Update: I have updated this tutorial to a latest release of Varnish, read here.
By default, Varnish does not work and it will never work with HTTPS requests it only understands plain HTTP. This means, that on mixed content websites, sites serving HTTPS and HTTP pages, the secure pages won't be or cannot be cached on Varnish reducing the load time compared to the non-secure version of the page for example.
There are many sites that offer lots of static content through HTTPS that can definitely be cached using Varnish and in order to do so we need to implement an extra layer before any request goes to our Varnish Server. This layer is going to be handled by a Load Balancer/Proxy Server which will take care of routing the HTTP and the HTTPS requests, by interpreting SSL and converting the requests to plain HTTP so they can be understood by Varnish.
This is a huge advantage in terms of caching since you will be able to keep using Varnish with your secure pages.
Pound, is a Load Balancer/Proxy server, a very little Linux package that takes care of of this implementation, it is capable of play with SSL and will route the http/https requests to Varnish it is also very secure since it does not perform write operations on Linux but only reads.
On this tutorial I will show you how to improve the caching experience using Varnish over HTTPS using Pound. This post assumes you already have a Varnish installation running and listening on port 8080. Here is a nice post on how to install and configure Varnish for Drupal
First, we need to install Pound. (I'm using Ubuntu Server 14.04 as my base OS).
$sudo apt-get install pound
After installation is complete, we need to configure pound, edit the following file and add the code bellow, edit according to your needs.
$sudo nano etc/pound/pound.cfg
Follow this instructions in order to create SSL certificate files for Pound or you can use any other SSL certificates you have. Make sure the cert paths are correct.
## Minimal sample pound.cfg
##
## see pound(8) for details
######################################################################
## global options:
User "www-data"
Group "www-data"
#RootJail "/chroot/pound"
## Logging: (goes to syslog by default)
## 0 no logging
## 1 normal
## 2 extended
## 3 Apache-style (common log format)
LogLevel 1
## check backend every X secs:
Alive 30
## use hardware-accelleration card supported by openssl(1):
#SSLEngine "<hw>"
# poundctl control socket
Control "/var/run/pound/poundctl.socket"
TimeOut 60
######################################################################
## listen, redirect and ... to:
## redirect all requests on port 8080 ("ListenHTTP") to the local webserver (see "Service" below):
ListenHTTP
HeadRemove "X-Forwarded-Proto"
AddHeader "X-Forwarded-Proto: https"
Address 0.0.0.0
Port 80
## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
xHTTP 0
ReWriteLocation 0
## Varnish
Service
BackEnd
Address 127.0.0.1
Port 8080
End
End
End
ListenHTTPS
HeadRemove "X-Forwarded-Proto"
AddHeader "X-Forwarded-Proto: https"
Address 0.0.0.0
Port 443
xHTTP 0
Cert "/etc/pound/ssl/server.pem"
ReWriteLocation 0
## Varnish
Service
Backend
Address 127.0.0.1
Port 8080
End
End
End
Restart Pound service:
$sudo service pound restart
As you can see, we are telling Pound to listen on ports 80 and 443 and we created 2 services so the requests are routed to Varnish on port 8080, SSL decription takes place on Pound making Varnish cache over SSL possible.
as a final step, add this lines to the settings.php file so Drupal can be aware when the request is secure or not
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
$_SERVER['HTTPS'] = 'on';
}
Enjoy!