
Running Varnish with HTTPS/SSL

In an earlier post, I wrote how Varnish can make a huge difference in website performance. Varnish caches content and acts as a proxy in front of a web server to serve pages with extreme speed. The downside of Varnish, however, is that it does not terminate SSL/TLS connections itself. Now that security is becoming more and more important (not just for the sake of security, but also for Google rankings), this is a problem.

The solution

(TL;DR: put Varnish behind the web server)

Recently I started implementing TLS to provide a secure connection. I needed to work around this Varnish problem and, after some research, I came up with the following solution:

Varnish with SSL/TLS setup

A proxy behind a proxy?

Yes, a proxy behind a proxy. Nginx listens on the default HTTPS port (443), terminates the TLS connection and fetches all content from Varnish over plain HTTP on the local host; Varnish in turn fetches from the backend web server as before. This additional hop allows the Varnish output to be encrypted (using the web server's TLS configuration) before it leaves the machine. If you're using Apache or some other web server this should work as well: configure your server to serve HTTPS like any other site and create a reverse proxy to Varnish. One caveat: because Varnish and the backend only ever see plain HTTP, pass the original scheme along (for example in an X-Forwarded-Proto header) so they can build https:// links and don't bounce clients into a redirect loop, and make sure the plain-HTTP port 80 is no longer served straight from Varnish but redirected to HTTPS.
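The Nginx side of that setup, as an added example that is not the configuration from the post's GitHub repository. It assumes Varnish is listening on 127.0.0.1:6081, that the site is example.com, and that the certificate and key live under /etc/ssl; all three are placeholders. It also sets the HSTS header the post mentions further down.

```nginx
# Added example, not the post's own config. Hostname, ports and
# certificate paths are assumptions; adjust them for your site.

# Plain HTTP: redirect everything to HTTPS so Varnish only ever receives
# requests that arrived encrypted at Nginx.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

# HTTPS: Nginx terminates TLS and reverse-proxies to Varnish.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_session_cache   shared:SSL:10m;   # session resumption keeps the handshake cost down

    # HSTS: browsers remember for one year that this host is HTTPS-only.
    # Only enable includeSubDomains once every subdomain works over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:6081;   # Varnish, plain HTTP on the local host
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Varnish and the backend only see plaintext; this header tells them
        # the client used HTTPS, so they can emit https:// links and avoid
        # redirecting the client back to HTTP in a loop.
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

If your backend serves different bodies for http:// and https:// (for example absolute URLs in the HTML), Varnish must also include X-Forwarded-Proto in its cache hash, otherwise a response cached via one scheme will be served for the other; the Varnish side of that lives in the VCL, not in this Nginx block.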

And what about performance?

Most likely, the additional hop (as well as the TLS encryption itself) slows down your website a little. The effect should be very small: the proxy hop to Varnish on the local host costs far less than a cache hit saves, and most of the TLS cost is in the handshake, which keep-alive connections and session resumption amortise across many requests. Far more importantly, it allows you to serve the site over a secure connection.

I personally think that encryption should be on by default and I prefer HTTP Strict Transport Security (HSTS) to enforce HTTPS connections on every page at all times, not just pages that deal with sensitive data. I'm willing to give up a little bit of performance for that. It is, however, perfectly possible to use both Varnish and HTTPS.

The source code for the Docker container (containing Nginx/Varnish configuration) is available on GitHub.

Thanks for reading!

Written by svenv on Aug. 24, 2015 Permalink
Image: Siemens