Varnish Cache Plus

Backend SSL/TLS

Description

Varnish Cache Plus 4.0 and later supports SSL/TLS on backend connections. Any miss, pass or piped request that Varnish Plus forwards to a backend/origin server is then sent over the network as an encrypted HTTPS request.

The typical deployment is a set of caches distributed around the world, close to the end users, fetching from a central origin over networks the operator does not control. Encrypting the backend connection ensures that internal session data crossing those networks is not readable by any third party.

VCL example

VCL code:

backend default {
    .host = "backend.example.com";
    .port = "https";         # Defaults to "https" (443) when .ssl is set
    .ssl = 1;                # Turn on SSL/TLS for this backend
    .ssl_sni = 1;            # Send the SNI extension in the handshake
    .ssl_verify_peer = 1;    # Verify the peer's certificate chain
    .ssl_verify_host = 1;    # Check the peer's certificate against the backend host name
}
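Turning on .ssl encrypts the connection, but only the two verify options make Varnish reject a certificate that was not issued for the origin, which is what stops an on-path attacker from terminating the TLS session with a certificate of their own. The following VCL is an added example written for this page, not code from the Varnish Plus documentation; the backend names and the host name origin.example.internal are assumptions. It shows the weak setting beside the corrected one and selects the corrected backend for all requests.

```vcl
vcl 4.0;

# WEAK: encrypted but not authenticated. .ssl is on, but with both
# verify options off any certificate is accepted, so an attacker who can
# redirect the TCP connection (DNS, BGP, a compromised router) can
# present their own certificate and read or modify the traffic.
# Shown for contrast only; do not route traffic to it in production.
backend origin_unverified {
    .host = "origin.example.internal";   # assumed host name
    .port = "https";
    .ssl = 1;
    .ssl_sni = 1;
    .ssl_verify_peer = 0;   # no chain validation
    .ssl_verify_host = 0;   # no host name check
}

# CORRECT: encrypted and authenticated. The certificate chain must
# validate and the certificate must be issued for the backend host name,
# so a substituted certificate makes the fetch fail (a backend error)
# instead of silently succeeding.
backend origin {
    .host = "origin.example.internal";   # assumed host name
    .port = "https";
    .ssl = 1;
    .ssl_sni = 1;
    .ssl_verify_peer = 1;
    .ssl_verify_host = 1;
}

sub vcl_recv {
    # Route every fetch through the verified backend.
    set req.backend_hint = origin;
}
```

A useful operational check is to watch for backend fetch failures in varnishlog after deploying the verified configuration: a chain or host name mismatch with verification on shows up as failed fetches, whereas with verification off the same misconfiguration (or attack) goes unnoticed.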

Installation

Support for backend SSL/TLS is built into the supported versions of Varnish Cache Plus and requires no extra installation steps.

Backend SSL/TLS introduces a dependency on OpenSSL, which is maintained and updated through the operating system's package manager. When using this functionality it is important to follow security best practices and keep the system updated so that fixes to the TLS library are picked up. Since varnishd uses the shared OpenSSL library, restart it after the library has been upgraded; the running process otherwise keeps using the old copy, and confidentiality of backend traffic may be lost.

Availability

Backend SSL/TLS support was added to Varnish Plus starting from Varnish Cache Plus 4.0.3r3, and is also available in the Varnish Cache Plus 4.1 series.