Varnish Enterprise

In-Process TLS


In-Process TLS termination offers lower latency, improves data throughput (over 150Gbps), and removes the need for a separate TLS terminator greatly simplifying network topography.


In-Process Varnish port configuration

Enabling TLS termination in Varnish is done either by specificing https as an option to the -a paramater (e.g. -a :443,https) or in a separate configuration file, which is passed to Varnish via the -A parameter.


Varnish offers a set of CLI commands for TLS that can be used to load and discard certificates. Changes are performed in two steps, first actions are staged, then they are committed together as a transaction. (You can also specify a number of certificates to load at start in a configuration file with -A, and then do live updates using the CLI)

Listing certificates

Staged and loaded certificates can be listed by running:

$ varnishadm tls.cert.list

tls.cert.list lists the frontend, the state (active or staged), the certificate id and the expiration date. The frontend will be default if not specified when loading the certificate.

Example list:

Frontend State   Hostname                   Certificate ID  Expiration date
default  active                cert0          Feb 29 13:38:00 2042 GMT
default  active            cert0          Feb 29 13:38:00 2042 GMT
default  staged           cert0          Feb 29 13:37:00 2042 GMT

Loading certificates

A certificate is loaded by running:

$ varnishadm tls.cert.load MYID /etc/varnish/certs/mycert.pem

tls.cert.load takes an optional ID that used when discarding certificiates. If not specified it will be generated and can later be found by listing the certificates

See the varnish-cli(7) manual page for more information and additional options.

Discarding certificates

A loaded certificate can be discarded by running:

$ varnishadm tls.cert.discard MYID

Committing or rolling back

Staged changes gets committed by running:

$ varnishadm tls.cert.commit

Uncommitted changes can be rolled back by running:

$ varnishadm tls.cert.rollback

CLI file

The Varnish child needs to be running in order to load certificates over the CLI.

socket.close can be used to prevent any requests before all certificates has been loaded.

Loading a certificate using a CLI file can look as following:

tls.cert.load /etc/varnish/certs/mycert.pem

Configuration file

The configuration file format is based on Hitch’s config file. If you have an existing Hitch configuration file, this can be passed to Varnish and should work out of the box.

Note: Varnish currently implements a subset of the settings available in Hitch. Not yet implemented configuration settings will be ignored.

The Varnish TLS configuration file consists of a series of option assignments. Some options (pem-file, frontend) can be be set several times, and the effect is that multiple certificate files and listen endpoints are defined. Other options can only be assigned once.

The hash mark, or pound sign (#), is used as a comment character. You can use it to annotate your config file. All text after the comment character to the end of the line is ignored. Empty lines are ignored.

An example minimal config may look like the following:

  frontend = {
      host = ""
      port = "443"

  pem-file = "/etc/varnish/certs/mycert.pem"


Options can either be in the top level of the configuration file (global scope), or inside a frontend block. Options inside a frontend block only affect the frontend, while options in the top level sets defaults for all frontends.

Unless otherwise noted below, options can only be used in the top level.


This specifies the port and interface (the listen endpoint) that Varnish binds to when listening for connections. It is possible to define multiple frontends, and Varnish will bind to multiple ports and/or multiple interfaces.

If the host is specified as "*" or the empty string (""), Varnish will bind on all interfaces for the given port.

A frontend can be specified either in a single line:

	frontend = "[HOST]:PORT"

Or in a frontend block:

    frontend = {
        host = "HOST"
        port = "PORT"
        <other frontend options>

Multiple frontend definitions are permitted. If Varnish is configured with a TLS configuration file, at least one frontend definition is required.


Specifies an x509 certificate file. Can be specified multiple times to load multiple certificates.

pem-file can either be specified in a single line, where the certificate, private key and optionally DH parameters are concatenated into a single file,

   pem-file = "/path/to/cert.pem"

or supplied as separate files in a pem-file block,

   pem-file = {
       cert = "/path/to/chain.pem"
       private-key = "/path/to/priv.pem"
       dhparam = "/path/to/dhparam.pem"

The certificate must be in PEM format, and must be sorted starting with the subject’s certificate first, followed by the intermediate CA certificate(s) if applicable.

Specifying DH parameters is recommended. These should be generated by running

   $ openssl dhparam -out dh.pem 2048

Multiple certificates can be loaded by specifying multiple pem-file definitions. Varnish will use Server Name Indication (SNI) to decide which certificate is used.

If we are unable to find a match using SNI, or if the client did not specify an SNI extension, the certificate specified last will be used as a fallback (see also sni-nomatch-abort).

If pem-file is specified inside of a frontend block, the certificate is only available for connections coming in via that endpoint.

Note: To reload certificates you must either perform a restart of Varnish or use the available CLI commands to load/discard certificates.


Specifies the list of ciphers to be used for secure communication. Each cipher in the list must be separated by a colon (:), in order of preference.

See ciphers(1) for further description of the format.

This option applies to TLSv1.2 and below. For TLSv1.3, see ciphersuites.

This option is also available in a frontend block.


Specifies available ciphersuites for TLSv1.3. Similar to ciphers, entries must be separated by colon (:) and sorted in order of preference, e.g,

   ciphersuites = "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256"

This option is also available in a frontend block.


Specifies whether the server’s order of ciphers should be enforced. true means the server chooses, false means the client chooses.

This option is also available in a frontend block.


The SSL/TLS protocols to be used. This is an unquoted list of tokens. Available tokens are SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3.

The default setting is:

   tls-protos = TLSv1.2 TLSv1.3

This option is also available in a frontend block.


Sets the list of supported TLS curves.

   ecdh-curve = "X25519:prime256v1:secp384r1"

client-verify = required|optional|none

Configures client certificate validation. The setting must be either none, required or optional.

The default setting is client-verify = none, in which case Varnish will not send a certificate request to the client.

If client-verify = require is configured, Varnish will only permit connections that present a valid certificate. The certificate will be verified using the CA provided in the client-verify-ca parameter.

If optional, Varnish will send certificate requests, but still permit connections that do not present one.

For settings optional and required, we also require that the client-verify-ca is configured.

This option is also available in a frontend block. If specified in a frontend block, the client verification setting will only apply to the pem-file records for that particular frontend.

client-verify-ca =

Specifies a file containing the certificates of the CAs that will be used to verify a client certificate.

For multiple CAs, this file can be a concatenation of multiple pem-files for the relevant certificate authorities.

This option is also available in a frontend block.


Setting this to true will abort the connection when the client submits an unrecognized SNI server name.

This option is also available in a frontend block.


Sets an openssl engine. This is used with an SSL accelerator card. See the OpenSSL documentation for legal values.


Only available in a frontend block. Specifies whether SNI matches should be limited to certificates specified in the same frontend block or not.

Defaults to true if there are no certificates specified for a frontend, otherwise false.


In-process TLS was added to Varnish Enterprise starting from version 6.0.6r2 and is not supported on EL7 based platforms.

CLI support was added in 6.0.12r5