Varnish to be used for https
Here's the situation. I have clients over a secured network (https) that talk to multiple backends. Now, I wanted to establish a reverse proxy for majorly load balancing (based on header data or cookies) and a little caching. So, I thought varnish could be of use.

But, varnish does not support ssl-connection. As I've read at many places, quoting, "Varnish does not support SSL termination natively". But, I want every connection, ie. client-varnish and varnish-backend to be over https. I cannot have plaintext data anywhere throughout network (there are restrictions) so nothing else can be used as SSL-Terminator (or can be?).

So, here are the questions:

  • Firstly, what does this mean (if someone can explain in simple terms) that "Varnish does not support SSL termination natively".
  • Secondly, is this scenario good to implement using varnish?
  • and Finally, if varnish is not a good contender, should I switch to some other reverse proxy. If yes, then which will be suitable for the scenario? (HA, Nginx etc.)
Saltillo answered 2/11, 2015 at 10:9 Comment(0)

what does this mean (if someone can explain in simple terms) that "Varnish does not support SSL termination natively"

It means Varnish has no built-in support for SSL. It can't operate in a path with SSL unless the SSL is handled by separate software.

This is an architectural decision by the author of Varnish, who discussed his contemplation of integrating SSL into Varnish back in 2011.

He based this on a number of factors, not the least of which was wanting to do it right if at all, while observing that the de facto standard library for SSL is openssl, which is a labyrinthine collection of over 300,000 lines of code, and he was neither confident in that code base, nor in the likelihood of a favorable cost/benefit ratio.

His conclusion at the time was, in a word, "no."

That is not one of the things I dreamt about doing as a kid and if I dream about it now I call it a nightmare.

https://www.varnish-cache.org/docs/trunk/phk/ssl.html

He revisited the concept in 2015.

His conclusion, again, was "no."

Code is hard, crypto code is double-plus-hard, if not double-squared-hard, and the world really don't need another piece of code that does an half-assed job at cryptography.

...

When I look at something like Willy Tarreau's HAProxy I have a hard time to see any significant opportunity for improvement.

No, Varnish still won't add SSL/TLS support.

Instead in Varnish 4.1 we have added support for Willys PROXY protocol which makes it possible to communicate the extra details from a SSL-terminating proxy, such as HAProxy, to Varnish.

https://www.varnish-cache.org/docs/trunk/phk/ssl_again.html

This enhancement could simplify integrating varnish into an environment with encryption requirements, because it provides another mechanism for preserving the original browser's identity in an offloaded SSL setup.

is this scenario good to implement using varnish?

If you need Varnish, use it, being aware that SSL must be handled separately. Note, though, that this does not necessarily mean that unencrypted traffic has to traverse your network... though that does make for a more complicated and CPU hungry setup.

nothing else can be used as SSL-Terminator (or can be?)

The SSL can be offloaded on the front side of Varnish, and re-established on the back side of Varnish, all on the same machine running Varnish, but by separate processes, using HAProxy or stunnel or nginx or other solutions, in front of and behind Varnish. Any traffic in the clear is operating within the confines of one host so is arguably not a point of vulnerability if the host itself is secure, since it never leaves the machine.

if varnish is not a good contender, should I switch to some other reverse proxy

This is entirely dependent on what you want and need in your stack, its cost/benefit to you, your level of expertise, the availability of resources, and other factors. Each option has its own set of capabilities and limitations, and it's certainly not unheard-of to use more than one in the same stack.

Kurdistan answered 3/11, 2015 at 23:4 Comment(3)
Hi, this is a really good explanation. It is not just security, but audit/certification restrictions. So, even if the plain text is on the same machine, it is visible to the system administrator and even this is not acceptable. So, whatever I'll use to route the traffic from within, I need it to route SSL traffic as well. So, I'll probably now use HAProxy for load distribution. (Saltillo)
Ok, on a different note, do you know if HAProxy can be used to distribute load based on HTTP(S) header/parameters and/or cookies? (Saltillo)
@Saltillo yes, HAProxy can inspect the payload and make the same routing decisions on HTTPS as HTTP as long as HAProxy terminates the SSL connection. It can re-establish SSL to the back-end, so the unencrypted data is only within the HAProxy process, which is different than what happens with Varnish, but really no different than what happens inside the web server itself: the encrypted data must be decrypted by the web server or it couldn't be processed by the application. (Kurdistan)
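The layout the answer and its comments describe, as an added configuration example that is not part of the original thread and not taken from the Varnish or HAProxy projects: one HAProxy instance terminates TLS on the public side, hands the request to Varnish on the loopback interface with the PROXY protocol so the original client address survives, then receives Varnish's plaintext fetch on a second loopback listener and re-encrypts it to the origin servers, choosing the backend from a cookie or the Host header along the way. Hostnames, ports, certificate paths and the `region` cookie are assumptions for illustration; Varnish is assumed to be started with `-a 127.0.0.1:6081,PROXY` and a VCL backend pointing at `127.0.0.1:8080`. Nothing in the clear ever leaves the host, and with Varnish removed (route `fe_public` straight to the `be_origin_*` backends) plaintext exists only inside the HAProxy process, which is the arrangement the last comment settles on.

```haproxy
global
    log /dev/log local0
    # TLS floor for every listener that terminates TLS (assumed policy)
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# 1. Public side: terminate TLS, pass to Varnish with PROXY protocol v2
frontend fe_public
    bind *:443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    default_backend be_varnish

backend be_varnish
    # Varnish listens with -a 127.0.0.1:6081,PROXY (assumed); send-proxy-v2
    # carries the real client IP/port so Varnish sees it as client.ip
    server varnish 127.0.0.1:6081 send-proxy-v2 check

# 2. Private side: Varnish fetches from here in plaintext over loopback;
#    HAProxy picks the origin pool and re-encrypts before leaving the host
frontend fe_from_varnish
    bind 127.0.0.1:8080
    # Routing on a cookie value and on a request header (assumed names)
    acl is_eu   req.cook(region) -m str eu
    acl is_api  hdr_beg(host) -i api.
    use_backend be_origin_eu  if is_eu
    use_backend be_origin_api if is_api
    default_backend be_origin_default

backend be_origin_default
    balance roundrobin
    option httpchk GET /healthz
    # verify required + ca-file: refuse origins whose certificate does not
    # chain to the internal CA, so re-encryption is authenticated, not just encrypted
    server origin1 origin1.example.internal:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
    server origin2 origin2.example.internal:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check

backend be_origin_eu
    balance roundrobin
    option httpchk GET /healthz
    server eu1 eu1.example.internal:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check

backend be_origin_api
    # Sticky sessions by inserted cookie, for stateful API nodes (assumed need)
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server api1 api1.example.internal:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem cookie api1 check
    server api2 api2.example.internal:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem cookie api2 check
```

Two checks worth running before trusting this: `haproxy -c -f /etc/haproxy/haproxy.cfg` validates the syntax, and `ss -ltnp` should show port 443 bound on all interfaces but 6081 and 8080 only on 127.0.0.1; a plaintext listener that accidentally binds `*:8080` is the usual way this design leaks. The `verify required` option on every origin server is what prevents a spoofed origin from receiving decrypted traffic, and it is the setting most often weakened to `verify none` during troubleshooting and then forgotten.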
