2

I am currently running Varnish in front of apache for all http traffic. I added stunnel so as to take advantage of the cache for HTTPS connections as well. So, for HTTPS, stunnel talks to varnish which then talks to Apache.

The problem is that when varnish returns a cached page to stunnel, stunnel sends it through HTTPS to the client, but the rest of the resources, eg css files, js files, etc, are requested by the client through plain HTTP. I guess this is due to the cached pages containing links to the resources with just HTTP.

My questions are:

  1. Is this a common problem with reverse ssl proxies?

  2. Is there any way to prevent this from happening?

  3. Let's say I have a domain, www.example.com, and I want it to be accessible only via HTTPS, and I also want http://www.example.com not to return 404 but to redirect to https://www.example.com. How can this be done avoiding loops (i.e. varnish redirecting to stunnel which then requests the page again from varnish through HTTP, which in turn redirects again to stunnel etc.)? Is there maybe any way for stunnel to insert a header that varnish will look for so as not to perform any redirect if the header is present?

masegaloeh

1 Answer

1

On some websites, if you switch from the HTTP to the HTTPS version, you should inform the website configuration, like 'Hey, we are served through HTTPS now'. The reason is that some websites have a hard-coded configuration for their static file URL generator. So, even when they are served through HTTPS, the static-resources-URL generator still thinks that we are talking through HTTP.

Now, you suspect that the Varnish cache still delivers old content. The guess can be true... Well, you can clear the cache so you can confirm the theory.

For the redirect part, you can configure Varnish so it does the redirect task. Add these lines to the Varnish config inside sub vcl_recv:

if (!req.http.X-Forward-For && client.ip !~ localhost) {
    set req.http.x-Redir-Url = "https://" + req.http.host + req.url;
    error 750 req.http.x-Redir-Url;
}

The logic: if some random IP (other than localhost) connects to Varnish (because they still use the HTTP version), then Varnish issues a redirect to HTTPS. The VCL logic is taken from this blog.

Summary

  1. To resolve the static file URL part, you should (1) check the website configuration and inform it that we are served through HTTPS now and (2) clear the Varnish cache.

  2. The HTTP-to-HTTPS redirect task can be done by Varnish.

masegaloeh
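A complete Varnish 3 form of the redirect described in this answer, as an added example that is not part of the original post or the linked blog: it supplies the `acl localhost` definition and the `vcl_error` handler that the `error 750` snippet relies on, and it decides on `client.ip` alone, since a request header can be set by any client. It assumes stunnel connects to Varnish from 127.0.0.1; the `X-Forwarded-Proto` header is an assumed convention that the backend application would have to be configured to read.

```vcl
# Assumption: stunnel runs on the same host and reaches Varnish over loopback.
acl localhost {
    "127.0.0.1";
}

sub vcl_recv {
    # Never trust a protocol hint sent by the client; Varnish sets it itself below.
    unset req.http.X-Forwarded-Proto;

    if (client.ip !~ localhost) {
        # Plain-HTTP client talking to Varnish directly: send it to HTTPS.
        # Nothing is fetched or cached for this request, so no HTTP-only
        # copy of a page (with http:// asset links) enters the cache.
        set req.http.x-Redir-Url = "https://" + req.http.host + req.url;
        error 750 req.http.x-Redir-Url;
    }

    # Request arrived through stunnel, so the client side is HTTPS.
    # No redirect happens here, which is what prevents the redirect loop.
    # Hypothetical convention: the backend reads this header to generate
    # https:// URLs for its static resources.
    set req.http.X-Forwarded-Proto = "https";
}

sub vcl_error {
    # 750 is an internal marker status; turn it into a real redirect.
    if (obj.status == 750) {
        set obj.http.Location = obj.response;
        set obj.status = 301;
        return (deliver);
    }
}
```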