Varnish Administration Console

Setting up SSL

Below are the steps to set up an HTTP(S) server in front of the VAC for SSL termination.

These steps assume no previous installation exists and that the certificate and key were copied to /etc/pki/tls/certs/server.crt and /etc/pki/tls/private/server.key respectively.

RHEL and derivatives

Using EPEL

Install the nginx HTTP(S) server:

yum update -y
yum install -y nginx

Back up files:

cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf~
cp /etc/nginx/conf.d/ssl.conf /etc/nginx/conf.d/ssl.conf~
cp /opt/vac/etc/defaults /opt/vac/etc/defaults~

Disable HTTP (optional):

sed -i '/^server {/,/^}/d' /etc/nginx/nginx.conf

Enable SSL reverse-proxy support:

sed -i -e '/^#server/,/#}/{s/^#//}' \
    -e 's,cert.pem,/etc/pki/tls/certs/server.crt,' \
    -e 's,cert.key,/etc/pki/tls/private/server.key,' \
    -e '/root/,/index/c\\tproxy_pass http://127.0.0.1:81/;' \
    /etc/nginx/conf.d/ssl.conf

Update the VAC to bind to localhost on port 81:

sed -i -e 's,^vacListeningHost="0.0.0.0",vacListeningHost="127.0.0.1",' \
    -e 's,^vacListeningPort=80,vacListeningPort=81,' \
    /opt/vac/etc/defaults

Restart the VAC:

systemctl restart vac

Ensure the nginx HTTP(S) server is started on boot:

systemctl enable nginx

Start the nginx HTTP(S) server:

systemctl start nginx

Not using EPEL

Install the Apache HTTP(S) server and mod_ssl:

yum update -y
yum install -y httpd mod_ssl

Back up files:

cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf~
cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf~
cp /opt/vac/etc/defaults /opt/vac/etc/defaults~

Disable HTTP (optional):

sed -i 's,^Listen 80,#&,' /etc/httpd/conf/httpd.conf

Enable SSL reverse-proxy support:

sed -i -e 's,^</VirtualHost>,ProxyPass / http://127.0.0.1:81/ \
  ProxyPassReverse / http://127.0.0.1:81/\n&,' \
    -e 's,localhost.crt,server.crt,' \
    -e 's,localhost.key,server.key,' \
    /etc/httpd/conf.d/ssl.conf

Update the VAC to bind to localhost on port 81:

sed -i -e 's,^vacListeningHost="0.0.0.0",vacListeningHost="127.0.0.1",' \
    -e 's,^vacListeningPort=80,vacListeningPort=81,' \
    /opt/vac/etc/defaults

Restart the VAC:

systemctl restart vac

Ensure the Apache HTTP(S) server is started on boot:

systemctl enable httpd

Start the Apache HTTP(S) server:

systemctl start httpd
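
Verifying the result (added example, not part of the original VAC documentation): sed -i exits successfully even when none of its patterns matched, which would leave the VAC listening in cleartext on all interfaces, so the checks below read the edited files back. The function names are illustrative, and the defaults file is assumed to use the key=value lines targeted by the sed commands above.

```shell
#!/bin/sh
# Added example: verify the result of the sed edits on this page.
# sed -i exits 0 even when no pattern matched, so inspect the files themselves.

# Print the last uncommented value of KEY ($1) in FILE ($2), quotes stripped.
conf_value() {
    sed -n 's/^[[:space:]]*'"$1"'="\{0,1\}\([^"#[:space:]]*\).*/\1/p' "$2" | tail -n 1
}

# True only if the VAC defaults file binds to loopback on port 81.
vac_bind_ok() {
    [ "$(conf_value vacListeningHost "$1")" = "127.0.0.1" ] &&
    [ "$(conf_value vacListeningPort "$1")" = "81" ]
}

# True only if an uncommented nginx proxy_pass or Apache ProxyPass
# directive forwards to the VAC on 127.0.0.1:81.
proxy_ok() {
    grep -Eq '^[[:space:]]*(proxy_pass|ProxyPass[[:space:]]+/)[[:space:]]+http://127\.0\.0\.1:81/' "$1"
}

# True only if uncommented lines reference this page's certificate and key.
cert_ok() {
    grep -Eq '^[[:space:]]*[^#[:space:]].*/etc/pki/tls/certs/server\.crt' "$1" &&
    grep -Eq '^[[:space:]]*[^#[:space:]].*/etc/pki/tls/private/server\.key' "$1"
}

# Run all checks: $1 = VAC defaults file, $2 = nginx or Apache ssl.conf.
check_all() {
    rc=0
    vac_bind_ok "$1" || { echo "FAIL: VAC not bound to 127.0.0.1:81 in $1" >&2; rc=1; }
    proxy_ok "$2"    || { echo "FAIL: no active proxy to 127.0.0.1:81 in $2" >&2; rc=1; }
    cert_ok "$2"     || { echo "FAIL: server.crt/server.key not active in $2" >&2; rc=1; }
    return $rc
}
```

After the sed steps and before starting the services, source the file and run check_all /opt/vac/etc/defaults /etc/nginx/conf.d/ssl.conf (or /etc/httpd/conf.d/ssl.conf for Apache); a non-zero exit status means at least one edit did not take effect.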