Search
Varnish Cache Plus

In-Process TLS

Description

In-Process TLS termination offers lower latency, improves data throughput (over 150Gbps), and removes the need for a separate TLS terminator greatly simplifying network topography.

Configuration


in-core-tls.png

In-Process Varnish port configuration


Configuring TLS in Varnish is done in a separate configuration file, which is passed to Varnish via the -A parameter.

The configuration file format is based on Hitch’s config file. If you have an existing Hitch configuration file, this can be passed to Varnish and should work out of the box.

Note: Varnish currently implements a subset of the settings available in Hitch. Not yet implemented configuration settings will be ignored.

The Varnish TLS configuration file consists of a series of option assignments. Some options (pem-file, frontend) can be be set several times, and the effect is that multiple certificate files and listen endpoints are defined. Other options can only be assigned once.

The hash mark, or pound sign (#), is used as a comment character. You can use it to annotate your config file. All text after the comment character to the end of the line is ignored. Empty lines are ignored.

An example minimal config may look like the following:

  frontend = {
      host = ""
      port = "443"
  }

  pem-file = "/etc/varnish/certs/mycert.pem"

Options

Options can either be in the top level of the configuration file (global scope), or inside a frontend block. Options inside a frontend block only affect the frontend, while options in the top level sets defaults for all frontends.

Unless otherwise noted below, options can only be used in the top level.

frontend

This specifies the port and interface (the listen endpoint) that Varnish binds to when listening for connections. It is possible to define multiple frontends, and Varnish will bind to multiple ports and/or multiple interfaces.

If the host is specified as "*" or the empty string (""), Varnish will bind on all interfaces for the given port.

A frontend can be specified either in a single line:

	frontend = "[HOST]:PORT"

Or in a frontend block:

    frontend = {
        host = "HOST"
        port = "PORT"
        <other frontend options>
    }

Multiple frontend definitions are permitted. If Varnish is configured with a TLS configuration file, at least one frontend definition is required.

pem-file

Specifies an x509 certificate file. Can be specified multiple times to load multiple certificates.

pem-file can either be specified in a single line, where the certificate, private key and optionally DH parameters are concatenated into a single file,

   pem-file = "/path/to/cert.pem"

or supplied as separate files in a pem-file block,

   pem-file = {
       cert = "/path/to/chain.pem"
       private-key = "/path/to/priv.pem"
       dhparam = "/path/to/dhparam.pem"
   }

The certificate must be in PEM format, and must be sorted starting with the subject’s certificate first, followed by the intermediate CA certificate(s) if applicable.

Specifying DH parameters is recommended. These should be generated by running

   $ openssl dhparam -out dh.pem 2048

Multiple certificates can be loaded by specifying multiple pem-file definitions. Varnish will use Server Name Indication (SNI) to decide which certificate is used.

If we are unable to find a match using SNI, or if the client did not specify an SNI extension, the certificate specified last will be used as a fallback (see also sni-nomatch-abort).

If pem-file is specified inside of a frontend block, the certificate is only available for connections coming in via that endpoint.

Note: A restart of Varnish is required to update certificates.

ciphers

Specifies the list of ciphers to be used for secure communication. Each cipher in the list must be separated by a colon (:), in order of preference.

See ciphers(1) for further description of the format.

This option applies to TLSv1.2 and below. For TLSv1.3, see ciphersuites.

This option is also available in a frontend block.

ciphersuites

Specifies available ciphersuites for TLSv1.3. Similar to ciphers, entries must be separated by colon (:) and sorted in order of preference, e.g,

   ciphersuites = "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256"

This option is also available in a frontend block.

prefer-server-ciphers

Specifies whether the server’s order of ciphers should be enforced. true means the server chooses, false means the client chooses.

This option is also available in a frontend block.

tls-protos

The SSL/TLS protocols to be used. This is an unquoted list of tokens. Available tokens are SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3.

The default setting is:

   tls-protos = TLSv1.2 TLSv1.3

This option is also available in a frontend block.

ecdh-curve

Sets the list of supported TLS curves.

   ecdh-curve = "X25519:prime256v1:secp384r1"

sni-nomatch-abort

Setting this to true will abort the connection when the client submits an unrecognized SNI server name.

This option is also available in a frontend block.

ssl-engine

Sets an openssl engine. This is used with an SSL accelerator card. See the OpenSSL documentation for legal values.

match-global-certs

Only available in a frontend block. Specifies whether SNI matches should be limited to certificates specified in the same frontend block or not.

Defaults to true if there are no certificates specified for a frontend, otherwise false.

Availability

In-process TLS was added to Varnish Enterprise starting from version 6.0.6r2.