Blesta Behind Varnish Cache Server With SSL Termination


Question

Posted

I have a question concerning how Blesta will handle cookies behind a Varnish Cache Server. Standard use is to use X-Forwarded-For with a vcl setting of req.http.X-Forwarded-For + ", " + client.ip. Which sets x-forwarded-for with the client ip. I am interested in getting away from whmcs, but I need to find a system that will work correctly while utilizing a Varnish Cache Server with Nginx for SSL Termination.

 

I am doing some preliminary data gathering to quickly rule out those that will not fit my needs, prior to doing some test installs. Anyone have any experience running Blesta with a Varnish Cache Server along with SSL Termination?
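
Added example, not part of the original post and not Blesta's own code: with the vcl setting quoted above, each hop appends to whatever X-Forwarded-For the client sent, so the backend should resolve the client address from the right-hand end of the list and only when the request came from its own proxy. The proxy addresses, the sample header and the function names are assumptions made for the illustration, as is the TLS terminator appending the address it saw.

```python
import ipaddress

# Assumed addresses of our own hops (TLS terminator, Varnish); constructed values.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/24")]


def is_trusted(addr):
    """True when addr belongs to one of our own proxy hops."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_values):
    """Pick the client address to log and rate-limit on.

    peer       -- address of the TCP peer that connected to the backend
    xff_values -- every X-Forwarded-For header line received, in order
    """
    nearest = ipaddress.ip_address(peer)
    # A request that did not come through our proxies gets no say via the header.
    if not is_trusted(nearest):
        return str(nearest)
    # Several header lines are equivalent to one comma-joined list.
    hops = [h.strip() for line in xff_values for h in line.split(",") if h.strip()]
    # Walk right to left: entries appended by our own hops are reliable; the first
    # entry that is not ours is what the outermost proxy saw. Anything further
    # left was supplied by the client and is ignored.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: fall back to the last verified hop
        if not is_trusted(addr):
            return str(addr)
        nearest = addr
    return str(nearest)


# Constructed request: the client forged the first entry, the TLS terminator
# (10.0.0.5) appended the real client, Varnish (10.0.0.6) appended client.ip.
SAMPLE_PEER = "10.0.0.6"
SAMPLE_XFF = ["192.0.2.10, 203.0.113.7, 10.0.0.5"]

if __name__ == "__main__":
    print("leftmost entry (spoofable):", SAMPLE_XFF[0].split(",")[0].strip())
    print("resolved client:", client_ip(SAMPLE_PEER, SAMPLE_XFF))
```
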

7 answers to this question

Posted
  On 9/20/2015 at 4:48 PM, SinOjos said:

I have a question concerning how Blesta will handle cookies behind a Varnish Cache Server. Standard use is to use X-Forwarded-For with a vcl setting of req.http.X-Forwarded-For + ", " + client.ip. Which sets x-forwarded-for with the client ip. I am interested in getting away from whmcs, but I need to find a system that will work correctly while utilizing a Varnish Cache Server with Nginx for SSL Termination.

 

I am doing some preliminary data gathering to quickly rule out those that will not fit my needs, prior to doing some test installs. Anyone have any experience running Blesta with a Varnish Cache Server along with SSL Termination?

 

Hi

 

We run Blesta behind haproxy, with haproxy handling the SSL and setting X-Forwarded-For header. No issues.

 

Hope this helps.

 

-Barry

Posted
Hi

 
We run Blesta behind haproxy, with haproxy handling the SSL and setting X-Forwarded-For header. No issues.


Hope this helps.
 

-Barry

Same situation as Barry, all running fine, see the link I gave above.

Posted

Thanks for the reply guys. I am a bit late in replying due to a family matter, old people are so annoying at times, suppose they do not realize due to dementia, that some of us have to work for a living!

 

I am going to go ahead and do a trial and check to see if things will work with the way I am doing things. Even though I am using a different method, haproxy is similar to what I am doing. You may want to check out the Varnish Cache Server, many of the largest websites in the world are using it, as it delivers websites from ram. https://www.varnish-cache.org/

Posted

Since I have been distracted as of late. I finally got around to taking a look at the recent varnish cache release 4.1 on Sept. 30 2015. It now has support for haproxy, while haproxy 1.5 released on 07/02/2015 included native ssl support. Looks like the way to go may be with haproxy and varnish cache, not that there is anything wrong with nginx, simply that haproxy does have some features that are useful. Going to build a test cluster and see how things go with a Blesta trial. I am confident it should work, it will be a matter of fine tuning things to achieve specific goals though.

 

Not surprised that Poul Henning included support for haproxy, he has some very defined opinions on ssl support, his most recent ssl post is a good read. https://www.varnish-cache.org/docs/trunk/phk/ssl_again.html

Posted
  On 10/7/2015 at 11:21 AM, SinOjos said:

Since I have been distracted as of late. I finally got around to taking a look at the recent varnish cache release 4.1 on Sept. 30 2015. It now has support for haproxy, while haproxy 1.5 released on 07/02/2015 included native ssl support. Looks like the way to go may be with haproxy and varnish cache, not that there is anything wrong with nginx, simply that haproxy does have some features that are useful. Going to build a test cluster and see how things go with a Blesta trial. I am confident it should work, it will be a matter of fine tuning things to achieve specific goals though.

 

Not surprised that Poul Henning included support for haproxy, he has some very defined opinions on ssl support, his most recent ssl post is a good read. https://www.varnish-cache.org/docs/trunk/phk/ssl_again.html

 

 

Yes, one of the greatest benefits of using haproxy is the ease of dealing with SSL. I use it as the front-end for all sites, and now I have only a single place I need to keep/update certs for all domains. The SNI support in haproxy seems to work flawlessly. I run my proxies on CoreOS/Docker containers, and use confd to add/remove certs and hosts.

 

Updating or adding a cert is as simple as

cat certificate.pem | etcdctl set /services/haproxy/ssl_certs/cert_name

This new cert will get added to /etc/haproxy/ssl/certs.d/ on all required haproxy containers, and haproxy reloaded.

 

Adding a new Blesta host is similar. I simply add the new hostname to my blesta_hosts file, then:

cat blesta_hosts | etcdctl set /services/haproxy/blesta_hosts

confd then creates a new file /etc/haproxy/blesta.hosts which is configured as an ACL in haproxy. This ACL is then used to route these requests to my blesta cluster:

acl blesta hdr_dom(host) -i -f /etc/haproxy/blesta.hosts
use_backend blesta-servers if blesta

-Barry
