<div dir="ltr">+1 for SSL with Hitch/HAProxy. The setup described with the Apache runaround will more than likely tank as soon as large traffic spikes appear</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 15, 2017 at 3:04 PM, Jan Hugo Prins | BetterBe <span dir="ltr"><<a href="mailto:jprins@betterbe.com" target="_blank">jprins@betterbe.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    I would not do it like that. <br>
    Better is to use something like Hitch or HaProxy (my preference) and
    put that in front of Varnish. <br>
    Then HaProxy / Hitch can terminate all SSL traffic, and HaProxy can
    also do your redirect to SSL if needed. <br>
    Then in Varnish you use the Apache server as a backend and let it
    only serve what it needs to serve.<br>
    Use the ProxyProtocol to send the client information from HaProxy to
    Varnish.<br>
    In Varnish you need to put the client IP into the X-Forwarded-For
    header.<br>
    In Apache you can then use this header to have the real client IP
    address.<br>
    <br>
    This way you have the real client IP information on all layers.<br>
    <br>
    Jan Hugo Prins<div><div class="h5"><br>
    <br>
    <br>
    <br>
    <div class="m_-2053081272555223348moz-cite-prefix">On 08/15/2017 11:39 AM, Admin
      Beckspaced wrote:<br>
    </div>
    </div></div><blockquote type="cite"><div><div class="h5">
      
      <p><font face="Tahoma">Hello there ;)</font></p>
      <p>I'm running varnish in front of my apache on port 80 without
        any issues so far.<br>
        <br>
        Recently I decided to also use varnish for SSL connections<br>
        <br>
        To do so I first do a http to https redirect within varnish VCL<br>
        <br>
        if ( req.http.X-Forwarded-Proto !~ "(?i)https" ) {<br>
            return (synth(750, ""));<br>
        }<br>
        <br>
        then in vcl_synth()<br>
        <br>
        sub vcl_synth {<br>
        <br>
                    if (resp.status == 750) {<br>
                        set resp.status = 301;<br>
                        set resp.http.Location = <a class="m_-2053081272555223348moz-txt-link-rfc2396E">"https://"</a> + req.http.host +
        req.url;<br>
                        return(deliver);<br>
                    }<br>
        }<br>
        <br>
        This works fine and all http got redirected to https<br>
        <br>
        Then on port 443 I got apache listening as a reverse proxy with
        the following config:<br>
        <br>
        <VirtualHost *:443><br>
        <br>
            ServerName <a href="http://somedomain.com" target="_blank">somedomain.com</a><br>
            ServerAlias *.<a href="http://somedomain.org" target="_blank">somedomain.org</a><br>
        <br>
            SSLEngine on</p>
      <p>    ... ssl cert stuff here ...<br>
      </p>
          ProxyPreserveHost On<br>
          ProxyPass / <a class="m_-2053081272555223348moz-txt-link-freetext" href="http://127.0.0.1:80/" target="_blank">http://127.0.0.1:80/</a><br>
          ProxyPassReverse / <a class="m_-2053081272555223348moz-txt-link-freetext" href="http://127.0.0.1:80/" target="_blank">http://127.0.0.1:80/</a><br>
          RequestHeader set X-Forwarded-Port "443"<br>
          RequestHeader set X-Forwarded-Proto "https"<br>
      <p></VirtualHost><br>
        <br>
        Also this works perfectly fine! Apache does the SSL termination
        and then reverse proxies everything back to varnish on port 80<br>
        <br>
        If I have a look in the apache ssl log:<br>
        <br>
        [15/Aug/2017:02:03:41 +0200] 35.190.201.122 TLSv1.2
        ECDHE-RSA-AES128-GCM-SHA256 "GET /feed/ HTTP/1.1" - <a class="m_-2053081272555223348moz-txt-link-rfc2396E" href="http://domain.org/feed/" target="_blank">"http://domain.org/feed/"</a>
        "Go-http-client/1.1"<br>
        [15/Aug/2017:02:03:41 +0200] 35.190.201.122 TLSv1.2
        ECDHE-RSA-AES128-GCM-SHA256 "GET /feed HTTP/1.1" 10513 <a class="m_-2053081272555223348moz-txt-link-rfc2396E" href="https://domain.org/feed/" target="_blank">"https://domain.org/feed/"</a>
        "Go-http-client/1.1"<br>
        <br>
        If I look in the varnishlog I see the following:<br>
        <br>
        <a href="http://domain.org" target="_blank">domain.org</a> 35.190.201.122 - - [15/Aug/2017:02:03:41 +0200] "GET
        <a class="m_-2053081272555223348moz-txt-link-freetext" href="http://domain.org/feed/" target="_blank">http://domain.org/feed/</a> HTTP/1.1"
        301 0 "-" "Go-http-client/1.1"<br>
        <a href="http://domain.org" target="_blank">domain.org</a> 127.0.0.1 - - [15/Aug/2017:02:03:41 +0200] "GET <a class="m_-2053081272555223348moz-txt-link-freetext" href="http://domain.org/feed/" target="_blank">http://domain.org/feed/</a> HTTP/1.1"
        301 0 <a class="m_-2053081272555223348moz-txt-link-rfc2396E" href="http://domain.org/feed/" target="_blank">"http://domain.org/feed/"</a>
        "Go-http-client/1.1"<br>
        <a href="http://domain.org" target="_blank">domain.org</a> 127.0.0.1 - - [15/Aug/2017:02:03:41 +0200] "GET <a class="m_-2053081272555223348moz-txt-link-freetext" href="http://domain.org/feed" target="_blank">http://domain.org/feed</a> HTTP/1.1"
        200 10513 <a class="m_-2053081272555223348moz-txt-link-rfc2396E" href="https://domain.org/feed/" target="_blank">"https://domain.org/feed/"</a>
        "Go-http-client/1.1"<br>
        <br>
        But in the process of Varnish -> Redirect http to https ->
        Apache Reverse Proxy -> Varnish I lose the client IP address
        in varnishlog<br>
        It just says 127.0.0.1<br>
        <br>
        How can I forward the client IP to varnishlog in this process?<br>
        <br>
        I need to have the client IP in varnishlog as I use those to
        generate statistics about the website.<br>
        <br>
        any help, hints or insights would be awesome ;)<br>
        <br>
        Thanks & greetings<br>
        Becki<br>
        <br>
        <br>
      </p>
      <pre class="m_-2053081272555223348moz-signature" cols="72">-- 
Beckspaced - Server Administration
--------------------------------------------------
Ralf Flederer
Marienplatz 9
97353 Wiesentheid
Tel.: 09383-9033825
Mobil: 01577-7258912
Internet: <a class="m_-2053081272555223348moz-txt-link-abbreviated" href="http://www.beckspaced.com" target="_blank">www.beckspaced.com</a>
--------------------------------------------------</pre>
      <br>
      <br>
      </div></div><span class=""><pre>______________________________<wbr>_________________
varnish-misc mailing list
<a class="m_-2053081272555223348moz-txt-link-abbreviated" href="mailto:varnish-misc@varnish-cache.org" target="_blank">varnish-misc@varnish-cache.org</a>
<a class="m_-2053081272555223348moz-txt-link-freetext" href="https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc" target="_blank">https://www.varnish-cache.org/<wbr>lists/mailman/listinfo/<wbr>varnish-misc</a></pre>
    </span></blockquote>
    <br>
    <div class="m_-2053081272555223348moz-signature">-- <br>
      <table style="font-family:Arial,Roboto;font-size:12px;line-height:1.38em;border-collapse:collapse;color:#332f60;letter-spacing:0.1px;white-space:nowrap">
        <colgroup><col style="width:174px"><col style="width:174px"><col style="width:166px"></colgroup> <tbody>
          <tr>
            <td colspan="3" style="font-size:13px;color:#000;line-height:20px;padding:0 0 42px 0"> Kind regards<br>
              <br>
              Jan Hugo Prins<br>
              <i>DevOps Engineer</i> </td>
          </tr>
          <tr>
            <td>
              Auke Vleerstraat 140 E<br>
              7547 AN Enschede<br>
              CC no. <a href="https://www.kvk.nl/orderstraat/product-kiezen/?kvknummer=080975270000" style="text-decoration:none;color:#332f60" target="_blank">08097527</a>
            </td>
            <td>
              <b>T</b> <a href="tel:+31534800694" style="text-decoration:none;color:#332f60" target="_blank">+31 (0) 53
                48 00 694</a><br>
              <b>E</b> <a href="mailto:jprins@betterbe.com" style="text-decoration:none;color:#332f60" target="_blank">jprins@betterbe.com</a><br>
              <b>M</b> <a href="tel:+31%20%280%296%20263%2058%20951" style="text-decoration:none;color:#332f60" target="_blank">+31 (0)6 263
                58 951</a>
            </td>
            <td style="vertical-align:bottom"><a href="https://www.betterbe.com" style="color:#e73c57;font-weight:bold;text-decoration:none" target="_blank">www.betterbe.com</a></td>
          </tr>
        </tbody>
      </table>
    </div>
  </div>

</blockquote></div><br></div>