We get a lot of questions about TLS and Varnish, and we’ve long been touting our TLS proxy, Hitch, as the best way to terminate TLS in front of Varnish. Hitch is a lightweight, high-performance TLS proxy that is entirely dedicated to TLS termination. This makes Hitch a tiny and performant tool that can be used anywhere, including in front of Varnish. One of its main features is the PROXY protocol, which is capable of capturing and transporting information about the original connection, regardless of the number of proxies it passes through.
Hitch can connect to Varnish using the PROXY protocol, and send the original client IP address. Varnish will capture this address and store its value inside the X-Forwarded-For header. This ensures that the origin, or any other system that sits behind Varnish, can get the original client IP address by using the X-Forwarded-For header.
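As an added illustration of what Hitch hands to Varnish (example code, not from the Hitch or Varnish projects): a small Python parser for the text form (version 1) of the PROXY protocol header, followed by the X-Forwarded-For update Varnish applies once it knows the original client address. The sample header bytes are constructed; Hitch can also emit the binary version 2 header, which this parser does not handle.

```python
import ipaddress
import re

# Version 1 PROXY protocol header, as a TLS proxy such as Hitch can prepend to
# the connection it opens to Varnish:
#   "PROXY TCP4 <client-ip> <proxy-ip> <client-port> <proxy-port>\r\n"
# Only the text form (v1) is parsed here; Hitch can also send the binary v2 form.
_V1_HEADER = re.compile(
    rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d+) (\d+))?\r\n"
)
_V1_MAX_LEN = 107  # longest legal v1 header including CRLF

def parse_proxy_v1(data: bytes):
    """Return (client_ip, remaining_bytes).

    client_ip is None when no header is present or the family is UNKNOWN.
    A malformed header raises ValueError: a listener that trusts PROXY input
    must reject it rather than guess at a client address.
    """
    if not data.startswith(b"PROXY "):
        return None, data
    match = _V1_HEADER.match(data[:_V1_MAX_LEN])
    if match is None:
        raise ValueError("malformed PROXY v1 header")
    family, src, _dst, src_port, dst_port = match.groups()
    rest = data[match.end():]
    if family == b"UNKNOWN":
        return None, rest  # proxy could not determine the original endpoints
    if src is None:
        raise ValueError("missing addresses in PROXY v1 header")
    client = ipaddress.ip_address(src.decode("ascii"))  # raises on garbage
    if (family == b"TCP4") != (client.version == 4):
        raise ValueError("PROXY address family does not match address")
    if not all(0 <= int(p) <= 65535 for p in (src_port, dst_port)):
        raise ValueError("PROXY port out of range")
    return str(client), rest

def forwarded_for(existing_xff, client_ip: str) -> str:
    """Mirror Varnish: append client.ip to an incoming X-Forwarded-For, or create it.

    Because the original client can send any X-Forwarded-For it likes, only the
    last, proxy-supplied element is trustworthy; the origin should read that one.
    """
    if existing_xff:
        return f"{existing_xff}, {client_ip}"
    return client_ip
```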
With Hitch, you also get access to a range of TLS features and tunables, leveraging the underlying OpenSSL library.
While some users are just looking for ways to terminate TLS in front of Varnish, many users who are already familiar with Hitch have wondered how they might get more direct access to it, and we wanted to make that easier. Most users want to get Hitch directly from the source without waiting for distribution maintainers to bundle it up.
We also get daily questions about official Docker images. Docker containers have become a key element in building modern apps and microservices.
With the recent release of Hitch 1.6, we’ve responded to these questions as well as adding other security-related features, including mutual TLS.
New Hitch packages: Hitch 1.6 cuts out the middleman
In the past, when we released a new version of Hitch for the open source community, we developed the source code and sent it out into the world, relying on the maintainers of each distribution (Debian, BSD, Ubuntu) to bundle it up so users could install it easily. There’s nothing inherently wrong with this setup -- it works very well at scale. But different distributions make different promises about stability, which means you can’t always count on getting the latest and greatest version from the stock packages. Getting it straight from the source ensures that you’re getting the most up-to-date version available.
We already release up-to-date packages for Varnish Cache itself. Now, to make sure the open source community gets access to all the goods, we’ve created up-to-date packages for Hitch as well, available a week after the official release. Users don’t have to wait: you can cut out the middleman and get the official packages directly from us in the repo.
Official Docker image: Coming soon
Having Hitch packages in hand makes it easier to offer an official Docker image that you can grab and use off the shelf. As with official Hitch packages, accessing official Docker images ensures that you’ve got the most up-to-date version. Stay tuned: the Hitch Docker image is coming soon in the Docker Hub. We'll let you know when, and share a blog post about how to use Varnish and Hitch in a container.
Hitch 1.6 also introduces support for mutual TLS (client certificate authentication, also called TLS mutual authentication). TLS is already used everywhere on the internet to secure connections and authenticate servers, giving clients proof that they are talking to the server they intended to reach.
Mutual TLS adds another level of security: it allows the server to validate the identity of its clients as well. While rarely useful for regular public websites, it becomes invaluable for intranets, extranets and other high-security setups that need to be reachable without being totally open.
Easier than ever to secure yourself
The importance of secure data transport is undeniable. Now it’s easier and cleaner than ever to take advantage of more TLS options: Hitch yourself up and get going straight from the source.
Be on the alert: more news and an upcoming blog post about the official Docker image are coming soon!