Search
Varnish Cache Plus
Overview Installation Upgrading Upgrading to 6.0 Troubleshooting Changelog Changelog for 6.0.x Changes (Varnish Cache 4.1) Changes (Varnish Cache Plus 4.1) Features Backend SSL/TLS Client SSL/TLS termination In-Process TLS MSE 3.0 Settings mkfs.mse Memory Governor MSE 2.0 Parallel ESI Backend health counter HTTP/2 Support JSON Logging Relocation TCP Only Probes Timeouts Varnish scoreboard VMODs ACL (aclplus) Accept Accounting Akamai Connector AWS VCL Brotli Body Access & Transformation (xbody) Cookie Plus (cookieplus) DeviceAtlas Dynamic backends (goto) Edgestash File Format Geolocation (geoip/mmdb) Header Manipulation (Headerplus) JWT HTTP communication (http) JSON parsing (json) Key value storage (kvstore) Least connections director (leastconn) MSE control (mse) Probe Proxy Purge (purge/softpurge) Real-time status (vmod-rtstatus) Reverse DNS (resolver) Rewrite Session SQLite3 Stale Strings (str) Synthetic backends (synthbackend) TCP configuration (tcp) Total Encryption (crypto) Transfer rate limiting (tcp) TLS Unified director object (udo) Uniform Resource Identifier (uri) URL Plus (urlplus) Utils Vsthrottle Tag-based invalidation (Ykey/Xkey)

TLS

Description

vmod-tls lets you query details relating to a TLS connection.

If called from one of the client VCL subroutines (e.g. vcl_recv or vcl_deliver), it will provide details about the client TLS connection.

If called from vcl_backend_response, vmod-tls will show details from the currently established TLS backend connection.

Note that the client-side functionality relies on using Varnish’s native TLS implementation. If you are currently terminating TLS in a separate process (for example using Hitch), you should instead use the PROXY VMOD which offers similar functionality.

Examples

Client connection

The following example will report which TLS version and which cipher is used for the client connection.

import tls;

sub vcl_deliver {
	if (tls.is_tls()) {
		# Report cipher and TLS version as a response header
		set resp.http.tls-version = tls.version();
		set resp.http.tls-cipher = tls.cipher();

		# Alternatively, we can log it
		std.log("tls-version: " + tls.version());
		std.log("tls-cipher: " + tls.cipher());
	}
}

Backend connection

The following example will report information about the backend connection. This is only available from vcl_backend_response.

import tls;

sub vcl_backend_response {
	if (tls.is_tls()) {
		# Report cipher and TLS version as a backend response header
		set beresp.http.be-tls-version = tls.version();
		set beresp.http.be-tls-cipher = tls.cipher();

		# Also log:
		std.log("backend-tls-version: " + tls.version());
		std.log("backend-tls-cipher: " + tls.cipher());
	}
}

Functions

is_tls

BOOL is_tls()

Indicates whether the peer is connected over an SSL/TLS connection.

version

STRING version()

Returns the TLS version in use for this connection. E.g. “TLSv1.2”.

cipher

STRING cipher()

Returns the cipher that was chosen during the TLS handshake.

authority

STRING authority()

Returns the hostname presented for Server Name Indication (SNI).

alpn

STRING alpn()

Returns the result of the Application Layer Protocol Negotiation (ALPN). This will contain one of “http/1.1”, “h2” or NULL if no ALPN happened.

Varnish does not currently do ALPN with its backends, so if used in vcl_backend_response this will always return NULL.

cert_sign

STRING cert_sign()

Certificate signature algorithm. E.g. “SHA256”.

cert_key

STRING cert_key()

The algorithm used to generate the certificate. E.g. “RSA2048”.

Manuals
Varnish Live
Varnish Cloud
Varnish Cache Plus
Varnish High Availability
Varnish Administration Console
Varnish Custom Statistics
Varnish Broadcaster
Varnish WAF
Varnish Controller
News
Varnish HTTP/2 Request Smuggling
Varnish Broadcaster 1.5.2
Varnish Controller 2.0.3
Varnish Cache Plus 6.0.8r3
Varnish Cache Plus 6.0.8r2
News archive