Setting up SSL/TLS

Install Hitch

First, install Hitch. This is done via the varnish-plus-addon-ssl package. For RHEL and CentOS:

sudo yum install varnish-plus-addon-ssl

For Debian and Ubuntu:

sudo apt-get install varnish-plus-addon-ssl

Configure Hitch

Update the following settings in /etc/hitch/hitch.conf:

# Listen on 443
frontend = {
    host = "*"
    port = "443"
}

# Forward to the VAC host on port 80 (the VAC address goes between the brackets)
backend = "[]:80"

# Use this cert
pem-file = "/etc/hitch/vac.pem"

# Disable proxy protocol
write-proxy-v2 = off

Leave any other settings at their default values.

To create a pem file, concatenate your private key, domain certificate, and optionally your CA certificate into a single pem file.
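As an added example (not part of this page or of Hitch itself), the POSIX sh helper below assembles the pem file in the order just described and sanity-checks the result before pem-file is pointed at it; the function names and file paths are assumptions.

```shell
#!/bin/sh
# make_hitch_pem KEY CERT [CA] OUT
# Builds the bundle in the order described above: private key, then the
# domain certificate, then (optionally) the CA certificate. Written under a
# restrictive umask because the bundle contains the private key.
make_hitch_pem() {
    key="$1"; cert="$2"
    if [ "$#" -eq 4 ]; then ca="$3"; out="$4"; else ca=""; out="$3"; fi
    (
        umask 077
        if [ -n "$ca" ]; then cat "$key" "$cert" "$ca" > "$out"; else cat "$key" "$cert" > "$out"; fi
    )
    check_hitch_pem "$out"
}

# Sanity-checks a bundle: exactly one private key, at least one certificate,
# the key first, and (when openssl is installed) the key actually belongs to
# the first certificate in the file. Returns non-zero on the first failure.
check_hitch_pem() {
    pem="$1"
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$pem" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true)
    [ "$keys" -eq 1 ] || { echo "$pem: expected 1 private key, found $keys" >&2; return 1; }
    [ "$certs" -ge 1 ] || { echo "$pem: no certificate found" >&2; return 1; }
    case "$(grep -- '-----BEGIN' "$pem" | head -n 1)" in
        *"PRIVATE KEY"*) ;;
        *) echo "$pem: private key must come before the certificates" >&2; return 1 ;;
    esac
    if command -v openssl >/dev/null 2>&1; then
        # Both commands emit the SubjectPublicKeyInfo; they must be identical.
        cert_pub=$(openssl x509 -in "$pem" -noout -pubkey) || return 1
        key_pub=$(openssl pkey -in "$pem" -pubout) || return 1
        [ "$cert_pub" = "$key_pub" ] || { echo "$pem: private key does not match certificate" >&2; return 1; }
    fi
}
```

A typical call is `make_hitch_pem /etc/ssl/private/vac.key /etc/ssl/certs/vac.crt /etc/ssl/certs/ca.crt /etc/hitch/vac.pem`; afterwards give the file to the hitch user and restart the service.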

Enable and Start Hitch

Run the following commands:

sudo systemctl enable hitch
sudo systemctl start hitch

Set up the Varnish Agent to register over SSL/TLS

To register over SSL/TLS, change the -z parameter from http:// to https://.

Set up the Varnish Agent to listen on SSL/TLS

Even after registering over https://, the Varnish Agent still listens for its commands in plaintext. To upgrade that listener to SSL/TLS, add the -crt and -key parameters to its service file:

ExecStart=/usr/bin/varnish-agent -z https://[vac]/api/rest/register -crt /path/to/server.crt -key /path/to/private.key