Best practice for SSL passthrough?

Mattias Geniar mattias at nucleus.be
Fri Jun 17 17:11:25 CEST 2011


> Let me get this straight: HTTPS -> nginx -> HTTP -> Varnish -> HTTP ->
> Backend?
> 
> Is that how it works? That seems pretty neat because then I can cache https
> requests too.

Yup, that's it exactly. And Nginx is pretty performant as well, so it complements Varnish in that matter.

> 
> I don't know too much about ssl, but it seems to me the backend might be
> confused at getting regular http requests when it expects https? Or this
> might not be an issue?

It's not really an issue, except when your application expects to know when it's hitting HTTP or HTTPS requests. See below. :-)

> 
> > With Nginx you can pass some extra headers to your backend as well, so
> > you can differentiate between HTTP and HTTPS traffic.
> 
> In what case would I want to do that?

Depends on your application, but you may want to limit certain functions to only the HTTPS site (say: login, credit card information, ...).

Also keep in mind that if you have redirects (say: in a .htaccess file for Apache) that redirect to HTTPS when they receive an HTTP call, you'll hit an infinite loop since all your requests will hit the backend as HTTP.

Regards,
Mattias
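
The redirect loop and the extra-header fix described in the message above, as an added example that is not part of the original post: a constructed WSGI backend that forces HTTPS, once by looking only at its own connection and once by reading a header from the proxy. The header name `X-Forwarded-Proto`, the trusted proxy address and all function names are assumptions; the proxy has to be configured to set (and overwrite) that header itself.

```python
# Added example: constructed WSGI backend behind a TLS-terminating proxy.
from wsgiref.util import setup_testing_defaults

# Assumption: nginx/Varnish reach the backend from this address only.
TRUSTED_PROXIES = {"127.0.0.1"}


def original_scheme(environ):
    """Scheme the client used, as reported by the trusted proxy."""
    # Honour the header only when the request came from our proxy;
    # otherwise a client talking to the backend directly could claim "https".
    if environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if proto in ("http", "https"):
            return proto
    return environ["wsgi.url_scheme"]


def make_app(scheme_of):
    """Backend that forces HTTPS, using scheme_of(environ) to decide."""
    def app(environ, start_response):
        if scheme_of(environ) != "https":
            target = "https://" + environ["HTTP_HOST"] + environ["PATH_INFO"]
            start_response("301 Moved Permanently", [("Location", target)])
            return [b""]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"secure page"]
    return app


# Sees only the plain-HTTP hop from the proxy, so it redirects forever.
naive_app = make_app(lambda environ: environ["wsgi.url_scheme"])
# Uses the proxy-supplied header, so HTTPS clients get the page.
aware_app = make_app(original_scheme)


def request(app, remote_addr, forwarded_proto=None):
    """Send one constructed plain-HTTP request; return the status line."""
    environ = {"REMOTE_ADDR": remote_addr, "PATH_INFO": "/login"}
    setup_testing_defaults(environ)  # sets wsgi.url_scheme="http", HTTP_HOST, ...
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]
```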



