Varnish Cache does not support SSL/TLS or any other protocol related to port 443. If you are using Varnish Cache to improve the performance of your web application, you need to install and configure a separate piece of software, an SSL/TLS termination proxy, to work alongside Varnish Cache and enable HTTPS.

Hitch is an open-source, libev-based SSL/TLS proxy designed for Varnish Cache, currently running on Linux, OpenBSD, FreeBSD, and macOS. It terminates TLS/SSL connections by listening on port 443 (the default port for HTTPS) and forwards the unencrypted traffic to Varnish Cache, but it should also work with other backends.

It supports TLS 1.2 and TLS 1.3, as well as the legacy TLS 1.0/1.1; ALPN (Application-Layer Protocol Negotiation) and NPN (Next Protocol Negotiation) for HTTP/2; the PROXY protocol for passing the client IP address and port on to the backend; UNIX domain socket connections to the backend; and SNI (Server Name Indication), with or without wildcard certificates. It also scales to large installations, supporting up to 15,000 listening sockets and 500,000 certificates.

Following on from our two previous articles on installing Varnish Cache for the Nginx and Apache HTTP servers, this tutorial shows how to enable HTTPS for Varnish Cache using the Hitch TLS proxy on CentOS/RHEL 8.

How to Enable HTTPS for Varnish Cache with Hitch on CentOS-RHEL 8

Logical diagram of our installation

These instructions assume that you have installed Varnish for Nginx or the Apache web server, otherwise see

Step 1: Install Hitch on CentOS/RHEL 8

1. The Hitch package is available in the EPEL (Extra Packages for Enterprise Linux) repository. To install it, first enable EPEL on your system and then install the package. If you have not installed the OpenSSL package, install it.

# dnf install epel-release
# dnf install hitch openssl


Installing Hitch on CentOS 8

2. Once the package installation is complete, you need to configure Varnish Cache to work with Hitch. You also need to configure Hitch to use your SSL/TLS certificates and to use Varnish as its backend. Hitch's main configuration file is /etc/hitch/hitch.conf, which is explained below.

Step 2: Configure Varnish Cache for Hitch

3. So that Hitch can communicate with it, Varnish must also listen on an extra port (8443 in our case) with PROXY protocol support enabled.

Open the Varnish systemd service file for editing.

# systemctl edit --full varnish

Find the ExecStart line and add an extra -a flag with the value 127.0.0.1:8443,proxy. Binding to 127.0.0.1:8443 means that Varnish only accepts internal connections on this port (from processes running on the same server, in this case Hitch), not external connections.

ExecStart=/usr/sbin/varnishd -a :80 -a 127.0.0.1:8443,proxy -f /etc/varnish/default.vcl -s malloc,256m


Configure the Varnish listening port for Hitch

Save the file and restart the Varnish service to apply the changes.

# systemctl restart varnish

Step 3: Obtaining SSL/TLS certificates

4. This section explains how to create an SSL/TLS certificate package used by Hitch. In this tutorial we will explain the different options for using a self-signed certificate, a commercial certificate or a Let’s Encrypt certificate.

You can use the OpenSSL tool to create a self-signed certificate (which may only be used in a local test environment).

# mkdir /etc/ssl/tecmint.lan
# cd /etc/ssl/tecmint.lan/
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tecmint.key -out tecmint.crt

Then create a PEM bundle containing the certificate and the private key as follows.

# cat tecmint.crt tecmint.key > tecmint.pem

Note: For production use, you can either purchase a certificate from a commercial Certificate Authority (CA) or obtain a free, automated, widely trusted certificate from Let's Encrypt. Then create a PEM bundle from it.

If you purchased a certificate from a commercial CA, you must concatenate the private key, the certificate and the CA chain as follows.

# cat example.com.key example.com.crt example.com-ca-bundle.crt > /etc/ssl/example.com.pem

For Let's Encrypt, the certificate, the private key and the full chain are stored under /etc/letsencrypt/live/example.com/, so create the bundle as follows.

# cat /etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/privkey.pem >/etc/letsencrypt/live/example.com/example.com_bundle.pem
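Whichever source the certificate comes from, the bundle only works if the private key in it matches the certificate. The following script is an added example, not part of the original article: make_bundle concatenates the key, the certificate and any intermediates with the bundle readable only by its owner, and bundle_ok confirms the key and certificate share the same public key before Hitch is pointed at the file. All paths are assumptions; a self-signed pair is generated in a temporary directory for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): build a Hitch PEM bundle and
# verify that the private key actually matches the certificate.
set -eu

# make_bundle KEY CERT CHAIN OUT : write key, leaf certificate and (if the
# chain file is non-empty) the intermediates into OUT with mode 600.
make_bundle() {
    key=$1; cert=$2; chain=$3; out=$4
    ( umask 077                              # the bundle holds the private key
      cat "$key" "$cert" > "$out"
      [ -s "$chain" ] && cat "$chain" >> "$out"
      chmod 600 "$out" )
}

# bundle_ok BUNDLE : prints "ok" when the key and certificate in BUNDLE share
# the same public key, "mismatch" when they differ, "invalid" if either is
# missing or unreadable.
bundle_ok() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    cpub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null || true)
    if [ -z "$kpub" ] || [ -z "$cpub" ]; then echo invalid
    elif [ "$kpub" = "$cpub" ]; then echo ok
    else echo mismatch; fi
}

# Demonstration with a constructed self-signed pair (hypothetical paths).
TMP=$(mktemp -d)
openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=tecmint.lan" \
    -keyout "$TMP/tecmint.key" -out "$TMP/tecmint.crt" 2>/dev/null
openssl genpkey -algorithm RSA -out "$TMP/other.key" 2>/dev/null   # unrelated key
: > "$TMP/chain.crt"                      # no intermediates for a self-signed cert
make_bundle "$TMP/tecmint.key" "$TMP/tecmint.crt" "$TMP/chain.crt" "$TMP/good.pem"
make_bundle "$TMP/other.key"   "$TMP/tecmint.crt" "$TMP/chain.crt" "$TMP/bad.pem"
echo "good.pem: $(bundle_ok "$TMP/good.pem")"   # ok
echo "bad.pem:  $(bundle_ok "$TMP/bad.pem")"    # mismatch
```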

Step 4: Configure and Start Hitch

5. Next, configure Varnish as the backend for Hitch and specify the SSL/TLS certificate file to use for HTTPS. Open Hitch's main configuration file for editing.

# vi /etc/hitch/hitch.conf

The frontend section defines the IP addresses and the port Hitch listens on. By default it listens on all IPv4 and IPv6 interfaces of the server on port 443, accepts incoming HTTPS requests and forwards them to Varnish.

In the Hitch configuration file, change the backend parameter's default port from 6086 to 8443 (the port Varnish listens on for proxied requests). Also specify the certificate bundle with the pem-file option, as shown below.

backend = "[127.0.0.1]:8443"
#pem-dir = "/etc/pki/tls/private"
pem-file = "/etc/ssl/tecmint.lan/tecmint.pem"


Configure Hitch as the SSL/TLS proxy for Varnish Cache

Save the file and close it.

6. Now start the Hitch service and enable it to start automatically at boot. Note that when the --now switch is passed to the enable command, it also starts the service immediately. Then check its status to make sure it is running, as follows.

# systemctl enable --now hitch
# systemctl status hitch


Check the status of Hitch

7. Before you test whether your website/application works over HTTPS, you must open the HTTPS service port 443 in the firewall so that requests to this port on the server are let through.

# firewall-cmd --zone=public --permanent --add-service=https
# firewall-cmd --reload

Step 5: Test SSL/TLS Termination with the Varnish Cache Setup

8. It is time to test the Varnish Cache and Hitch setup. Open a web browser and use your domain name or the server's IP address to browse the site over HTTPS.

https://www.example.com
OR
https://SERVER_IP/

Once the index page of your web application has loaded, check the HTTP headers to confirm that the content is being delivered via Varnish Cache.

To do so, right-click on the loaded web page and select Inspect from the menu to open the developer tools. Then click the Network tab, reload the page and select the request to view its HTTP headers, as shown in the following screenshot.


Check the HTTPS setup in Varnish Cache.

Step 6: Redirect HTTP to HTTPS in Varnish

9. For your website to be served only over HTTPS, you need to redirect all HTTP traffic to HTTPS. You can do this by adding the following configuration to your Varnish VCL file.

# vi /etc/varnish/default.vcl

First add the line import std; just below vcl 4.0;. Then find the vcl_recv subroutine, which is the first VCL subroutine executed, immediately after Varnish Cache has parsed the client's request into its data structure. Here we can modify the request headers and trigger a synthetic response to redirect client requests.

Change it to look like this.

sub vcl_recv {
    if (std.port(server.ip) != 443) {
        set req.http.location = "https://" + req.http.host + req.url;
        return(synth(301));
    }
}

Note that the PROXY protocol allows Varnish to see Hitch's listening port, 443, through the server.ip variable. The expression std.port(server.ip) returns the port number on which the client connection was received.

If the port is not 443 (the check std.port(server.ip) != 443), the subroutine sets the Location request header (set req.http.location) to the secure URL ("https://" + req.http.host + req.url), which tells the web browser to fetch the HTTPS version of the page (a URL redirection).

The Location header is then handed to the vcl_synth subroutine (invoked with return(synth(301))) along with the HTTP status code 301 (Moved Permanently).

10. Next, add the following vcl_synth subroutine (one of its many uses is redirecting users) to handle the synthetic response described above.

sub vcl_synth {
    if (resp.status == 301) {
        set resp.http.location = req.http.location;
        set resp.status = 301;
        return (deliver);
    }
}

It checks that the response status is 301, sets the Location header of the response to the Location header of the request (which points to the HTTPS URL) and performs the deliver action.

The deliver action builds the response from the backend, stores it in the cache and sends it to the client.


Configure Varnish to redirect HTTP to HTTPS

Save the file and close it.

11. Apply the new Varnish configuration by restarting the service. Then use the curl command-line tool to confirm the redirection from HTTP to HTTPS.

# systemctl restart varnish
# curl -I http://example.com/
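Reading the curl output by eye works once, but a small check that can be re-run after every VCL or Hitch change is more reliable. The script below is an added example, not from the original article: check_redirect takes the URL that was requested and the response header block (as printed by curl -I) and confirms the response is a 301 whose Location is the HTTPS version of the same host and path, which is exactly what the vcl_recv and vcl_synth rules above should produce. The live_check wrapper and the sample header block are assumptions; the sample is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original article: verify the HTTP -> HTTPS
# redirect produced by the vcl_recv/vcl_synth rules in the tutorial.
set -eu

# check_redirect URL HEADERS : prints "ok" or the reason the redirect is wrong.
check_redirect() {
    url=$1; headers=$2
    rest=${url#http://}                  # host/path without the scheme
    host=${rest%%/*}; path=/${rest#*/}
    [ "$rest" = "$host" ] && path=/      # bare "http://host" means "/"
    status=$(printf '%s\n' "$headers" | head -n1 | tr -d '\r' | cut -d' ' -f2)
    loc=$(printf '%s\n' "$headers" | tr -d '\r' | sed -n 's/^[Ll]ocation: *//p')
    if [ "$status" != 301 ]; then
        echo "status $status, expected 301"; return 0
    fi
    if [ "$loc" = "https://$host$path" ]; then echo ok
    else echo "location '$loc', expected https://$host$path"; fi
}

# live_check URL : fetch the headers with curl and check them (needs the server).
live_check() { check_redirect "$1" "$(curl -sI "$1")"; }

# Constructed header block standing in for the output of "curl -I http://example.com/".
SAMPLE_OK='HTTP/1.1 301 Moved Permanently
Location: https://example.com/
Server: Varnish
Connection: close'

echo "example.com: $(check_redirect http://example.com/ "$SAMPLE_OK")"   # ok
```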


Check HTTP to HTTPS redirection

In the browser, the response looks like the following screenshot.


Check the redirection from HTTP to HTTPS in your browser.

We hope everything has gone smoothly so far. If not, use the feedback form below to leave a comment or ask a question. For more information on additional configuration options, see the Varnish Cache and Hitch documentation.