Varnish cache software does not support SSL/TLS by default. You need additional software to enable SSL/TLS support on Varnish.
SSL Termination is a method to enable SSL/TLS on Varnish. You can use Hitch, Nginx, or Apache to enable SSL termination for the Varnish HTTP accelerator.
SSL termination software will be running on the HTTPS port ‘443‘ and handles all HTTPS requests from clients. After that, all requests will be forwarded to the varnish cache software, then forward to the origin backend server.
Prerequisites
In this article, you will learn how to set up Varnish SSL Termination with the Nginx web server.
Before you begin, ensure you have got the following requirements in place:
- A Linux server with Varnish installed on it.
- Root privileges
- A domain name
For this example, we’re using the Rocky Linux server with the Varnish installed on top of it. And we will use the domain name ‘example.io‘.
Now let’s get started.
Installing Nginx Webserver
If you’re using the Nginx as the Varnish backend, skip this first step.
In this first step, you will be installing Nginx on the Linux system.
1. For Debian/Ubuntu-based distribution, execute the apt command below to install the Nginx web server.
sudo apt install nginx -y
2. For CentOS/RockyLinux/AlmaLinux operating system, execute the DNF command below to install the Nginx web server.
sudo dnf install nginx -y
3. After Nginx installation completes, start and enable the Nginx web server using the following command.
sudo systemctl enable --now nginx
If you got an error, leave it. You will be configuring Nginx in the next step.
Generate SSL with Certbot
In this step, you will be installing the cerbot tool and generating SSL certificates from Letsencrypt for the domain ‘example.io‘.
1. First, add the HTTP and HTTPS ports to the system firewall.
For Debian/Ubuntu systems, execute the ufw command below to open HTTP and HTTPS ports.
sudo ufw allow http
sudo ufw allow https
sudo ufw reload
For CentOS/RockyLinux/AlmaLinux systems, execute the firewall-cmd command below.
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload
2. Next, install the certbot tool using the following command.
Install certbot tool on Debian/Ubuntu systems using the apt command below.
sudo apt install certbot -y
Install certbot tool on the CentOS/RockyLinux/AlmaLinux systems using the DNF command below.
sudo dnf install certbot -y
3. Before you generate the SSL Letsencrypt, stop the Varnish service that running on the default HTTP port.
sudo systemctl stop varnish
sudo systemctl stop nginx
4. Now execute the certbot command below to generate SSL Letsencrypt. And make sure to change the domain name and email address.
sudo certbot certonly --agree-tos --email [email protected] --standalone --preferred-challenges http -d example.io
After the certbot process completes, your certificate will be available at the directory ‘/etc/letsencrypt/live/DOMAIN.COM/‘.
The certificate ‘fullchain.pem‘ is your SSL public key, and the ‘privkey.pem‘ is your SSL private key.
Setup Default Nginx Port
Skip this step if you’re using the Nginx web server as the backend for your Varnish HTTP accelerator.Advertisement
If you’re using another backend web server, you must configure the default port for Nginx.
1. Edit the default nginx configuration using nano editor.
sudo nano /etc/nginx/nginx.conf
On the default ‘server { … }‘ section, change the option ‘listen‘ to port ‘8081‘ as below.
....server {
listen 8081 default_server;
listen [::]:8081 default_server;...trim...
}....
Save the configuration and exit.
2. Now restart the Nginx service to apply a new configuration.
sudo systemctl restart nginx
The default Nginx service is now running on port ‘8081‘.
Setup SSL Termination with Nginx Web server
To set up SSL termination with Nginx, you need to create a new virtual host/server blocks configuration that will be running on the HTTPS port ‘443’.
This virtual host handles all HTTPS requests from clients and forwards all requests to the Varnish HTTP accelerator.
1. Create a new Nginx server block configuration using the following command.
If you’re using the Debian/Ubuntu-based system, create a new configuration ‘/etc/nginx/sites-available/example.io‘.
sudo nano /etc/nginx/sites-available/example.io
For CentOS/RockyLinux/AlmaLinux system, create new configuration ‘/etc/nginx/conf.d/example.conf’.
sudo nano /etc/nginx/conf.d/example.conf
Copy and paste the following configuration. And make sure to change the domain name and path of SSL certificates.
server { listen 443 ssl http2;
server_name example.io;
ssl_certificate /etc/letsencrypt/live/exmaple.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.io/privkey.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/example.io_access.log;
error_log /var/log/nginx/example.io_error.log;
location / {
proxy_pass http://127.0.0.1:80;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $host;
}
}
Save the configuration and exit.
2. Next, For the Debian/Ubuntu system, activate the server block configuration using the following command.
sudo ln -s /etc/nginx/sites-available/example.io /etc/nginx/sites-enabled/
3. Now execute the following command to verify the Nginx configuration, then restart the Nginx service to apply the new configuration.
sudo nginx -t
sudo systemctl restart nginx
4. Now verify the Nginx service and HTTPS port ‘443‘ using the following command.
Verify Nginx service status using the systemctl command below.
sudo systemctl status nginx
Make sure the Nginx service is active and running.
Verify the HTTPS port ‘443‘ on your system using the ss command below.
ss -antpl | grep 443
Make sure the HTTPS port ‘443‘ on the state ‘LISTEN‘.
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=4787,fd=8),("nginx",pid=4786,fd=8),("nginx",pid=4785,fd=8))
Now you’ve completes the basic configuration of SSL termination with the Nginx webserver.
Automatic HTTP to HTTPS with Varnish
In this step, you will be setting up Varnish to automatically redirect HTTP to HTTPS protocol. This can be achieved by creating a new Varnish rule on the configuration ‘default.vcl’.
1. Edit the varnish configuration ‘/etc/varnish/default.vcl’ using nano editor.
nano /etc/varnish/default.vcl
Copy and paste the following configuration inside the option ‘sub vcl_recv { … }‘. And make sure to change the domain name with your domain.
sub vcl_recv { ...trim...
if (client.ip != "127.0.0.1" && req.http.host ~ "example.io") {
set req.http.x-redir = "https://example.io" req.url;
return(synth(850, ""));
}
...trim...
{
Next, add the following configuration to the bottom of the line. This will determine the redirect method to HTTP ‘301’.
sub vcl_synth {
if (resp.status == 850) {
set resp.http.Location = req.http.x-redir;
set resp.status = 301;
return (deliver);
}
}
Save the varnish configuration and exit.
2. Next, restart the Varnish service to apply a new configuration using the following command.
sudo systemctl restart varnish
And you’ve completed the automatic HTTP and HTTPS redirect using the Varnish rule.
Verify Varnish SSL Termination
To test the Varnish SSL termination, you can use the web browser or using the curl command.
1. Open your web browser and type your domain name on the address bar. For this example, we’re using the Firefox web browser.
http://example.io
You will be automatically redirected to the HTTPS protocol.
Right-click on the web page and click the menu ‘Inspect‘.
Move to the tab ‘Network‘ and click the ‘Reload‘ button.
Click the root URL request and you will see similar output as below.
The request to http://example.io is automatically redirected to the HTTPS protocol https://example.io with the status code ‘301‘.
The Varnish server handles all client requests.
2. To verify varnish SSL termination with curl, use the following command.
curl -I http://example.io
You will see a detailed HTTP header as below.
The request is redirected to the HTTPS protocol ‘https://example.io’ with HTTP status code ‘301‘. The varnish server handles all requests from clients.
Conclusion
Congratulation! You’ve learned the configuration of Varnish SSL Termination with the Nginx web server.
Also, you’ve learned the basic certbot command for generating free SSL Letsencrypt and the basic varnish rule for automatically redirecting from HTTP to HTTPS.
