A couple of weeks back we shared that we’ll be adding SSL/TLS support in Varnish Plus. Now that the announcement is out and we’ve presented it on a couple of occasions it is time to go through implementation details.
First, a little piece of trivia: did you know that SSL changed its name because Netscape had registered it as a trademark? That is why the protocol was suddenly renamed.
It turns out the timing of our implementation is pretty spot on. After spending a week in and around San Francisco I’ve noticed that the tech world has significantly more focus on transport security now than it did just half a year back.
How does it work?
What exactly have we done? There are currently two places where we’ve added SSL/TLS. The obvious place is the client-facing TLS. We achieve this by releasing Hitch TLS, a piece of software we’ve built by taking the now-abandoned stud project and adding the features needed to turn it into a modern, minimalistic and fast TLS proxy.
We’ve added the following:
• New --pidfile argument.
• Rudimentary test framework implemented.
• Defaults set to TLS v1.0, TLS v1.1 and TLS v1.2.
• SNI on by default.
• Support for the PROXYv1 and PROXYv2 protocols toward the origin.
• Multiple listening sockets, each with a possibly different default key/certificate.
• Wildcard certificates are supported, with and without SNI.
• SSL 3.0 must now be enabled explicitly.
• autoconf/automake build system.
• Various other bug fixes and improvements.
Client-side SSL/TLS
Hitch TLS has an event-driven architecture. The recommended setup is to have it spawn one process per CPU core. Each process binds itself to its core using CPU affinity, increasing the likelihood of CPU cache hits. Hitch should be capable of around 3000 TLS protocol negotiations per core per second, which we expect to be ample.
SSL/TLS on the backend
The other place where adding TLS makes a lot of sense is the backend. The number of companies requiring that inter-machine connections use TLS is increasing. Furthermore, use of Varnish Plus among content delivery networks is increasing. These long-haul connections often go through the public internet, and as a result it can be vital to encrypt them.
In order to require TLS toward the origin, you just add “.ssl = 1” to the backend declaration.
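As an added illustration (not from the original post or the Varnish Plus documentation), here is what a complete backend declaration with TLS toward the origin looks like in VCL. The .ssl field is the one named above; the hostname is a placeholder, and the .ssl_sni and .ssl_verify_* fields are assumed to be available in the Varnish Plus version in use, since encrypting the hop without verifying the origin's certificate still leaves the connection open to a man-in-the-middle.

```vcl
vcl 4.0;

# Added example, not code from the post: a Varnish Plus backend that
# requires TLS toward the origin. Only ".ssl = 1" is taken from the post;
# the verification fields below are assumed to exist in the deployed
# Varnish Plus release and should be checked against its backend docs.
backend origin {
    .host = "origin.example.com";   # placeholder origin hostname
    .port = "443";                  # the origin's TLS port, not its plain HTTP port
    .ssl = 1;                       # require TLS for every connection to this backend
    .ssl_sni = 1;                   # assumed field: send SNI so a multi-site origin serves the right cert
    .ssl_verify_peer = 1;           # assumed field: fail the fetch if the cert chain does not validate
    .ssl_verify_host = 1;           # assumed field: fail the fetch if the cert name does not match .host
    .connect_timeout = 2s;
    .first_byte_timeout = 10s;
}

sub vcl_recv {
    # Route all client requests through the TLS-only backend.
    set req.backend_hint = origin;
}
```

With verification switched on, a failed handshake surfaces as a backend fetch error rather than a silently downgraded or impersonated connection, which is the behaviour you want when the long-haul path crosses the public internet.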
If you are already using Varnish Plus, you can follow these instructions to improve the security of your website without having to rely on third-party solutions, saving your company time (one less product to maintain) and money.
You can download our on-demand webinar on SSL/TLS in Varnish Plus here.