Why run Varnish on port 80 for an HTTPS only setup? - nginx

In nearly every example I've seen for setting up Varnish with nginx and SSL support, the setup is Varnish running on port 80, nginx on port 443 for SSL termination and nginx running on another port doing the actual work communicating with the backend.
Given most websites now redirect port 80 to 443, what advantage is there in having Varnish running on port 80?
Why wouldn't you have nginx running on port 80, doing the 301 to the HTTPS version, nginx running on port 443 doing the SSL termination and proxying to Varnish, which is running on a different port, with nginx again running on another port doing the actual work?
HTTP: nginx [80] (301)
HTTPS: nginx [443] <> Varnish [6081] <> nginx [8080] <> backend
I really can't see any merit in having Varnish on port 80 front of house just to do a redirect. Unless there's some problem with redirects and the unwanted addition of port numbers to URLs? Maybe adding 3 nginx server blocks is adding "more" work to the setup, but then having to configure Varnish to redirect port 80, unless it's internal, seems like "more" work.
Bonus question: Why is Apache added to the mix in most of these setups when nginx is already in use, and vice versa? They can both handle SSL termination and proxying.

I agree with "why not":
HTTP: nginx [80] (301)
HTTPS: nginx [443] <> Varnish [6081] <> nginx [8080] <> backend
As to why:
HTTP: Varnish [80] (conditional 301, using VCL)
HTTPS: nginx [443] <> Varnish [80] <> nginx [8080] <> backend
The answer is:
1. Legacy reasons. This is just the way to go in the "conditional HTTPS" world (where it is OK to have a website work in both HTTP and HTTPS versions, or no HTTPS version at all), which was just a couple of years ago, before Google, as web monopolist, insisted on all websites having HTTPS or fearing poorer search rankings. It is relatively recently that LetsEncrypt allowed everyone to avail of free certificates, and the aforementioned requirement from Google made so many websites use those. The websites/tutorials for Varnish setup simply did not pick up / adjust ports, as that doesn't strike one as something that needs to be adjusted.
2. Expandability. Think outside the "single server" setup. When you decide to build a stack of Varnishes (CDN), it makes much more sense to keep the "main" Varnish on port 80. (Outside/edge Varnish instances will be talking to the main Varnish, as opposed to talking to the main backend, for a "cache of cache" sort of thing.) The traffic between edge<>main wouldn't be secure, but would have no performance penalty of encryption.

I think we can simplify a bit:
HTTPS: nginx [443] <> Varnish [6081] <> backend
Let Varnish do the caching and avoid the extra Nginx layer.
More simplification:
hitch [443] <> Varnish [6081] <> backend
Hitch: https://hitch-tls.org/

Related

Reroute non-default ports and http to https - Windows server

I have a Windows PC with some Flask webapps running on various ports 5000, 5001, ...
I have mapped subdomains with CNAMEs to point to the server, and Nginx handles the rerouting (correct wording?) to the appropriate ports: x.server.net -> ip:5000, y.server.net -> ip:5001
It works.
Now I want to enable HTTPS, so I would like to redirect users from HTTP to HTTPS.
Further, I discovered that Nginx doesn't handle it when users supply a non-standard port, so x.server.net:5001 actually points to the wrong Flask app. So I would also like to redirect non-default ports to the default (80 or 443, depending on HTTP or HTTPS). Some of the apps don't need HTTPS, so I might mix it.
Can this be done with Nginx, or should I use something else? I found others asking this, but the replies are only for Linux as far as I understand (iptables?).
And last but not least, are redirects a safe approach? Can they be ignored by a malicious client?

What should be best Nginx Cache on top of Nginx Server or Varnish cache on top of Nginx server for small VPS?

I am thinking of installing Varnish Cache on a small VPS. My VPS configuration is 2 core CPU & 2 GB RAM with 50 GB SSD.
I would like to know, on such a small VPS configuration, which of these is best to install:
Varnish Cache, Nginx web server (PHP & MySQL also)
Nginx Cache (for static file caching) on top of the Nginx web server, along with PHP & MySQL
FYI, I also need to install SSL on all virtual hosts. As far as I know, by default Varnish doesn't work with SSL; additional things have to be installed to support it. So if I have to install multiple services on the server to support Varnish Cache, wouldn't it be better to use Nginx only with Nginx cache, remembering that the server specs are low?
I am waiting for an open discussion to find the best solution. Thanks in advance.
Nginx is a great webserver, but isn't a specialized reverse caching proxy. Varnish is specifically built for caching and its caching policies are far more granular.
Components
Use Hitch as your TLS proxy
Use Varnish for caching
Use Nginx as your webserver and connect to Nginx from Varnish
See https://www.varnish-software.com/developers/tutorials/terminate-tls-varnish-hitch/ for a tutorial on how to install Hitch for TLS termination.
See https://www.varnish-software.com/developers/tutorials/#installations for a list of tutorials (per platform and distribution) on how to install Varnish.
Port configuration
Configure Nginx to listen on port 8080
Configure Varnish to listen on port 80
Add an additional listening interface in Varnish on port 8443 for PROXY protocol traffic
Configure Hitch to listen on port 443
Let Hitch connect to Varnish over port 8443 via the PROXY protocol
Let Varnish connect to Nginx over port 8080 via a backend definition
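The port layout above written out as VCL, as an added example that is not part of the original answers or the linked tutorials: it assumes varnishd is started with `-a :80 -a :8443,PROXY` and Hitch with `frontend = "[*]:443"`, `backend = "[127.0.0.1]:8443"` and `write-proxy-v2 = on`, and it also implements the "conditional 301, using VCL" from the first answer, so plain HTTP on port 80 is redirected while TLS traffic arriving through the PROXY listener is cached and forwarded to Nginx on 8080.

```vcl
vcl 4.1;

import std;

# Assumed origin: the Nginx web server from the steps above, on port 8080.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Hitch sends a PROXY header on the 8443 listener, so server.ip carries
    # the address the client really connected to: port 443 for TLS traffic,
    # port 80 for plain HTTP that hit Varnish's own listener.
    if (std.port(server.ip) != 443) {
        # Plain HTTP: redirect to the HTTPS URL without consulting the
        # cache or the backend. Overwrite the header so a client cannot
        # inject its own Location value.
        set req.http.x-redir = "https://" + req.http.host + req.url;
        return (synth(301, "Moved Permanently"));
    }

    # Nginx only ever sees plaintext on 8080; tell it the original scheme
    # so that absolute links and cookies are generated for https://.
    set req.http.X-Forwarded-Proto = "https";
}

sub vcl_synth {
    if (resp.status == 301 && req.http.x-redir) {
        set resp.http.Location = req.http.x-redir;
        return (deliver);
    }
}

sub vcl_deliver {
    # Everything that reaches vcl_deliver came in over TLS (HTTP was
    # redirected in vcl_recv), so HSTS can be added to hits and misses alike.
    set resp.http.Strict-Transport-Security = "max-age=15552000";
}
```

Port 80 on the public interface is then reachable only for the redirect; port 8443 should be bound to localhost (or firewalled) because anyone who can reach it can forge the PROXY header and claim to have arrived on 443.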

How can I redirect NON HTTP/NON HTTPS traffic to a specified IP with Nginx?

I have a website and a game server.
I have a domain which I connected to Cloudflare.
I want to redirect non-HTTP/HTTPS traffic to my server IP, because when I try to connect to the server with the domain I can't, because of the Cloudflare proxy.
Maybe it can be done differently?
I use Nginx.
Cloudflare has its own SSL configuration.
There are 4 options for you:
Off: disables HTTPS completely.
Flexible: Cloudflare will automatically switch client requests from HTTP to HTTPS, but it still points to port 80 on your nginx server, so you should not configure SSL on nginx in this case.
So the only options for you are Full or Full Strict (more restrictive on the cert configured on nginx; it must be a valid cert).
With Full you can configure your nginx with a self-signed SSL cert and let it go. Cloudflare will handle the part between the client and its proxy server.

Redirect HTTPS request to HTTP (varnish) and then backend server HTTPS

My current configuration is like this:
1. Nginx listening on ports 8080 and 443
2. Varnish listening on port 80
Currently, when requests are made through HTTP they are delivered through Varnish, but when requests are made through HTTPS Varnish doesn't deliver them.
My goal is to put Varnish between the client and the Nginx web server (or make Varnish work with port 443).
Reading through articles and answers on StackOverflow, I tried to set up a reverse proxy from 443 to 80 (or 8080 maybe?).
I followed these article(s):
https://www.smashingmagazine.com/2015/09/https-everywhere-with-nginx-varnish-apache/
https://serverfault.com/questions/835887/redirect-http-to-https-using-varnish-4-1
The problem is that when I try to set these up, I get a 502 bad request error, and sometimes the default Nginx page.
PS: I'm trying to set this up using a virtual server block, not the default server.
PS2: I also need to deliver the final web page through HTTPS whether the request was made through HTTP or HTTPS (but I get a "too many redirects" error).
PS3: I'm using Cloudflare
The basic concept is to sandwich Varnish between an entity handling SSL and a back-end server working on port 8080, or whatever you choose.
Here's the traffic flow:
user 443 > front-end proxy for SSL offloading 443 > Varnish 80 > nginx 8080.
Now your options for the front-end proxy are:
1. A load balancer supporting SSL termination / offloading.
2. Nginx or Apache working as a proxy to receive traffic on 443 and forward it on port 80 to Varnish.
Error 502 means your Varnish is having issues connecting to your backend; please check varnish.vcl.

What is the best way to cluster varnish?

I need to have 3 Varnish instances. I followed this guide, creating-varnish-cluster, and now I have these systems:
3 servers that run Varnish; each Varnish has a VCL like this: vcl-cluster
1 backend server that contains the application and Nginx for load balancing between the Varnish servers, with this Nginx config: nginx-config
Requests are received by Nginx and pass through Varnish, but the Varnish servers can't forward the request to the backend. When I call the backend directly, it works perfectly.
How can I fix this issue? And is there any better solution for Varnish scaling (except Varnish Plus :D)?
server.identity is the hostname of the machine, by default. I assume your machines are not called node1, node2 and node3, so you need to edit your VCL to reflect that.
