May 15, 2023
3 min read time

Secure your varnish connection with TLS

What is TLS?

TLS, or Transport layer security, is a more modern version of the original SSL (Secure Socket Layer). It’s a protocol that’s part of the network stack responsible for securing the connection between client and server. TLS is commonly used in conjunction with HTTP to form HTTPS, the secure and encrypted form of HTTP.

The TLS Certificate Process

Server Certificates

TLS creates a bridge of trust between client and server by helping them prove that they are who they say they are. It does this through certificates. The most common certificates are server certificates, in which the server passes its unique certificate to the client to show its authenticity. The client then validates it using a certificate authenticator and can thus proceed with its connection, ensuring that it is not being duped by website spoofing or some other bad actor. Client certificates are the same but the other way around. In this case the client has its own unique certificate that it presents to the server, enabling the server to verify the identity of the client. When both server and client certificates are enabled that is called mutual TLS, and it is the highest form of TLS security.

TLS and Varnish

The open source Varnish Cache has historically not supported TLS, which meant you had to go to a proxy for your TLS needs. Even though Varnish Cache doesn’t natively support TLS, it does support TLS offloading through the proxy protocol. Just as Varnish sits between the client and the server and serves as a proxy server for the client, A TLS proxy sits between Varnish and the client and proxies for Varnish to create the secure HTTPS connection.

Hitch 

If you’re looking for a good TLS proxy to support your Varnish configuration, we have a solution for you. Hitch is an open source TLS proxy developed by Varnish for exactly this purpose. Hitch is both very secure and very fast, able to process over 100 gigabits per second on a single instance. Hitch has a full suite of features and capabilities including:

  • Support for both TCP and Unix domain sockets.
  • Registration of multiple separately managed certificates.
  • Server Name Indication, letting the server automatically detect which certificate to use.
  • OCSP stapling, to check if any given certificate has been revoked.
  • And a wide range of configuration options for TLS protocols and Ciphers.

 

Enterprise

For some, 100gbps per server is simply not fast enough. For clients with higher demands, TLS termination through outside proxies have the potential to form a bottleneck. So, in 2020 we built native TLS directly into our Varnish Enterprise Solution. This implementation went more smoothly than we’d anticipated, since we’d already done much of the legwork developing our own TLS proxy solution. Using a subset of Hitch’s configuration directives, we were able to bring Hitch’s TLS processing efficiency directly to Varnish Enterprise. 

 

By implementing TLS natively we progressed from 100 to 200 gbps, doubling the speed of the connection. We’ve continued to improve that number each year as part of our commitment to high speed connections. We’re currently at an astoundingly fast 1.3 terabits per second on a single server, a new world record.

 

To Summarize

For the absolute fastest TLS processing, there’s no beating Varnish Enterprise. If you're a smaller website with lesser infrastructural needs, plugging the Hitch proxy into Varnish Cache is a tried and true (and 100% free) way to achieve secure TLS connections.


There’s a lot more to TLS beyond the scope of this article. For more detailed information on how Hitch and other TLS proxies work, check out our webinar Securing Your Site: Setting Up TLS in Varnish.

 

Setting up TLS in Varnish CTA