varnish-4.0-configuration-templates
add parameter for redirecting to SSL
Hi,
I've set up this vcl template. Thank you very much, it's very useful.
Now, my setup is (client) --https--> apache 443 --proxy pass --> varnish 80 --> apache 8080
so apache does the ssl termination and proxies into varnish. varnish then requests apache non https port
this works and requires in apache non https vhost:

    SetEnvIf X_FORWARDED_PROTO "^https$" HTTPS=on

on vhost https I have:

    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:80/
    #ProxyPassReverse / http://localhost:80/
    RequestHeader set X-Forwarded-Port "443"
    RequestHeader set X-Forwarded-Proto "https"

and for wordpress users, in wp-config.php I have:

    define('FORCE_SSL_ADMIN', true);
    // in some setups HTTP_X_FORWARDED_PROTO might contain
    // a comma-separated list e.g. http,https
    // so check for https existence (isset avoids a warning when the header is absent)
    if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
        && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
        $_SERVER['HTTPS'] = 'on';

before loading wp-settings.php
Now, varnish should have a way of redirecting to https if client is not using it.. something like:

    if (client.ip != "127.0.0.1") {
        set req.http.x-redir = "https://" + req.http.host + req.url;
        return (synth(850, "Moved permanently"));
    }

and

    sub vcl_synth {
        if (resp.status == 850) {
            set resp.http.Location = req.http.x-redir;
            set resp.status = 302;
            return (deliver);
        }
    }

I took this code from somewhere on the internet, but I'm afraid it's not quite right..
Would it be possible for you to implement such feature?
Also, I'm guessing there would be a list of hosts, and then match req.http.host with that lookup...
Hi!
This shouldn't be too hard to implement in Varnish, it's essentially the same logical condition as your Apache vhost redirect on port :8080. Something like this should work, in vcl_recv.

    if (req.http.X-Forwarded-Proto !~ "(?i)https") {
        # This is not an HTTPS connection via Apache
        # Dots are escaped so they only match a literal "."
        if (req.http.host ~ "^(domain1\.tld|domain2\.tld|domain3\.tld)$") {
            return (synth(850, "https://" + req.http.host + req.url));
        }
    }

Could you give that a try?
@mattiasgeniar Thank you!
Let me just say I'm new to varnish.. so I understand very little of it, tho I understand the logic.
In the meanwhile I have added the following to the vcl:

    # Force HTTPS
    if ((client.ip != "127.0.0.1") && (
        std.tolower(req.http.host) == "domain1.tld" ||
        std.tolower(req.http.host) == "domain2.tld" ||
        std.tolower(req.http.host) == "domain3.tld" ||
        std.tolower(req.http.host) == "xxx" ||
        std.tolower(req.http.host) == "xxx" ||
        std.tolower(req.http.host) == "xxx" ||
        std.tolower(req.http.host) == "xxx" ||
        std.tolower(req.http.host) == "xxx" ||
        std.tolower(req.http.host) == "xxx" ||
        std.tolower(req.http.host) == "xxx" ||
        std.tolower(req.http.host) == "xxx" ||
        std.tolower(req.http.host) == "xxx" ||
        std.tolower(req.http.host) == "xxx" ||
        std.tolower(req.http.host) == "xxx" ||
        std.tolower(req.http.host) == "xxx" ||
        std.tolower(req.http.host) == "xxx" ||
        std.tolower(req.http.host) == "xxx" ||
        std.tolower(req.http.host) == "xxx"
    )) {
        #set req.http.x-redir = "https://" + req.http.host + req.url;
        #return(synth(720, "Moved permanently"));
        return (synth(720, "https://" + req.http.host + req.url));
    }

using your existing code 720
But seems right validating req.http.X-Forwarded-Proto, .. I will test that. I was suggesting you could add a commented section for this pre-configured..
Should I set something regarding the x-forwarded-proto in varnish at anytime?
Also, on a separate note, for some reason getting a HEAD on my apache takes more than 5 seconds (why?!?), so probe was marking it as sick. You should add a curl command in the comments of probe section to simulate it. What I used was:

    time curl -X "HEAD / HTTP/1.1" -i http://localhost:8080

> Should I set something regarding the x-forwarded-proto in varnish at anytime?

No, if the Apache proxy sets it, that check in Varnish will work just fine.
As for the curl tip: I should definitely do that!
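
A hardened version of the redirect discussed in this thread, as an added example (not code from the thread or from the template): it combines the `client.ip` and `X-Forwarded-Proto` checks so that a header sent by a client connecting directly to Varnish on port 80 is discarded before the HTTPS test. The ACL name `tls_terminators`, the backend definition and the choice of 301 are assumptions; the host names are the thread's placeholders.

```vcl
vcl 4.0;

# Assumption: Apache (TLS terminator on 443, backend on 8080) runs on this machine,
# as in the topology described in the first post.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

# Assumption: only these addresses are allowed to assert X-Forwarded-Proto.
acl tls_terminators {
    "127.0.0.1";
    "::1";
}

sub vcl_recv {
    # Requests that did not come through the local Apache proxy must not be
    # able to claim they arrived over HTTPS, so drop the forwarded headers.
    if (client.ip !~ tls_terminators) {
        unset req.http.X-Forwarded-Proto;
        unset req.http.X-Forwarded-Port;
    }

    # An unset header never matches, so direct port-80 requests fall through
    # to the redirect. The anchored host list also bounds what can end up in
    # the Location header.
    if (req.http.X-Forwarded-Proto !~ "(?i)https" &&
        req.http.host ~ "(?i)^(domain1\.tld|domain2\.tld|domain3\.tld)$") {
        return (synth(850, "https://" + req.http.host + req.url));
    }
}

sub vcl_synth {
    # 850 is an internal marker; the synth reason carries the target URL.
    if (resp.status == 850) {
        set resp.http.Location = resp.reason;
        set resp.status = 301;          # use 302 for a temporary redirect
        set resp.reason = "Moved Permanently";
        return (deliver);
    }
}
```

The file can be syntax-checked with `varnishd -C -f <file>` before loading it.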