Varnish Administration Console
Overview Installation Getting started Setting up with ssl. FAQ Configuration Properties Changelog Varnish Agent About Changelog Configuration Parameters API Reference Introduction Cache (Varnish instance) Group VCL Parameters Ban User Message Snippet VAC related Super Fast Purger Introduction Setup and Security How to use

Setting up with ssl.

Setting up SSL

Below are the steps to setup a HTTP(S) server in front of the VAC for purposes of SSL termination.

These steps assume no previous installation exist and the certificate and key were copied to /etc/pki/tls/certs/server.crt and /etc/pki/tls/private/server.key respectively.

RHEL and derivatives

Using EPEL

Install the nginx HTTP(S) server:

yum update -y
yum install -y nginx

Backup files:

cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf~
cp /etc/nginx/conf.d/ssl.conf /etc/nginx/conf.d/ssl.conf~
cp /opt/vac/etc/defaults /opt/vac/etc/defaults~

Disable HTTP (optional)

sed -i '/^server {/,/^}/d' /etc/nginx/nginx.conf

Enable SSL reverse-proxy support:

sed -i -e '/^#server/,/#}/{s/^#//}' \
    -e 's,cert.pem,/etc/pki/tls/certs/server.crt,' \
    -e 's,cert.key,/etc/pki/tls/private/server.key,' \
    -e '/root/,/index/c\\tproxy_pass http://127.0.0.1:81/;' \
    /etc/nginx/conf.d/ssl.conf

Update the VAC to bind to localhost on port 81:

sed -i -e 's,^vacListeningHost="0.0.0.0",vacListeningHost="127.0.0.1",' \
    -e 's,^vacListeningPort=80,vacListeningPort=81,' \
    /opt/vac/etc/defaults

Restart the VAC:

systemctl restart vac

Ensure the nginx HTTP(S) server is started on boot:

systemctl is-enabled nginx

Start the nginx HTTP(S) server:

systemctl start nginx

Not using EPEL

Install the Apache HTTP(S) server and mod_ssl:

yum update -y
yum install -y httpd mod_ssl

Backup files:

cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf~
cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf~
cp /opt/vac/etc/defaults /opt/vac/etc/defaults~

Disable HTTP (optional):

sed -i 's,^Listen 80,#&,' /etc/httpd/conf/httpd.conf

Enable SSL reverse-proxy support:

sed -i -e 's,^</VirtualHost>,ProxyPass / http://127.0.0.1:81/ \
  ProxyPassReverse / http://127.0.0.1:81/\n&,' \
    -e 's,localhost.crt,server.crt,' \
    -e 's,localhost.key,server.key,' \
    /etc/httpd/conf.d/ssl.conf

Update the VAC to bind to localhost on port 81:

sed -i -e 's,^vacListeningHost="0.0.0.0",vacListeningHost="127.0.0.1",' \
    -e 's,^vacListeningPort=80,vacListeningPort=81,' \
    /opt/vac/etc/defaults

Restart the VAC:

systemctl start vac

Ensure the Apache HTTP(S) server is started on boot:

systemctl is-enabled httpd

Start the Apache HTTP(S) server:

systemctl start httpd
Manuals
Varnish Live
Varnish Cloud
Varnish Cache Plus
Varnish High Availability
Varnish Administration Console
Varnish Custom Statistics
Varnish Broadcaster
Varnish WAF
News
Varnish Live
Varnish Cache Plus 6.0.3r2
Varnish Cache Plus 6.0.3r1
Varnish Agent 6.2.0
Varnish Cache Plus 4.1.11r1
News archive