配置具有多个域的SSL + SSL支持
[英]Congiuring varnish with multiple domains+ssl Support
问题描述
I am currently been involved in implementation of varnish with loadbalancer as back-end which shall forward traffic accordingly to multiple web server. 
我目前参与了将负载均衡器作为后端的清漆的实现,该后端会将流量相应地转发到多个Web服务器。
I am trying to achieve: 我正在努力实现:
Public Traffic -> haproxy/DNS -> [Varnish (x2) / nginx(ssl) ] -> Loadbalancer -> Web server(x4)
I am able to configure Varnish , nginx as ssl/443 terminator for one domain. 我可以将Varnish和nginx配置为一个域的ssl / 443终止符。 (ie if i point dns to varnish eth and access webserver serves the page) (即,如果我将dns指向清漆eth并访问webserver服务该页面)
varnish config 清漆配置
backend loadbalancer { .host = "xxx.xxx.xxx.xxx"; .port = "80" }
backend loadbalancer_ssl { .host = "xxx.xxx.xxx.xxx"; .port = "443"; }
sub vcl_recv {
# Set the director to cycle between web servers.
if (server.port == 443) {
set req.backend = loadbalancer_ssl;
}
else {
set req.backend = loadbalancer;
}
}
# And other vcl rules for security and other.
Nginx Config Nginx配置
location / {
# Pass the request on to Varnish.
proxy_pass http://127.0.0.1;
proxy_http_version 1.1;
#SSL certificate and config
=> How would i achieve configuring varnish as dns entry Point with ssl termination for multiple domains? =>如何在多个域中使用ssl终止将清漆配置为dns入口点? => Is it possible to somehow configure varnish to accept all connections and bypass ssl to web server directly? =>是否可以通过某种方式将清漆配置为接受所有连接并直接将ssl绕过Web服务器? (so that i don't have to worry about multiple interface for ssl support) (这样我就不必担心支持ssl的多个接口)
=> Or any standard approach to achieve with 443 terminator? =>还是使用443终结器实现的任何标准方法?
Note: why i am trying to achieve this: To create multiple layer for security and using existing hardware devices. 注意:为什么要尝试实现此目的:创建多层安全性并使用现有的硬件设备。
Already in place: 已经到位:
- All server has (multiple interface for ssl using lightty). 所有服务器都有(使用lightty的ssl多个接口)。
- Load balancer -> Hardware -> which will balance load between those web server. 负载平衡器->硬件->将在这些Web服务器之间平衡负载。
Any experts sharing there view would be great. 任何有共同看法的专家都将很棒。
1 个解决方案
解决方案1
0 2013-04-15 18:58:52
I have decided to go with nginx as ssl terminator and achieving my question answers as below. 我决定将Nginx用作ssl终结器,并实现以下问题答案。 I decided to update this, if anyone finds it useful. 如果有人发现它有用,我决定对其进行更新。
From my above query: 从我上面的查询:
How would i achieve configuring varnish as dns entry Point with ssl termination for multiple domains? 如何在多个域中使用ssl终止将清漆配置为dns入口点?
=> How it works is we need to have socket listening for https/ either nginx/pound/or anything else that can read ssl. =>它是如何工作的,我们需要让套接字监听https /,nginx / pound /或其他任何可以读取ssl的东西。 (which i was not quite convinced previously is to use this point as ssl terminator however i think i am fine as beyond that level now i have planned to make it internal zone. (我以前不太确信是将此点用作ssl终结器,但是我认为我可以超过该级别,现在我计划将其设置为内部区域。
=> Is it possible to somehow configure varnish to accept all connections and bypass ssl to webserver directly? =>是否可以通过某种方式将清漆配置为接受所有连接并直接将SSL绕过Web服务器? (so that i dont have to worry about multiple interface for ssl support) (这样我就不必担心支持ssl的多个接口)
One can achieve this either with multiple interface (if you have multiple domains). 一个人可以通过多个接口(如果您有多个域)来实现这一目标。 or, same interface if you are dealing with subdomains. 或者,如果要处理子域,则使用相同的界面。 Or, you can create one secure page for all ssl required pages (depends upon trade-off) 或者,您可以为所有ssl必需的页面创建一个安全页面(取决于权衡)
=> Or any standard approach to achieve with 443 terminator? =>还是使用443终结器实现的任何标准方法? I decided to go with nginx to use those feature that nginx provides (interms of security layer). 我决定与nginx一起使用nginx提供的那些功能(安全层的内部功能)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.