Varnish Cache Plus

Backend SSL/TLS

Description

Varnish Cache Plus supports SSL/TLS on backend connections. This means that any miss, pass or pipe request handled by Varnish Plus is sent to the backend/origin server as an encrypted HTTPS request when it crosses the network.

VCL example

backend default {
	.host = "backend.example.com";
	.port = "443";
	.ssl = 1;				# Turn on SSL support
	.ssl_sni = 1;			# Use SNI extension  (default: 1)
	.ssl_verify_peer = 1;	# Verify the peer's certificate chain (default: 1)
	.ssl_verify_host = 1;	# Verify the host name in the peer's certificate (default: 0)
}

Backend SSL/TLS usage is enabled by setting .ssl = 1 in the backend definition. The port used will default to 443 unless set explicitly.

By default the connections include an SNI extension name during negotiation. The name defaults to the .host attribute, unless the .host_header attribute is set, in which case that is used instead.

Configuration

  • .ssl

    Set this true (1) to enable SSL/TLS for this backend.

  • .ssl_sni [default: 1]

    Set this to false (0) to disable the use of the Server Name Indication (SNI) extension for backend TLS connections. SNI allows a backend to serve multiple TLS domains over a single IP and port. The SNI name defaults to the backend .host value, unless .host_header is defined, in which case it will be used as the SNI name.

  • .ssl_verify_peer [default: 1]

    Set this to false (0) to disable verification of the peer's certificate chain. This allows a backend to use a self-signed certificate.

  • .ssl_verify_host [default: 0]

    Set this to true (1) to enable verification of the peer's certificate identity. The identity in the certificate is verified against the name configured in the .host attribute, unless .host_header is set, in which case that is used instead. If disabled, a backend may present a certificate whose identity does not match the configured name.

  • .host_header

    A Host header to add to probes and regular backend requests if they have no such header. Also used for SNI and certificate host verification.

If running a custom CA, the certificates used to verify the connections can be changed by setting the SSL_CERT_FILE and SSL_CERT_DIR environment variables. SSL_CERT_FILE can point to a single PEM file containing a chain of certificates, while SSL_CERT_DIR can be a comma-separated list of directories containing PEM files with symlinks named by their hash (see the man page of c_rehash from the OpenSSL library for more information).
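The following is an added example, not VCL from the original page: it places a backend that relies on the defaults described above beside one that also enables host-name verification and supplies the name via .host_header. The addresses and host names are placeholders.

```vcl
vcl 4.0;

# Relies on the defaults: the chain is checked (.ssl_verify_peer = 1),
# but the certificate's identity is not (.ssl_verify_host defaults to 0),
# so any certificate from a trusted CA is accepted for this backend.
backend origin_default_checks {
    .host = "origin.example.com";   # placeholder
    .port = "443";
    .ssl = 1;
}

# Hardened variant: the backend is reached by address, so .host_header
# supplies the SNI name and the name the certificate must match.
backend origin_hardened {
    .host = "192.0.2.10";                 # placeholder origin address
    .port = "443";
    .host_header = "origin.example.com";  # placeholder; SNI + identity check
    .ssl = 1;
    .ssl_sni = 1;                         # default, shown for clarity
    .ssl_verify_peer = 1;                 # default, reject untrusted chains
    .ssl_verify_host = 1;                 # not the default: check the name too
    .probe = {
        .url = "/";                       # probes also get the Host header above
        .interval = 5s;
        .timeout = 2s;
        .window = 5;
        .threshold = 3;
    }
}
```

With a custom CA, point SSL_CERT_FILE or SSL_CERT_DIR at the issuing chain in the varnishd environment; a hardened backend whose CA is not in that set will be marked sick by the probe rather than served.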

Installation

Support for backend SSL/TLS is built into supported versions of Varnish Cache Plus and does not require any extra installation steps.

Backend SSL/TLS introduces a requirement for OpenSSL, which is maintained and updated through the operating system. When using this functionality it is important to follow security best practices and keep the system updated to avoid loss of confidentiality.

Availability

Backend SSL/TLS support was added to Varnish Plus starting from Varnish Cache Plus 4.0.3r3, and is also available in all versions of Varnish Cache Plus 4.1 and 6.0.