Varnish Cache Plus
Overview Installation Upgrading Upgrading to 6.0 Troubleshooting Changelog Changelog for 6.0.x Changes (Varnish Cache 4.1) Changes (Varnish Cache Plus 4.1) Features Backend SSL/TLS MSE Client SSL/TLS termination Parallel ESI Relocation VMODs ACL (aclplus) Accept Advanced purge (softpurge) Bodyaccess Content Transformation (xbody) Cookie Plus (cookieplus) DeviceAtlas Dynamic backends (goto) Edgestash File Geolocation (geoip) Header manipulation (header) HTTP communication (http) JSON parsing (json) Key value storage (kvstore) Least connections director (leastconn) Purge Real-time status (vmod-rtstatus) Rewrite Session Synthetic backends (synthbackend) Total Encryption (crypto) Transfer rate limiting (tcp) URL Plus (urlplus) Vsthrottle Xkey

Total Encryption (crypto)

Varnish 6.0

Description

Varnish Total Encryption provides cache encryption and a VCL based crypto API. Varnish Total Encryption uses an innovative dual key encryption algorithm with one key securely stored in the Linux kernel and the other key generated from the client request. No keys are ever stored in Varnish or in cache and every object has its own unique key.

Click here to learn more about Varnish Total Encryption.

Example VCL

Memory Encryption

Encrypting malloc, file, and mse (non persistence) using a randomly generated master key.

include "total-encryption/random_key.vcl";

Disk Encryption

Encrypting mse with persistence enabled using a local secret key.

First, generate a new secret key:

$ cat /dev/urandom | head -c 1024 > /etc/varnish/disk_secret
$ sudo chmod 600 /etc/varnish/disk_secret
$ sudo chown root: /etc/varnish/disk_secret

Add the key to the varnishd systemd unit configuration. This allows the disk_secret to be securely read via the varnishd jail configuration:

ExecStart=/usr/sbin/varnishd ... -E /etc/varnish/disk_secret

For more information on how to do this, please see our systemd reference.

Use the secret key to encrypt cache:

include "total-encryption/secret_key.vcl";

Header Encryption

When using one of the above Total Encryption includes, you can optionally encrypt headers with the following VCL:

sub vcl_backend_response {
	# Encrypt beresp.http.Content-Type
	set beresp.http.Content-Type = crypto.hex_encode(crypto.aes_encrypt(beresp.http.Content-Type));
}

sub vcl_deliver {
	# Decrypt resp.http.Content-Type
	if (resp.http.Content-Type != "") {
		set resp.http.Content-Type = crypto.aes_decrypt(crypto.hex_decode(resp.http.Content-Type));
	}
}

Skipping Encryption

Use crypto.aes_skip_response() to skip encryption or decryption in vcl_backend_response or vcl_deliver.

sub vcl_backend_response {
	if (beresp.http.Content-Type ~ "video") {
		crypto.aes_skip_response();
	}
}

Alternate Encryption Cipher

By default Varnish Total Encryption uses Cipher Block Chaining (CBC) AES encryption. On some systems, Propagating Cipher Block Chaining (PCBC) is available hardware accelerated. If so, use the following VCL to use PCBC AES encryption:

sub vcl_init {
	te_opts.set("algorithm", "pcbc(aes)");
}
Manuals
Varnish Live
Varnish Cloud
Varnish Cache Plus
Varnish High Availability
Varnish Administration Console
Varnish Custom Statistics
Varnish Broadcaster
Varnish WAF
News
Varnish Cache Plus 4.1.11r2
Varnish Cache Plus 6.0.3r4
Varnish Administration Console 3.8.2
Varnish Cache Plus 6.0.3r3
Varnish Live
News archive