Transport Layer Security (TLS) is the de facto standard for sending and receiving secure HTTP traffic. With this in mind, Varnish long ago built a standalone TLS proxy, the open-source Hitch project. It delivers secure transport without interfering with content delivery performance, but for a number of reasons it is not always the right choice for every deployment.
What is TLS?
TLS is a cryptographic protocol designed to secure communications being sent over a computer network. It has become the accepted standard for secure data communications, taking over from the now-deprecated SSL.
TLS is deemed essential to secure end-to-end data transmission. Without TLS, sensitive information is about as secure as what you might write on the back of a postcard: anyone along the path could intercept and read it. With TLS enabled, data transmissions between clients and servers are encrypted. All major web browsers support TLS, most prefer it by default, and they warn users when their traffic is not secured by TLS.
Why is TLS important?
If your website or application is business-critical, as most websites are, encryption safeguards the data sent over the internet against the risks it faces in transit. Implementing a security policy, and putting in place solutions that support secure data transport without standing in the way of your business goals or hindering the performance and speed of your web transactions, will go a long way toward thwarting threats.
TLS in Varnish
For many years, Varnish, which is both an HTTP server (toward clients) and an HTTP client (toward backends), has offered TLS support on both ends via the open-source Hitch TLS proxy, which was designed to do one thing and do it well: protect your web traffic.
The existing TLS proxy is tightly integrated with Varnish and helps improve website security by encrypting communication without relying on third-party solutions. TLS support is integrated at two points: client-facing TLS, the most obvious and significant, and TLS on the backend side, with Hitch serving as one modern, minimal and fast TLS proxy. This has worked well, delivering exceptional performance for most Varnish users and even adding a layer of security because TLS termination runs in its own process, separate from the cache. Even so, not every deployment is suited to a separate Hitch TLS layer.
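As an added illustration of the separate-process Hitch deployment described above (not configuration taken from this post), here is a minimal Hitch configuration that terminates TLS and hands decrypted requests to Varnish over the PROXY protocol. The certificate path, port and user are placeholders, and the alpn-protos key assumes a recent Hitch release.

```conf
# hitch.conf: added example, not from the Varnish Software post.
# Hitch owns port 443 and the private key; varnishd never handles TLS.

# Accept TLS on all addresses, port 443
frontend = "[*]:443"

# Hand the decrypted stream to varnishd on loopback (port is a placeholder).
# This loopback hop is the one that native in-process TLS removes.
backend = "[127.0.0.1]:8443"

# Prepend a PROXY protocol v2 header so Varnish logs and VCL see the
# real client address instead of 127.0.0.1
write-proxy-v2 = on

# Placeholder path: one PEM file holding private key, certificate and chain
pem-file = "/etc/hitch/example.com.pem"

# Offer HTTP/2 and HTTP/1.1 via ALPN (key available on recent Hitch releases)
alpn-protos = "h2, http/1.1"

# Drop root privileges once port 443 is bound and the key is loaded
user = "_hitch"
group = "_hitch"

# Matching varnishd listener (separate command, shown here for reference):
#   varnishd -a :8443,PROXY -a :80 ...
# ",PROXY" tells Varnish to expect the header Hitch prepends on that socket.
```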
Why native TLS termination?
With native TLS termination in Varnish Enterprise, users can choose how to implement TLS. Many users in high-performance industries, such as media streaming and telecommunications, need high-speed content delivery to large audiences, so extreme performance matters more to them than keeping TLS termination separate from the Varnish process. Speed gains are the focus, and in-process TLS termination delivers them.
How are these speed gains achieved? Native TLS eliminates the extra network hop between the TLS proxy and Varnish, letting off-the-shelf bare-metal and virtualized servers deliver content faster and with fewer resources.
Native TLS in the real world
Swedish-based global telco Telia Company built its next-generation CDN solution with Varnish Enterprise. One of the primary features that distinguished Varnish as the right solution was the ability to achieve high-performance content delivery on standard commercial off-the-shelf (COTS) hardware, maximizing output with in-core TLS. Telia specified that getting maximum performance from a single server, including TLS, was a key criterion.
Many roads to TLS
Varnish TLS security is easy to implement, and you have a choice of ways to use it. Learn more about your TLS options with Varnish:
- Open-source Hitch TLS proxy
- Hitch TLS proxy as a container image on Docker
- Varnish Enterprise with built-in TLS termination
Read below how our client Telia used Varnish Enterprise and native, in-process TLS to build its future-proof CDN solution.