if traffic spikes hit the apache runaround will not be the optimal solution.<br>
<br>
Do you guys have any recent up-to-date tutorials / howtos on setting up HaProxy as SSL terminator in front of varnish.<br>
also doing the SSL redirects ...<br>
<br>
Did look around for Hitch but wasn't very pleased with the info provided ;(<br>
<br>
Any hints are welcome & thanks for your help & replies ;)<br>
<br>
Greetings<br>
Becki<br>
<br>
<br>
<br>
On 15.08.2017 22:04, Jan Hugo Prins | BetterBe wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I would not do it like that.<br>
Better is to use something like Hitch or HaProxy (my preference) and put that in front of Varnish.<br>
Then HaProxy / Hitch can terminate all SSL traffic, and HaProxy can also do your redirect to SSL if needed.<br>
Then in Varnish you use the Apache server as a backend and let it only serve what it needs to serve.<br>
Use the ProxyProtocol to send the client information from HaProxy to Vernish.<br>
In Varnish you need to put the client IP into the X-Forwarded-For header.<br>
In Apache you can then use this header to have the real client IP address.<br>
<br>
This way you have the real client IP information on all layers.<br>
<br>
Jan Hugo Prins<br>
<br>
<br>
</blockquote>
<br>
<br>
______________________________<wbr>_________________<br>
varnish-misc mailing list<br>
<a href="mailto:varnish-misc@varnish-cache.org" target="_blank">varnish-misc@varnish-cache.org</a><br>
<a href="https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc" rel="noreferrer" target="_blank">https://www.varnish-cache.org/<wbr>lists/mailman/listinfo/varnish<wbr>-misc</a><br>
</blockquote></div></div>