What SSL termination Tool would you recommend using to work with Varnish (HAProxy, Nginx, something else)?


#1

Hello, Gurus,

Based on your experience, what SSL termination tool would you recommend using to work with Varnish (HAProxy, Nginx, something else)?

The idea is to terminate SSL > and pass it to Varnish > then pass to Apache server. > website 1 & website 2

My current setup: Centos 7, Varnish 4.1.3 (port 80) > Apache 2.4.6 > website 1 & website 2
( I use Webmin as control panel and SSH)

  1. With the above setup (when SSL termination will be added), what method/tool would you recommend for getting/renewing SSL certificates?

  2. Would you recommend getting separate SSL certificates for each domain or 1 certificate for all domains (I have 2 domains in total)?

Thank you!


#2
  1. Since Varnish only handles HTTP, I’d use Nginx to terminate the SSL.

  2. Since you are on Centos 7, I’d suggest the default certbot client.

  3. That depends if the domains are related. If they are, then yes I’d use a single cert. That’s down to personal choice though.


#3

RE: question 1, since you are using Varnish 4.1+ you might consider leveraging the PROXY protocol that is present in Varnish 4.1+ as well as HAProxy. One of the advantages of this approach is that it requires less fiddly header consultation to determine the original client IP from the TLS connection from Varnish/Apache (e.g. see this guide). It is also supported by other server daemons & TLS terminators.

I concur with @serverco on questions 2 & 3.


#4

Thanks for the answers!

When you say “domains are related” do you mean the domain and a sub-domain? They are different domains for completely different websites, but they both belong to me and they are on the same Apache server. Both domains are pointed to the same public IP of my VPS and Apache redirects the traffic accordingly, so I’m not sure if my domains are related…


#5

It’s a personal choice … if they were example.com and example.de and sub.example.co.uk I’d probably put them on the same cert. If they were something.com and nothing.io I’d probably do them separately.
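Following up on the certbot suggestion in #2 and the single-certificate-for-both-domains option discussed in #5, here is an added example of the renewal glue a practitioner needs when the terminator is HAProxy (my own script, not from the thread, certbot or HAProxy). certbot writes `fullchain.pem` and `privkey.pem` separately, while HAProxy's `bind ... ssl crt FILE` expects one PEM with the chain followed by the key; this deploy hook builds that file atomically with mode 0600, checks that the key in the bundle really matches the leaf certificate, and reloads HAProxy. The webroot path, certificate directory, domain names and hook location are assumptions. `RENEWED_LINEAGE` and `RENEWED_DOMAINS` are the environment variables certbot exports to a `--deploy-hook`.

```shell
#!/bin/sh
# Added example (not from the thread): certbot deploy hook for an HAProxy TLS terminator.
# Issue the certificate once, covering both sites on one lineage (paths/names assumed;
# the webroot is Apache's DocumentRoot, reached through HAProxy -> Varnish -> Apache):
#   certbot certonly --webroot -w /var/www/html \
#       -d site1.example -d site2.example \
#       --deploy-hook /usr/local/sbin/haproxy-deploy.sh
# Afterwards "certbot renew" calls this hook only for lineages it actually renewed,
# with RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/site1.example) exported.
set -eu

HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"   # assumed location

# Concatenate fullchain + privkey into one mode-0600 PEM. The file is written under a
# temporary name and renamed, so a reload never reads a half-written certificate.
# Prints the path of the finished bundle.
build_haproxy_pem() {
    lineage="$1"
    out="$2"
    tmp="${out}.tmp.$$"
    ( umask 077; cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp" )
    chmod 600 "$tmp"
    mv "$tmp" "$out"
    echo "$out"
}

# Sanity check before reloading: the private key in the bundle must belong to the
# leaf certificate, otherwise HAProxy will refuse the file and keep serving the old
# one (or nothing). Returns 0 when the public keys match. Needs the openssl CLI.
pem_key_matches_cert() {
    pem="$1"
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$pem" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Entry point when certbot invokes us; does nothing when sourced or run by hand.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    name=$(basename "$RENEWED_LINEAGE")
    pem=$(build_haproxy_pem "$RENEWED_LINEAGE" "$HAPROXY_CERT_DIR/$name.pem")
    pem_key_matches_cert "$pem"
    systemctl reload haproxy
    logger -t haproxy-deploy "reloaded HAProxy with renewed certificate for ${RENEWED_DOMAINS:-$name}"
fi
```

Whichever terminator you pick, the same two properties matter: the bundle containing the private key must never be world-readable, and the reload must be the last step, after the new material has been validated, so a failed renewal leaves the previous working certificate in service.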


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.