varnish ssl

Joshua Levine jlevine at iwin.com
Sat May 4 23:07:37 CEST 2013


In the previous proposal, you would have your DNS refer to the IP address of the virtual server on the load balancer, such that DNS reflects the proper hostname of the SSL certificate in question.

Your Load Balancer would be configured with a Virtual Server that terminates SSL for you, and passes traffic to your backend varnish cluster, and varnish passes the traffic to your back end web servers.

To take it a step further I might recommend:

client -> DNS -> Public IP for the hostname on the Load Balancer (Virtual Server) -> Varnish Cluster -> An internal IP (RFC 1918) on the Load Balancer (Virtual Server) -> Web Server Cluster

That will ensure:

1. Valid termination of your SSL traffic and none of the client errors you are concerned about.

2. n+1 management for your varnish cluster

3. n+1 management for your web server cluster

Your IP will not need to change; you just want it moved to the load balancer, and you can then use whatever you want (preferably internal IPs) for the rest of the hosts.

Joshua
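A Varnish 3 VCL sketch of the topology above, added here as an example rather than taken from the thread: Varnish forwards to the internal load balancer VIP and only accepts requests arriving from the load balancer, so no request reaches the cache without passing through the SSL-terminating virtual server. All addresses and the login/payment URL prefixes are assumed placeholders.

```vcl
# Added example (Varnish 3 VCL), not from the mailing-list thread.
# Topology: public LB VIP (terminates SSL) -> this Varnish -> internal LB VIP (RFC 1918) -> web servers.
# Every address below is an assumed placeholder.

# Internal virtual server on the load balancer that fronts the web server cluster.
backend lb_internal {
    .host = "10.0.0.20";    # assumed RFC 1918 VIP on the load balancer
    .port = "80";
    .probe = {
        .url = "/";
        .interval = 5s;
        .timeout = 1s;
        .window = 5;
        .threshold = 3;
    }
}

# Only the load balancer's virtual server should be able to reach Varnish.
# Without this, plain-HTTP requests could bypass SSL termination entirely.
acl from_lb {
    "10.0.0.10";            # assumed LB address as seen by Varnish
}

sub vcl_recv {
    if (client.ip !~ from_lb) {
        error 403 "Forbidden";
    }
    set req.backend = lb_internal;

    # Login and payment pages carry per-user state; never serve them from cache.
    if (req.url ~ "^/(login|payment)") {
        return (pass);
    }
}
```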


On May 4, 2013, at 12:59 PM, Your Friend wrote:

> Hi,
> 
> Please correct me if I'm wrong, but I think that your SSL certificate is issued for a specific IP && domain. Pointing your domain to the load balancer (a new, different IP) may cause a problem for you and require that you reissue your SSL certificate to make it work.
> 
> Thanks, Ali
> 
> From: Ashish <aashisn at hotmail.com>
> To: varnish-misc at varnish-cache.org
> Sent: Sunday, 14 April 2013 12:46
> Subject: varnish ssl
> 
> I am setting up varnish as caching+entry point for public traffic.
> 
> Public => varnish(x2) => loadbalancer => Web servers (x4)
> 
> We have around 15 domains with ssl support on login/payment pages.
> 
> I am not quite getting done here.
> 
> 1) I could point all domains to the varnish IP and it could route accordingly, but I don't think I can make SSL work out to be sent st. to the load balancer and then the web server.
>     Question: Does the SSL request get untouched and sent directly to the end server?
> 2) Can I somehow configure varnish to be stand alone, but point DNS to the load balancer IPs and somehow still manage to get varnish to serve cached objects?
> 
> Please guide me
> 
> _______________________________________________
> varnish-misc mailing list
> varnish-misc at varnish-cache.org
> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc

