In this article, we will explore the process of setting up Varnish SSL Termination with the Nginx web server on Rocky Linux 8. Varnish cache software, although highly efficient, does not support SSL/TLS by default. Therefore, additional software is needed to enable SSL/TLS support on Varnish. SSL Termination is a method that allows us to enable SSL/TLS on Varnish by using software like Nginx to handle HTTPS requests from clients before forwarding them to the Varnish cache software and ultimately to the origin backend server.
Prerequisites
Before we begin, make sure you have the following prerequisites in place:
- A Linux server with Varnish installed
- Root privileges
- A domain name
For the purpose of this guide, we will be using a Rocky Linux server with Varnish installed on top of it. Our domain name will be “example.io”.
Installing Nginx Web Server
If you are using Nginx as the backend for Varnish, you can skip this step. Otherwise, follow these instructions to install Nginx on your Linux system:
- For Debian/Ubuntu-based distributions, use the following command to install Nginx:
sudo apt install nginx -y
- For CentOS/Rocky Linux/AlmaLinux operating systems, use the following command to install Nginx:
sudo dnf install nginx -y
- Once the installation is complete, start and enable the Nginx web server with the following command:
sudo systemctl enable --now nginx
Generate SSL with Certbot
To enable SSL/TLS on Varnish, we need to generate SSL certificates. We will use Certbot, a tool that automates the process of obtaining and renewing SSL certificates from Let’s Encrypt.
- First, add the HTTP and HTTPS ports to the system firewall. For Debian/Ubuntu systems, use the following commands:
sudo ufw allow http
sudo ufw allow https
sudo ufw reload
For CentOS/Rocky Linux/AlmaLinux systems, use the following commands:
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload
- Next, install Certbot on your system. For Debian/Ubuntu systems, use the following command:
sudo apt install certbot -y
For CentOS/Rocky Linux/AlmaLinux systems, use the following command:
sudo dnf install certbot -y
- Before generating the SSL certificates, stop Varnish (which occupies the default HTTP port 80) and Nginx, so that Certbot's standalone challenge server can bind to port 80. Use the following commands:
sudo systemctl stop varnish
sudo systemctl stop nginx
- Now, generate the SSL certificates with the Certbot command. Make sure to replace “example.io” with your own domain name and provide a valid email address:
sudo certbot certonly --agree-tos --email test@example.io --standalone --preferred-challenges http -d example.io
After the Certbot process completes, your SSL certificates will be available in the directory “/etc/letsencrypt/live/example.io/”. The “fullchain.pem” file contains your server certificate (carrying the public key) together with its issuing chain, and the “privkey.pem” file contains the matching private key; the private key must stay readable by root only.
Setup Default Nginx Port
Skip this step if you are using Nginx as the backend for your Varnish HTTP accelerator. Otherwise, follow these instructions to configure the default port for Nginx.
- Edit the default Nginx configuration file using a text editor of your choice. For example, use the following command to edit the file with Nano:
sudo nano /etc/nginx/nginx.conf
- Within the “server { … }” section, update the “listen” option to use port “8081” as shown below:
...
server {
listen 8081 default_server;
listen [::]:8081 default_server;
...
}
...
Save the configuration file and exit the text editor.
- Restart the Nginx service to apply the new configuration:
sudo systemctl restart nginx
Nginx is now running on port “8081” as the default web server.
Setup SSL Termination with Nginx Web Server
To enable SSL termination with Nginx, we need to create a new virtual host or server block configuration that will handle HTTPS requests on port “443”.
- Create a new Nginx server block configuration file. For Debian/Ubuntu-based systems, use the following command:
sudo nano /etc/nginx/sites-available/example.io
For CentOS/Rocky Linux/AlmaLinux systems, use the following command:
sudo nano /etc/nginx/conf.d/example.conf
- Copy and paste the following configuration into the new file. Make sure to replace “example.io” with your own domain name and provide the correct paths to your SSL certificates:
server {
    listen 443 ssl http2;
    server_name example.io;

    ssl_certificate /etc/letsencrypt/live/example.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.io/privkey.pem;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/example.io_access.log;
    error_log /var/log/nginx/example.io_error.log;

    location / {
        proxy_pass http://127.0.0.1:80;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Host $host;
    }
}
Save the configuration file and exit the text editor.
- Activate the server block configuration by creating a symbolic link. For Debian/Ubuntu systems, use the following command:
sudo ln -s /etc/nginx/sites-available/example.io /etc/nginx/sites-enabled/
- Verify the Nginx configuration and restart the Nginx service:
sudo nginx -t
sudo systemctl restart nginx
To confirm that Nginx is running and listening on port “443”, use the following command:
ss -antpl | grep 443
Make sure the output shows that Nginx is listening on port “443”.
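The “ss -antpl” check above only confirms port 443; the chain built in this guide actually has three listeners that must line up (Nginx on 443, Varnish on 80, the backend Nginx on 8081). The following script, added here as an example and not part of the original guide, parses that ss output and checks all three at once. The sample output is constructed, the expected port-to-process map is an assumption about this layout, and the process names “varnishd” and “cache-main” (the Varnish master and its child) are assumed; it also flags a backend port that is bound to all interfaces, since such a port can be reached directly, bypassing both TLS termination and the cache.

```python
import re

# Constructed sample of `ss -antpl` output shaped like the layout this guide
# builds (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=2201,fd=7),("nginx",pid=2200,fd=7))
LISTEN 0      511    0.0.0.0:8081        0.0.0.0:*         users:(("nginx",pid=2201,fd=6),("nginx",pid=2200,fd=6))
LISTEN 0      1024   0.0.0.0:80          0.0.0.0:*         users:(("cache-main",pid=1980,fd=8),("varnishd",pid=1979,fd=8))
LISTEN 0      10     127.0.0.1:6082      0.0.0.0:*         users:(("varnishd",pid=1979,fd=6))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=900,fd=3))
"""

# Assumed port ownership for this setup: TLS terminator, cache, backend.
EXPECTED = {
    443: {"nginx"},
    80: {"varnishd", "cache-main"},  # Varnish master plus its worker child (assumed names)
    8081: {"nginx"},
}

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_listeners(raw: str) -> dict:
    """Map local port -> (bind address, set of owning process names) for LISTEN rows."""
    listeners = {}
    for line in raw.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        addr, port = fields[3].rsplit(":", 1)  # handles "[::]:8081" and "*:80" too
        procs = set(re.findall(r'\("([^"]+)"', fields[-1]))
        listeners[int(port)] = (addr, procs)
    return listeners


def check_layout(raw: str, backend_port: int = 8081):
    """Return (problems, warnings).

    problems: the three-hop chain is broken (missing port or wrong owner).
    warnings: exposure notes that do not break the chain but widen the attack surface.
    """
    listeners = parse_listeners(raw)
    problems, warnings = [], []
    for port, owners in EXPECTED.items():
        if port not in listeners:
            problems.append(f"nothing listening on {port}")
            continue
        addr, procs = listeners[port]
        if not procs & owners:
            problems.append(f"port {port} owned by {sorted(procs)}, expected {sorted(owners)}")
    # The backend is only meant to be reached through Varnish; bound to every
    # interface it can be hit directly, skipping TLS termination and the cache.
    if backend_port in listeners and listeners[backend_port][0] not in LOOPBACK:
        warnings.append(f"backend port {backend_port} is bound to "
                        f"{listeners[backend_port][0]}; consider binding it to 127.0.0.1")
    return problems, warnings


if __name__ == "__main__":
    import subprocess
    live = subprocess.run(["ss", "-antpl"], capture_output=True, text=True, check=True).stdout
    problems, warnings = check_layout(live)
    for p in problems:
        print("PROBLEM:", p)
    for w in warnings:
        print("WARNING:", w)
    print("chain OK" if not problems else "chain broken")
```

Run it on the server itself; the sample is there only so the parser can be exercised without a live system.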
Automatic HTTP to HTTPS with Varnish
To automatically redirect HTTP requests to HTTPS, we need to configure Varnish with a new rule in the “default.vcl” configuration file.
- Edit the Varnish configuration file with a text editor. For example, use the following command to edit the file with Nano:
sudo nano /etc/varnish/default.vcl
- Add the following configuration inside the “sub vcl_recv { … }” section. Replace “example.io” with your own domain name:
sub vcl_recv {
    ...
    if (client.ip != "127.0.0.1" && req.http.host ~ "example.io") {
        set req.http.x-redir = "https://example.io" + req.url;
        return(synth(850, ""));
    }
    ...
}
- Add the following configuration at the bottom of the file. It turns the synthetic status “850” raised above into an HTTP “301” redirect whose Location is the URL stored in “x-redir”:
sub vcl_synth {
    if (resp.status == 850) {
        set resp.http.Location = req.http.x-redir;
        set resp.status = 301;
        return (deliver);
    }
}
Save the configuration file and exit the text editor.
- Restart the Varnish service to apply the new configuration:
sudo systemctl restart varnish
Varnish is now configured to automatically redirect HTTP requests to HTTPS.
Verify Varnish SSL Termination
To verify that Varnish SSL termination is working correctly, you can use a web browser or the curl command.
- Open your web browser and enter your domain name in the address bar. For example, enter “http://example.io”. You should be automatically redirected to the HTTPS protocol.
Right-click on the web page, select “Inspect” from the menu, and navigate to the “Network” tab. Click the “Reload” button and you should see a request to the root URL. The request should be automatically redirected to the HTTPS protocol with a status code of “301”. This indicates that the Varnish server is handling all client requests.
- To verify Varnish SSL termination using the curl command, use the following command:
curl -I http://example.io
The response headers should show a status code of “301” and a “Location” header pointing to the HTTPS protocol, “https://example.io”. This confirms that the Varnish server is handling all requests from clients.
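The “curl -I” check above is done by eye; the following script, added here as an example and not part of the original guide, makes the same check mechanically so it can be run after every configuration change. It parses the status line and headers as “curl -I” prints them and verifies the three properties the VCL rules above are meant to guarantee: status “301”, a Location that uses HTTPS and stays on the same host (since “x-redir” is built from a fixed host string, anything else means the redirect is not coming from the intended rule), and a preserved path and query string. The sample responses are constructed, and the live “probe” function, which sends the same HEAD request over plain HTTP, is an assumption about how you would drive it.

```python
import http.client
from urllib.parse import urlsplit


def parse_head_output(raw: str):
    """Split the text `curl -I` prints (status line followed by headers)
    into (status_code, {lower-cased header name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split(None, 2)[1])  # "HTTP/1.1 301 Moved Permanently"
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(status: int, headers: dict, domain: str, target: str = "/"):
    """Return a list of findings; an empty list means the redirect matches what
    the vcl_recv/vcl_synth rules in this guide are meant to produce."""
    findings = []
    if status != 301:
        findings.append(f"expected status 301, got {status}")
    location = headers.get("location")
    if location is None:
        findings.append("no Location header")
        return findings
    url = urlsplit(location)
    if url.scheme != "https":
        findings.append(f"redirect is not HTTPS: {location}")
    if url.hostname != domain:
        findings.append(f"redirect leaves {domain}: {location}")
    # req.url in VCL carries path and query, so both must survive the hop.
    got_target = url.path + ("?" + url.query if url.query else "")
    if got_target != target:
        findings.append(f"requested {target} but redirected to {got_target}")
    return findings


def probe(domain: str, target: str = "/"):
    """Live equivalent of `curl -I http://<domain><target>`; needs network access."""
    conn = http.client.HTTPConnection(domain, 80, timeout=10)
    conn.request("HEAD", target, headers={"Host": domain})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    return check_redirect(resp.status, headers, domain, target)


# Constructed sample of what `curl -I http://example.io/docs?page=2` should
# return from this setup (not captured output; the Date value is made up).
SAMPLE_GOOD = """\
HTTP/1.1 301 Moved Permanently
Date: Mon, 01 Jan 2024 00:00:00 GMT
Location: https://example.io/docs?page=2
Content-Length: 0
Connection: keep-alive
"""

# Constructed sample of a misconfiguration: the page is served over plain
# HTTP instead of being redirected.
SAMPLE_BAD = """\
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1234
"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        findings = probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "/")
    else:
        findings = check_redirect(*parse_head_output(SAMPLE_GOOD), "example.io", "/docs?page=2")
    for f in findings:
        print("FINDING:", f)
    print("redirect OK" if not findings else "redirect broken")
```

Pass the domain (and optionally a path) on the command line to probe a live server; with no arguments it checks the constructed sample. Checking that the path survives matters because a redirect that always lands on “/” silently breaks deep links even though the status code looks right.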
Conclusion
Congratulations! You have successfully configured Varnish SSL Termination with the Nginx web server on Rocky Linux 8. By following the steps in this guide, you have enabled SSL/TLS support on Varnish and set up automatic redirection from HTTP to HTTPS. This ensures secure and efficient handling of client requests, improving the performance and security of your web applications.
Remember, if you need reliable and scalable Cloud VPS hosting services, consider Shape.host. With their cutting-edge infrastructure and expert support, Shape.host is the ideal partner for your hosting needs.