I'm looking to add SSL to some sites. My current setup is varnish -> nginx -> python wsgi server. The varnish sits at the front and caches both static and dynamic content. The nginx server serves up the static media from disk and proxies other requests back to the python app. It works like a charm.

I've tried 2 different approaches to adding SSL and both have their drawbacks:

request on 443 > stunnel > varnish cache > nginx > python wsgi app

request on 443 > nginx/ssl > varnish cache > python wsgi app

The first approach has the benefit of continuing to cache static content. The main drawback is that I'm not sure how to redirect "non-https" traffic to the secure version, because once the traffic hits nginx it is unencrypted.

The second approach is also good; the only drawback is that varnish is no longer in front of the static content and therefore not caching it.

What do you guys think? Any ideas?

coleifer
  • Hmm, I'm pretty sure that Nginx already has a really good SSL engine. So I would recommend removing Varnish for SSL requests (port 443) and using Nginx directly. But you surely have a good reason for this approach. – Jens Bradler Apr 24 '12 at 07:47

1 Answer

Regarding the second approach, "the only drawback is that varnish is no longer in front of the content and therefore caching it". If nginx is serving it from local disk, the filesystem cache is already in effect so you are serving cached content.

There is no problem with the second approach, and it is definitely the approach you should take.

3molo
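The second approach from the question (nginx terminating TLS, then Varnish, then the Python app) could be configured along these lines. This is an added example, not part of the original question or answer; the hostname, certificate paths, static root and the Varnish address 127.0.0.1:6081 are assumptions.

```nginx
# Added example. example.com, the file paths and 127.0.0.1:6081 are
# assumed values, not taken from the post.

# Port 80 does nothing except redirect to HTTPS. A fixed hostname is used
# instead of $host so a forged Host header cannot steer the redirect.
server {
    listen 80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/example.com.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.com.key;  # placeholder path

    # Static media straight from disk; the OS filesystem cache keeps
    # frequently read files in memory, as the answer points out.
    location /static/ {
        root /srv/www/example;  # assumed document root
    }

    # Everything else goes through Varnish, which caches dynamic
    # responses and forwards misses to the WSGI app.
    location / {
        proxy_pass http://127.0.0.1:6081;  # Varnish on loopback (assumed)
        proxy_set_header Host $host;
        # Set (not append) these so a client-supplied value never reaches
        # the app; the app can then trust them for scheme and client IP.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

Because the hops behind nginx are unencrypted, Varnish and the WSGI server should listen on loopback (or a private interface) only, so plain-HTTP access cannot bypass the TLS listener.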