Score:0

Configure varnish with cloudflare along with SSL terminator

Our present scenario: [image: Present Scenario]

Now, we are planning to create a cache server between the user and the site. [image: Proposed Plan]

As per my understanding, cache servers can't work with HTTPS data. So, we have to convert the data from HTTPS to HTTP. For this reason, we can use two SSL terminations for this conversion. [image: Varnish with SSL termination]

I can configure the SSL between the user and the Varnish server. But I am not understanding how I will configure the termination between Varnish and Cloudflare for the HTTPS to HTTP conversion.

Score:0
Currently Varnish Cache, the open source version of Varnish, doesn't support TLS.

You can offload incoming TLS requests from the client using a TLS proxy like Hitch. See https://www.varnish-software.com/developers/tutorials/terminate-tls-varnish-hitch/ for a tutorial on how to install & configure it.

However, Varnish doesn't support backend TLS connections either. This means the connection between Varnish and Cloudflare will also happen over plain HTTP.

Transmitting protocol information to the other servers

Given that all traffic is transmitted over plain HTTP once the TLS connection is terminated by your TLS proxy, the metadata about the initial client connection needs to be transmitted.

My initial suggestion would be to enable the PROXY protocol on all proxy servers in the chain. This means:

  • Enable a PROXY protocol listening interface on Varnish
  • Send traffic from Hitch to Varnish over the PROXY protocol
  • Send traffic from Varnish to Cloudflare over the PROXY protocol

This ensures that client connection information is accounted for across all hops.

But just to be safe, I would also set the X-Forwarded-Proto header in Varnish based on the PROXY information. See https://www.varnish-software.com/developers/tutorials/terminate-tls-varnish-hitch/#retrieve-tls-information-with-vmod_proxy for the exact VCL code to get it done.

See https://developers.cloudflare.com/fundamentals/get-started/reference/http-request-headers/#x-forwarded-proto for Cloudflare's take on X-Forwarded-Proto.

If you have a Cloudflare enterprise plan, you can also receive PROXY protocol requests in Cloudflare. See https://developers.cloudflare.com/spectrum/how-to/enable-proxy-protocol/ for more info.

Just add the .proxy_header = 2; attribute to your backend in default.vcl to enable the PROXY protocol for backend connections.

If you don't have a Cloudflare enterprise plan, maybe using X-Forwarded-Proto is the way to go.

TLS support in Varnish Enterprise

If you want to have end-to-end TLS support in Varnish, you can purchase a subscription with Varnish Software for the Varnish Enterprise product.

See https://docs.varnish-software.com/varnish-enterprise/features/backend-ssl/ for documentation about backend TLS support in Varnish Enterprise.

See https://docs.varnish-software.com/varnish-enterprise/features/core-ssl/ for in-core TLS support in Varnish Enterprise.
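The following VCL is an added example of the setup the answer above describes, not code from the answerer or from the linked tutorials. It assumes Hitch is configured with `write-proxy-v2 = on` and a `backend` pointing at a Varnish listener started with `-a 127.0.0.1:8443,PROXY`, and it uses the placeholder hostname `origin.example.com` for the next hop. The backend definition carries the `.proxy_header = 2;` attribute from the answer, and `vcl_recv` derives X-Forwarded-Proto from vmod_proxy (`proxy.is_ssl()`, available in Varnish Cache 6.0 and later) rather than from anything the client sent, so a client cannot spoof the header on the plain-HTTP leg.

```vcl
vcl 4.1;

import proxy;

# Next hop (Cloudflare, or any upstream that accepts PROXY protocol v2).
# Hostname is a placeholder; the connection itself is plain HTTP.
backend cloudflare {
    .host = "origin.example.com";
    .port = "80";
    .proxy_header = 2;
}

sub vcl_recv {
    set req.backend_hint = cloudflare;

    # Always overwrite X-Forwarded-Proto from the PROXY metadata that
    # Hitch sent, so the value reflects the real client connection and
    # not a header the client chose to include.
    if (proxy.is_ssl()) {
        set req.http.X-Forwarded-Proto = "https";
    } else {
        set req.http.X-Forwarded-Proto = "http";
    }
}
```

If the upstream does not accept the PROXY protocol (for example without the Cloudflare enterprise plan mentioned above), drop the `.proxy_header` line and keep the X-Forwarded-Proto logic; the header then becomes the only carrier of the original scheme, which is why it should be set unconditionally rather than only when absent.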
