Varnish to be used for https

Here's the situation. I have clients over a secured network (https) that talk to multiple backends. Now, I wanted to establish a reverse proxy, mainly for load balancing (based on header data or cookies) and a little caching. So, I thought varnish could be of use.

But, varnish does not support ssl-connection. As I've read in many places, quoting, "Varnish does not support SSL termination natively". But, I want every connection, i.e. client-varnish and varnish-backend, to be over https. I cannot have plaintext data anywhere throughout the network (there are restrictions), so nothing else can be used as SSL-Terminator (or can be?).

So, here are the questions:

  • Firstly, what does this mean (if someone can explain in simple terms) that "Varnish does not support SSL termination natively"?
  • Secondly, is this scenario good to implement using varnish?
  • And finally, if varnish is not a good contender, should I switch to some other reverse proxy? If yes, then which will be suitable for the scenario? (HA, Nginx etc.)

what does this mean (if someone can explain in simple terms) that "Varnish does not support SSL termination natively"

It means Varnish has no built-in support for SSL. It can't operate in a path with SSL unless the SSL is handled by separate software.

This is an architectural decision by the author of Varnish, who discussed his contemplation of integrating SSL into Varnish back in 2011.

He based this on a number of factors, not the least of which was wanting to do it right if at all, while observing that the de facto standard library for SSL is openssl, which is a labyrinthine collection of over 300,000 lines of code, and he was neither confident in that code base, nor in the likelihood of a favorable cost/benefit ratio.

His conclusion at the time was, in a word, "no."

That is not one of the things I dreamt about doing as a kid and if I dream about it now I call it a nightmare.

https://www.varnish-cache.org/docs/trunk/phk/ssl.html

He revisited the concept in 2015.

His conclusion, again, was "no."

Code is hard, crypto code is double-plus-hard, if not double-squared-hard, and the world really don't need another piece of code that does an half-assed job at cryptography.

...

When I look at something like Willy Tarreau's HAProxy I have a hard time to see any significant opportunity for improvement.

No, Varnish still won't add SSL/TLS support.

Instead in Varnish 4.1 we have added support for Willys PROXY protocol which makes it possible to communicate the extra details from a SSL-terminating proxy, such as HAProxy, to Varnish.

https://www.varnish-cache.org/docs/trunk/phk/ssl_again.html

This enhancement could simplify integrating varnish into an environment with encryption requirements, because it provides another mechanism for preserving the original browser's identity in an offloaded SSL setup.

is this scenario good to implement using varnish?

If you need Varnish, use it, being aware that SSL must be handled separately. Note, though, that this does not necessarily mean that unencrypted traffic has to traverse your network... though that does make for a more complicated and CPU-hungry setup.

nothing else can be used as SSL-Terminator (or can be?)

The SSL can be offloaded on the front side of Varnish, and re-established on the back side of Varnish, all on the same machine running Varnish, but by separate processes, using HAProxy or stunnel or nginx or other solutions, in front of and behind Varnish. Any traffic in the clear is operating within the confines of one host, so it is arguably not a point of vulnerability if the host itself is secure, since it never leaves the machine.

if varnish is not a good contender, should I switch to some other reverse proxy

This is entirely dependent on what you want and need in your stack, its cost/benefit to you, your level of expertise, the availability of resources, and other factors. Each option has its own set of capabilities and limitations, and it's certainly not unheard-of to use more than one in the same stack.
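The layout the answer describes (TLS terminated in front of Varnish, re-established behind it, both on the same host, with the PROXY protocol from Varnish 4.1 carrying the real client address into Varnish) written out as an added example. This is not code from the answer, from the Varnish project or from HAProxy. It uses HAProxy on both sides of Varnish rather than stunnel or nginx; the certificate and CA bundle paths, the origin hostnames, the loopback port numbers and the `shard` cookie used for routing are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original answer or from the Varnish project.
# One host, TLS on both sides of Varnish, cleartext only on loopback:
#
#   client ==TLS==> haproxy :443 --PROXY v2 over 127.0.0.1--> varnishd 127.0.0.1:6081
#   varnishd --127.0.0.1:8444/8445--> haproxy listeners ==TLS (verified)==> origins :443
#
# Assumptions: certificate path, CA bundle, origin hostnames, ports, cookie name.
set -eu

CERT=/etc/haproxy/certs/site.pem          # assumed PEM bundle: key + chain
CA=/etc/ssl/certs/ca-certificates.crt     # assumed CA bundle used to verify origins

haproxy_cfg() {
cat <<EOF
global
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Front side: terminate TLS here and hand the request to Varnish on loopback.
# send-proxy-v2 is what Varnish 4.1's PROXY listener consumes: it carries the
# real client address, so client.ip in VCL and varnishlog is the browser, not
# 127.0.0.1.
frontend https_in
    bind :443 ssl crt ${CERT}
    http-request set-header X-Forwarded-Proto https
    default_backend varnish

backend varnish
    server varnish 127.0.0.1:6081 send-proxy-v2

# Back side: one loopback listener per origin, so Varnish (not HAProxy) decides
# which origin gets a request. Each listener re-encrypts and verifies the origin
# certificate, so the hop that leaves the machine is TLS.
listen origin_app1
    bind 127.0.0.1:8444
    server app1 app1.internal:443 ssl verify required ca-file ${CA} check

listen origin_app2
    bind 127.0.0.1:8445
    server app2 app2.internal:443 ssl verify required ca-file ${CA} check
EOF
}

varnish_vcl() {
cat <<'EOF'
vcl 4.0;
import std;

# The "backends" are the local re-encrypting listeners, never the origins directly.
backend app1 { .host = "127.0.0.1"; .port = "8444"; }
backend app2 { .host = "127.0.0.1"; .port = "8445"; }

sub vcl_recv {
    # Routing on a cookie or a header, which is what the question wanted Varnish
    # for. The cookie name "shard" is an assumption for this example.
    if (req.http.Cookie ~ "(^|; )shard=b(;|$)" || req.http.X-Shard == "b") {
        set req.backend_hint = app2;
    } else {
        set req.backend_hint = app1;
    }
    # With PROXY on the listener, client.ip/server.ip come from the PROXY header
    # (the browser and the :443 socket it connected to); the loopback endpoints
    # are remote.ip/local.ip. Log the real client rather than 127.0.0.1.
    std.log("client=" + client.ip + " via=" + server.ip);
}
EOF
}

# Varnish listens with PROXY, on loopback only: a process speaking plain HTTP to
# this socket is rejected, and nothing outside the host can reach it at all.
varnish_args() {
    printf '%s\n' "-a 127.0.0.1:6081,PROXY -f /etc/varnish/default.vcl -s malloc,256m"
}

# Guard for the question's "no plaintext anywhere on the network" rule: every
# origin "server" line must re-encrypt and verify; one without "ssl verify
# required" would silently become a cleartext hop off the machine.
check_origins_encrypted() {
    haproxy_cfg | grep -E '^[[:space:]]*server[[:space:]]+app' | \
        grep -vq 'ssl verify required' && return 1
    return 0
}

# Write both files into the given directory and print the varnishd arguments.
# Usage: install_configs /etc/haproxy   (then copy default.vcl to /etc/varnish)
install_configs() {
    dir=${1:?destination directory}
    check_origins_encrypted
    haproxy_cfg > "$dir/haproxy.cfg"
    varnish_vcl > "$dir/default.vcl"
    printf 'start varnishd with: %s\n' "$(varnish_args)"
}
```

The two loopback listeners behind Varnish are deliberate: a single HAProxy `listen` with both origins would move the header- and cookie-based routing decision out of Varnish, which is the part of the stack the question wanted it for. Binding the Varnish listener to 127.0.0.1 with `,PROXY` means the only cleartext HTTP on the host is between three local processes, which is the "within the confines of one host" situation the answer describes.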
