March 27, 2020

In-process TLS - What is it all about?


As you might know, the latest Varnish Enterprise release (6.0.6r2) adds support for in-process, or native, TLS. What does this mean, though? Why add this feature, and why now?


TLS and Varnish

To explain, let’s talk about the history of TLS and Varnish. In 2015 we built a TLS proxy called Hitch, which was purpose-built to terminate TLS at scale, with very low latencies. Hitch is a separate service that sits in front of Varnish - a proxy in front of a proxy. Hitch speaks HTTPS with the end user, then decrypts and sends the traffic to Varnish, which can then send any traffic back to the origin servers over HTTP or HTTPS. Even though Hitch is a separate service, in most cases it’s installed on the same instance as Varnish.

Hitch - terminating TLS separately from the main Varnish service - has served us and our users very well, and even with the recent addition of in-process TLS we still recommend Hitch in the majority of cases. It’s still maintained and supported, and will always be a major part of the Varnish Enterprise solution.

What’s key with the new release is that there is a choice of how to implement TLS in Varnish Enterprise. The question is, when a single Varnish server with a well-tuned Hitch TLS proxy can process up to 100Gbps, why would you want to “go native”?


Why go native with in-process TLS?

Achieving 100Gbps when using Hitch is very impressive, and easily delivers good enough performance for the majority of users. An arms race of sorts is on in some industries, though, including telecommunications and media streaming. Organizations in these domains are vying to be the best at delivering content at high speed to very large audiences, including HD video, now and in the future.

The race to future-proof web services and remain competitive in the long term means hunting for speed gains wherever they can be found. For these organizations, 100Gbps may not be enough, and the benefits of separating TLS termination from Varnish may be eclipsed by the need for extreme performance.

Bringing TLS functionality into the core Varnish Enterprise process means we can further push the boundaries of performance. Enabling TLS natively within Varnish eliminates the need for the extra network hop, with the result that it’s possible to reach speeds of up to 150Gbps from a single, off-the-shelf server. Varnish Enterprise with in-process TLS is the fastest and most resource efficient solution on the market.


Let’s get technical

Look out for our upcoming technical blog post on in-process TLS, with insights into how we tested and benchmarked the new solution, and information on how to configure it to benefit from the huge performance increases right away.