add parameter for redirecting to SSL #36

Open
cusco opened this issue Dec 7, 2016 · 4 comments

Comments

@cusco

cusco commented Dec 7, 2016

Hi,

I've set up this VCL template. Thank you very much, it's very useful.

Now, my setup is (client) --https--> apache 443 --proxy pass --> varnish 80 --> apache 8080

so Apache does the SSL termination and proxies into Varnish.
Varnish then requests Apache's non-HTTPS port.

This works and requires, in the Apache non-HTTPS vhost:
  SetEnvIf X_FORWARDED_PROTO "^https$" HTTPS=on

On the HTTPS vhost I have:
  ProxyPreserveHost On
  ProxyPass / http://127.0.0.1:80/
  #ProxyPassReverse / http://localhost:80/
  RequestHeader set X-Forwarded-Port "443"
  RequestHeader set X-Forwarded-Proto "https"

and for WordPress users, in wp-config.php I have:
  define('FORCE_SSL_ADMIN', true);
  // in some setups HTTP_X_FORWARDED_PROTO might contain
  // a comma-separated list e.g. http,https
  // so check for https existence
  if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
  }

before loading wp-settings.php

Now, Varnish should have a way of redirecting to HTTPS if the client is not using it, something like:

  if (client.ip != "127.0.0.1") {
    set req.http.x-redir = "https://" + req.http.host + req.url;
    return (synth(850, "Moved permanently"));
  }

and

  sub vcl_synth {
    if (resp.status == 850) {
      set resp.http.Location = req.http.x-redir;
      set resp.status = 302;
      return (deliver);
    }
  }

I took this code from somewhere on the internet, but I'm afraid it's not quite right.

Would it be possible for you to implement such a feature?

@cusco
Author

cusco commented Dec 7, 2016

Also, I'm guessing there would be a list of hosts, and then match req.http.host with that lookup...

@mattiasgeniar
Owner

Hi!

This shouldn't be too hard to implement in Varnish, it's essentially the same logical condition as your Apache vhost redirect on port :8080. Something like this should work, in vcl_recv.

  if (req.http.X-Forwarded-Proto !~ "(?i)https") {
    # This is not an HTTPS connection via Apache
    if (req.http.host ~ "^(domain1.tld|domain2.tld|domain3.tld)$") {
      return (synth(850, "https://" + req.http.host + req.url));
    }
  }

Could you give that a try?
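A complete version of that check, as an added example that is not code from this thread or from the template repository, in Varnish 4 VCL syntax. It assumes the setup described in the issue, where Apache terminates TLS and proxies to Varnish from 127.0.0.1; the ACL name `trusted_proxy` and the three hostnames are placeholders. It also adds the check a defender wants here: `X-Forwarded-Proto` is honoured only when it arrives from that proxy, so a request that reaches Varnish on port 80 directly cannot carry the header itself and skip the redirect.

```vcl
vcl 4.0;

# Constructed example: only the local Apache TLS terminator may assert
# X-Forwarded-Proto / X-Forwarded-Port. ACL name is an assumption.
acl trusted_proxy {
    "127.0.0.1";
}

sub vcl_recv {
    # Drop forwarding headers that did not come from the TLS proxy, so a
    # client talking to port 80 directly cannot claim it used HTTPS.
    if (client.ip !~ trusted_proxy) {
        unset req.http.X-Forwarded-Proto;
        unset req.http.X-Forwarded-Port;
    }

    # Plain-HTTP request for one of the listed hosts: send it to HTTPS.
    # The hostnames are placeholders taken from the thread.
    if (req.http.X-Forwarded-Proto !~ "(?i)^https$"
        && req.http.host ~ "(?i)^(domain1\.tld|domain2\.tld|domain3\.tld)$") {
        # The target URL travels in the synth reason string and is read
        # back in vcl_synth as resp.reason.
        return (synth(850, "https://" + req.http.host + req.url));
    }
}

sub vcl_synth {
    if (resp.status == 850) {
        set resp.http.Location = resp.reason;
        # 301 once the setup is verified; use 302 while testing so
        # browsers do not cache a wrong redirect.
        set resp.status = 301;
        return (deliver);
    }
}
```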

@cusco
Author

cusco commented Dec 7, 2016

@mattiasgeniar Thank you!

Let me just say I'm new to Varnish, so I understand very little of it, though I understand the logic.

In the meanwhile I have added the following to the VCL:

  # Force HTTPS
  if ((client.ip != "127.0.0.1") && (
      std.tolower(req.http.host) == "domain1.tld" ||
      std.tolower(req.http.host) == "domain2.tld" ||
      std.tolower(req.http.host) == "domain3.tld" ||
      std.tolower(req.http.host) == "xxx" ||
      std.tolower(req.http.host) == "xxx" ||
      std.tolower(req.http.host) == "xxx" ||
      std.tolower(req.http.host) == "xxx" ||
      std.tolower(req.http.host) == "xxx" ||
      std.tolower(req.http.host) == "xxx" ||
      std.tolower(req.http.host) == "xxx" ||
      std.tolower(req.http.host) == "xxx" ||
      std.tolower(req.http.host) == "xxx" ||
      std.tolower(req.http.host) == "xxx" ||
      std.tolower(req.http.host) == "xxx" ||
      std.tolower(req.http.host) == "xxx" ||
      std.tolower(req.http.host) == "xxx" ||
      std.tolower(req.http.host) == "xxx" ||
      std.tolower(req.http.host) == "xxx"
  )) {
    #set req.http.x-redir = "https://" + req.http.host + req.url;
    #return(synth(720, "Moved permanently"));
    return (synth(720, "https://" + req.http.host + req.url));
  }

using your existing code 720.

But validating req.http.X-Forwarded-Proto seems right; I will test that. I was suggesting you could add a commented, pre-configured section for this.

Should I set something regarding the X-Forwarded-Proto in Varnish at any time?

Also, on a separate note, for some reason getting a HEAD on my Apache takes more than 5 seconds (why?!?), so the probe was marking it as sick. You should add a curl command in the comments of the probe section to simulate it. What I used was:
  time curl -I http://localhost:8080/

@mattiasgeniar
Owner

Should I set something regarding the X-Forwarded-Proto in Varnish at any time?

No, if the Apache proxy sets it, that check in Varnish will work just fine.

As for the curl tip: I should definitely do that!
