
varnishlog client IP problem via Apache SSL reverse proxy
Hello there ;)

I'm running varnish in front of my apache on port 80 without any issues
so far.

Recently I decided to also use varnish for SSL connections.

To do so I first do an http to https redirect within varnish VCL:

if ( req.http.X-Forwarded-Proto !~ "(?i)https" ) {
    return (synth(750, ""));
}

then in vcl_synth()

sub vcl_synth {
    if (resp.status == 750) {
        set resp.status = 301;
        set resp.http.Location = "https://" + req.http.host + req.url;
        return (deliver);
    }
}

This works fine and all http gets redirected to https.

Then on port 443 I have apache listening as a reverse proxy with the
following config:

<VirtualHost *:443>

    ServerName somedomain.com
    ServerAlias *.somedomain.org

    SSLEngine on

    ... ssl cert stuff here ...

    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:80/
    ProxyPassReverse / http://127.0.0.1:80/
    RequestHeader set X-Forwarded-Port "443"
    RequestHeader set X-Forwarded-Proto "https"

</VirtualHost>

Also this works perfectly fine! Apache does the SSL termination and then
reverse proxies everything back to varnish on port 80.

If I have a look in the apache ssl log:

[15/Aug/2017:02:03:41 +0200] 35.190.201.122 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /feed/ HTTP/1.1" - "http://domain.org/feed/" "Go-http-client/1.1"
[15/Aug/2017:02:03:41 +0200] 35.190.201.122 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /feed HTTP/1.1" 10513 "https://domain.org/feed/" "Go-http-client/1.1"

If I look in the varnishlog I see the following:

domain.org 35.190.201.122 - - [15/Aug/2017:02:03:41 +0200] "GET http://domain.org/feed/ HTTP/1.1" 301 0 "-" "Go-http-client/1.1"
domain.org 127.0.0.1 - - [15/Aug/2017:02:03:41 +0200] "GET http://domain.org/feed/ HTTP/1.1" 301 0 "http://domain.org/feed/" "Go-http-client/1.1"
domain.org 127.0.0.1 - - [15/Aug/2017:02:03:41 +0200] "GET http://domain.org/feed HTTP/1.1" 200 10513 "https://domain.org/feed/" "Go-http-client/1.1"

But in the process of Varnish -> Redirect http to https -> Apache
Reverse Proxy -> Varnish I lose the client IP address in varnishlog.
It just says 127.0.0.1.

How can I forward the client IP to varnishlog in this process?

I need to have the client IP in varnishlog as I use those to generate
statistics about the website.

any help, hints or insights would be awesome ;)

Thanks & greetings
Becki


--
Beckspaced - Server Administration
------------------------------------------------
Ralf Flederer
Marienplatz 9
97353 Wiesentheid
Tel.: 09383-9033825
Mobil: 01577-7258912
Internet: www.beckspaced.com
------------------------------------------------
Re: varnishlog client IP problem via Apache SSL reverse proxy
So, if I understood, that's Apache in front of Varnish, not the other way
around. But let's not get lost on semantics.

Varnish fanboy version: drop Apache, and use Hitch (http://hitch-tls.org/)
to handle SSL/TLS. That only works if Apache is only there for SSL
termination and not for other tasks not performed by Varnish (if so, which
ones?)
With it you can just test the server port used (std.port(server.ip) == 443)
to determine you are using https.

Apache clean version: use the PROXY protocol. Not sure Apache is able to do
it, haven't looked. That way, apache can behave like hitch and you don't
lose the client.ip info.

Apache dirty version: use the x-forwarded-for header to tell varnish who
sent the request, then use vmod_std to convert that string to an ip. Ugly,
but works.



--
Guillaume Quintard

On Tue, Aug 15, 2017 at 11:39 AM, Admin Beckspaced <admin@beckspaced.com>
wrote:

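Guillaume's "Apache dirty version" above, worked through as an added VCL example (written for this page; it is not code from the thread, from Apache or from the Varnish project). It assumes Varnish 4.0 or later, where client.ip is appended to X-Forwarded-For before vcl_recv runs, Apache on 127.0.0.1 adding the TLS client's address to that header as mod_proxy does by default, and a header name X-Client-IP chosen here for the result. The part a defender cares about is the ACL: the header is only believed when the TCP peer is the loopback proxy, and even then only the entry that proxy itself appended, so a client sending its own X-Forwarded-For cannot choose the address that ends up in the statistics.

```vcl
vcl 4.0;
import std;

# Only the loopback peer (Apache after TLS termination) may assert a
# client address on behalf of someone else.
acl trusted_proxies {
    "127.0.0.1";
}

sub vcl_recv {
    # Varnish 4.0+ appends client.ip to X-Forwarded-For before vcl_recv
    # runs, so a request relayed by Apache arrives here as
    #   X-Forwarded-For: 35.190.201.122, 127.0.0.1
    # (mod_proxy added the TLS client's address, Varnish added Apache's).
    if (client.ip ~ trusted_proxies && req.http.X-Forwarded-For) {
        # Keep only the entry immediately before the trailing loopback
        # address: that is the one Apache saw on the TLS socket. Anything
        # further left came from the client itself and is discarded.
        # X-Client-IP is a header name chosen for this example.
        set req.http.X-Client-IP = regsub(req.http.X-Forwarded-For,
            "^(?:.*,\s*)?([^,\s]+)\s*,\s*127\.0\.0\.1$", "\1");
        # vmod_std converts the string to an IP; anything that does not
        # parse falls back to the TCP peer instead of poisoning the log.
        set req.http.X-Client-IP = std.ip(req.http.X-Client-IP, client.ip);
    } else {
        # Direct connection on port 80: the TCP peer is the client, and a
        # forged X-Forwarded-For must not travel on to the backend.
        set req.http.X-Client-IP = client.ip;
        set req.http.X-Forwarded-For = client.ip;
    }
    # Shows up in varnishlog as a VCL_Log record alongside the request.
    std.log("client-ip: " + req.http.X-Client-IP);
}
```

To get the recovered address into the NCSA-style log instead of 127.0.0.1, point varnishncsa at the header with its -F format option, using %{X-Client-IP}i where the default format has %h. On a Varnish build that does not append client.ip itself, the regsub leaves the string untouched and std.ip() still validates it, so a multi-hop value simply falls back to the peer address rather than being logged as-is.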
Re: varnishlog client IP problem via Apache SSL reverse proxy
I would not do it like that.
Better is to use something like Hitch or HaProxy (my preference) and put
that in front of Varnish.
Then HaProxy / Hitch can terminate all SSL traffic, and HaProxy can also
do your redirect to SSL if needed.
Then in Varnish you use the Apache server as a backend and let it only
serve what it needs to serve.
Use the ProxyProtocol to send the client information from HaProxy to
Varnish.
In Varnish you need to put the client IP into the X-Forwarded-For header.
In Apache you can then use this header to have the real client IP address.

This way you have the real client IP information on all layers.

Jan Hugo Prins



On 08/15/2017 11:39 AM, Admin Beckspaced wrote:

--
Kind regards

Jan Hugo Prins
/DevOps Engineer/
<https://betterbe.com>
Auke Vleerstraat 140 E
7547 AN Enschede
CC no. 08097527
<https://www.kvk.nl/orderstraat/product-kiezen/?kvknummer=080975270000>
*T* +31 (0) 53 48 00 694 <tel:+31534800694>
*E* jprins@betterbe.com <mailto:jprins@betterbe.com>
*M* +31 (0)6 263 58 951 <tel:+31%20%280%296%20263%2058%20951>
www.betterbe.com <https://www.betterbe.com>
BetterBe accepts no liability for the content of this email, or for the
consequences of any actions taken on the basis
of the information provided, unless that information is subsequently
confirmed in writing. If you are not the intended
recipient you are notified that disclosing, copying, distributing or
taking any action in reliance on the contents of this
information is strictly prohibited.
Re: varnishlog client IP problem via Apache SSL reverse proxy
+1 for SSL with Hitch/HAProxy. The setup described with the Apache
runaround will more than likely tank as soon as large traffic spikes appear.

On Tue, Aug 15, 2017 at 3:04 PM, Jan Hugo Prins | BetterBe <
jprins@betterbe.com> wrote:

Re: varnishlog client IP problem via Apache SSL reverse proxy
Thanks a lot for your suggestion for using HaProxy ;)

My thinking was just: why install another bit of software when apache is
able to do the SSL termination.
But like Andrei said, if traffic spikes hit the apache runaround will
not be the optimal solution.

Do you guys have any recent up-to-date tutorials / howtos on setting up
HaProxy as SSL terminator in front of varnish, also doing the SSL
redirects?

Did look around for Hitch but wasn't very pleased with the info provided ;(

Any hints are welcome & thanks for your help & replies ;)

Greetings
Becki



On 15.08.2017 22:04, Jan Hugo Prins | BetterBe wrote:


_______________________________________________
varnish-misc mailing list
varnish-misc@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
Re: varnishlog client IP problem via Apache SSL reverse proxy
At the risk of insisting, hitch is super easy to set up; once installed, you
just need to:
- Edit /etc/hitch/hitch.conf to
  - Set the front-end, usually *:443
  - Set the backend (where to send decrypted traffic), 127.0.0.1:8443
  - Set the pem-file line to point to a certificate
- Add "-a 127.0.0.1:8443,PROXY" to the Varnish command.

The Varnish part will be needed anyway if you want to use the proxy
protocol.

The docs here
https://docs.varnish-software.com/varnish-cache-plus/features/client-ssl/
can help you (except that the name of the package differs) but the crux of
it is really what I listed above.

So we can do better next time, what didn't you like about the info you got
about hitch?

--
Guillaume Quintard

On Aug 16, 2017 09:29, "Admin Beckspaced" <admin@beckspaced.com> wrote:

> Thanks a lot for your suggestion for using HaProxy ;)
>
> My thinking was just: why install another bit of software when apache is
> able to do the SSL termination.
> But like Andrei said, if traffic spikes hit the apache runaround will not
> be the optimal solution.
>
> Do you guys have any recent up-to-date tutorials / howtos on setting up
> HaProxy as SSL terminator in front of varnish.
> also doing the SSL redirects ...
>
> Did look around for Hitch but wasn't very pleased with the info provided ;(
>
> Any hints are welcome & thanks for your help & replies ;)
>
> Greetings
> Becki
>
>
>
> On 15.08.2017 22:04, Jan Hugo Prins | BetterBe wrote:
>
>> I would not do it like that.
>> Better is to use something like Hitch or HaProxy (my preference) and put
>> that in front of Varnish.
>> Then HaProxy / Hitch can terminate all SSL traffic, and HaProxy can also
>> do your redirect to SSL if needed.
>> Then in Varnish you use the Apache server as a backend and let it only
>> serve what it needs to serve.
>> Use the ProxyProtocol to send the client information from HaProxy to
>> Vernish.
>> In Varnish you need to put the client IP into the X-Forwarded-For header.
>> In Apache you can then use this header to have the real client IP address.
>>
>> This way you have the real client IP information on all layers.
>>
>> Jan Hugo Prins
>>
>>
>>
>
> _______________________________________________
> varnish-misc mailing list
> varnish-misc@varnish-cache.org
> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
>
Re: varnishlog client IP problem via Apache SSL reverse proxy
I think the choice between HaProxy and Hitch is probably one where you
have to look at what you need or might need in the future and what you
already know.
My decision to use HaProxy was based on several criteria:
- We already use HaProxy at other locations so I was familiar with the
product and its configuration.
- Using Hitch would mean that I would need to maintain another piece of
software.
- I wanted to be able to make traffic routing decisions before the
request hits Varnish: send requests to different backends, etc.
- I wanted to do some rewrites before the traffic hits Varnish.

Based on those criteria I decided to put HaProxy in front of Varnish.
Your criteria will very likely be different.

Jan Hugo Prins


On 08/16/2017 08:56 AM, Admin Beckspaced wrote:

Re: varnishlog client IP problem via Apache SSL reverse proxy
Thanks Guillaume,

will then have a look into the info you provided and report back if I
run into any trouble trying to set up hitch ;)

What's your recommendation of up-to-date documents on how to set up hitch
in front of varnish with multiple vhost SSL certificates?

So far I found:

https://github.com/varnish/hitch
https://hitch-tls.org/

Is there any docu elsewhere you can recommend?

Thanks a lot for your support!

Greetings
Becki


On 16.08.2017 09:57, Guillaume Quintard wrote:


Re: varnishlog client IP problem via Apache SSL reverse proxy
For multiple certificates, simply put multiple pem-file lines in
hitch.conf, and you're good to go :-)

--
Guillaume Quintard

On Aug 16, 2017 12:30, "Admin Beckspaced" <admin@beckspaced.com> wrote:

> Thanks Guillaume,
>
> will then have a look into the info you provided and report back if I run
> into any trouble trying to setup hitch ;)
>
> What's your recommendation of up-to-date documents on how to setup hitch
> in front of varnish with multiple vhost SSL certificates?
>
> So far I found:
>
> https://github.com/varnish/hitch
> https://hitch-tls.org/
>
> Is there any docu elsewhere you can recommend?
>
> Thanks a lot for your support!
>
> Greetings
> Becki
>
>
> On 16.08.2017 09:57, Guillaume Quintard wrote:
>
>> At the risk of insisting, hitch is super easy to setup, once installed,
>> you just need to:
>> - Edit /etc/hitch/hitch.conf to
>> - Set the front-end, usually *:443
>> - Set the backend (where to send decrypted traffic), 127.0.0.1:8443 <
>> http://127.0.0.1:8443>
>> - Set the pem-file line to point to a certificate
>> - Add "-a 127.0.0.1:8443 <http://127.0.0.1:8443>,PROXY" to Varnish
>> command.
>>
>> The Varnish part will be needed anyway if you want to use the proxy
>> protocol.
>>
>> The docs here https://docs.varnish-software.
>> com/varnish-cache-plus/features/client-ssl/ can help you (except that
>> the name of the package differs) but the crux of it is really what I listed
>> above.
>>
>> So we can do better next time, what didn't you like about the info you
>> got about hitch?
>>
>> --
>> Guillaume Quintard
>>
>> On Aug 16, 2017 09:29, "Admin Beckspaced" <admin@beckspaced.com <mailto:
>> admin@beckspaced.com>> wrote:
>>
>> Thanks a lot for your suggestion for using HaProxy ;)
>>
>> My thinking was just: why install another bit of software when
>> apache is able to do the SSL termination.
>> But like Andrei said, if traffic spikes hit the apache runaround
>> will not be the optimal solution.
>>
>> Do you guys have any recent up-to-date tutorials / howtos on
>> setting up HaProxy as SSL terminator in front of varnish.
>> also doing the SSL redirects ...
>>
>> Did look around for Hitch but wasn't very pleased with the info
>> provided ;(
>>
>> Any hints are welcome & thanks for your help & replies ;)
>>
>> Greetings
>> Becki
>>
>>
>>
>> On 15.08.2017 22:04, Jan Hugo Prins | BetterBe wrote:
>>
>> I would not do it like that.
>> Better is to use something like Hitch or HaProxy (my
>> preference) and put that in front of Varnish.
>> Then HaProxy / Hitch can terminate all SSL traffic, and
>> HaProxy can also do your redirect to SSL if needed.
>> Then in Varnish you use the Apache server as a backend and let
>> it only serve what it needs to serve.
>> Use the ProxyProtocol to send the client information from
>> HaProxy to Vernish.
>> In Varnish you need to put the client IP into the
>> X-Forwarded-For header.
>> In Apache you can then use this header to have the real client
>> IP address.
>>
>> This way you have the real client IP information on all layers.
>>
>> Jan Hugo Prins
>>
>>
>>
>>
>> _______________________________________________
>> varnish-misc mailing list
>> varnish-misc@varnish-cache.org <mailto:varnish-misc@varnish-cache.org
>> >
>> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
>> <https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc>
>>
>>
>
Re: varnishlog client IP problem via Apache SSL reverse proxy
Good Morning Everyone ;)

Before doing some work today and installing Hitch as an SSL/TLS
terminator in front of varnish on my production server ...

I would like to thank you all for your help & suggestions and especially
@Guillaume for insisting to have a look at Hitch ;)

First, I want to take back my statement about hitch documentation. I
found all in the docu that is needed to setup and configure hitch.
Perhaps I was a bit surprised about the 'tiny' amount of documentation
but hey ... hitch is only a 'dumb' TLS proxy!
So there's nothing that much to document after all ;)

Also the redirect from http -> https works like a breeze ... though I
had to do a bit of std.log("local port: " + std.port(local.ip))
to understand the difference between remote, local, client, server
variables ...

Another tiny bit of frustration I encountered via a typo copy & paste
from github

https://github.com/varnish/hitch/issues/39

It's about setting the X-Forwarded-Proto https header in varnish VCL to
let my wordpress know that it's running on https

and if you do a copy & paste of

sub vcl_recv {
    if (std.port(local.ip) == 80) {
        return (synth(700));
    } else {
        set req.http.X-Forwared-Proto = "https";
    }
}

and you don't look closely enough to notice that the 'd' is missing in
req.http.X-Forwared-Proto (it should be req.http.X-Forwarded-Proto),

you will scratch your head for quite some time and wonder why wordpress
doesn't know that it is running on SSL ... oh my gosh!

anyway ... all worked out fine and now I got some hitch install to do on
my production server ;)

Thanks & best wishes
Becki


On 16.08.2017 09:57, Guillaume Quintard wrote:


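The Hitch/PROXY-protocol path that Guillaume's std.port(server.ip) == 443 hint and the vcl_recv snippet in the last message describe, as one complete added VCL example (written for this page; it is not the thread's own code, nor Hitch's or Varnish's documentation). It assumes varnishd started with two listeners, a plain one on :80 and the -a 127.0.0.1:8443,PROXY one Guillaume listed, Varnish 4.1 or newer for PROXY support and the local./server. variables, and the synth status 700 from Becki's snippet; the X-Forwarded-Port header is carried over from the Apache config in the first message. Because Hitch speaks the PROXY protocol to Varnish, client.ip is already the real client on both listeners and varnishlog needs no header tricks; the scheme header is derived from the socket Varnish accepted the connection on rather than trusted from the request, so a client on port 80 cannot talk its way past the redirect by sending the header itself.

```vcl
vcl 4.0;
import std;

# Assumed listeners for this example (not taken from the thread's configs):
#   varnishd -a :80 -a 127.0.0.1:8443,PROXY ...
# Hitch terminates TLS on *:443 and forwards the plaintext stream to
# 127.0.0.1:8443 with a PROXY header, so client.ip is the real client on
# both listeners and no X-Forwarded-For parsing is needed for the log.

sub vcl_recv {
    # Never believe a client-supplied scheme header; it is derived below
    # from the socket the request actually arrived on.
    unset req.http.X-Forwarded-Proto;
    unset req.http.X-Forwarded-Port;

    if (std.port(local.ip) == 80) {
        # Plain-HTTP listener: redirect before any caching logic runs.
        return (synth(700, "Moved to HTTPS"));
    }

    # On the PROXY listener, server.ip carries the address the client
    # actually connected to (Hitch's *:443), while local.ip is Varnish's
    # own socket (127.0.0.1:8443).
    if (std.port(server.ip) == 443) {
        set req.http.X-Forwarded-Proto = "https";   # note the 'd' in Forwarded
        set req.http.X-Forwarded-Port = "443";
    }
}

sub vcl_synth {
    if (resp.status == 700) {
        set resp.status = 301;
        set resp.http.Location = "https://" + req.http.host + req.url;
        return (deliver);
    }
}
```

With this in place the NCSA-style output from varnishncsa shows the TLS client's address for the requests that came through Hitch, because the PROXY header sets client.ip before VCL ever runs; the only request that still logs a loopback address would be one made locally to 127.0.0.1:80 itself.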